diff --git a/webui/src/assets/data/demo-rdoc-dynamic.json b/webui/src/assets/data/demo-rdoc-dynamic.json
deleted file mode 100644
index a132489af..000000000
--- a/webui/src/assets/data/demo-rdoc-dynamic.json
+++ /dev/null
@@ -1 +0,0 @@ -{"meta":{"timestamp":"2023-10-20T14:15:23.786418","version":"7.1.0","argv":["tests/data/dynamic/cape/v2.2/0000a65749f5902c4d82ffa701198038f0b4870b00a27cfca109f8f933476d82.json","--json"],"sample":{"md5":"e2147b5333879f98d515cd9aa905d489","sha1":"ad4d520fb7792b4a5701df973d6bd8a6cbfbb57f","sha256":"0000a65749f5902c4d82ffa701198038f0b4870b00a27cfca109f8f933476d82","path":"/usr/local/google/home/wballenthin/code/public/capa/tests/data/dynamic/cape/v2.2/0000a65749f5902c4d82ffa701198038f0b4870b00a27cfca109f8f933476d82.json"},"flavor":"dynamic","analysis":{"format":"unknown","arch":"unknown","os":"unknown","extractor":"CapeExtractor","rules":["/usr/local/google/home/wballenthin/code/public/capa/rules"],"layout":{"processes":[{"address":{"type":"process","value":[2456,3052]},"name":"0000A65749F5902C4D82.exe","matched_threads":[{"address":{"type":"thread","value":[2456,3052,1960]},"matched_calls":[{"address":{"type":"call","value":[2456,3052,1960,1]},"name":"NtDelayExecution(Milliseconds=0x30) -> 0x0"},{"address":{"type":"call","value":[2456,3052,1960,36]},"name":"NtDelayExecution(Milliseconds=0x30) -> 0x0"},{"address":{"type":"call","value":[2456,3052,1960,150]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x313000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[2456,3052,3064]},"matched_calls":[{"address":{"type":"call","value":[2456,3052,3064,16]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x490000, RegionSize=0xc0000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,17]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x490000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,32]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, 
ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,37]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[2456,3052,3064,43]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,44]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[2456,3052,3064,46]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,47]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,48]},"name":"NtOpenKey(KeyHandle=0xd4, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", 
ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,49]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,50]},"name":"NtQueryValueKey(KeyHandle=0xd4, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,115]},"name":"LdrGetProcedureAddress(ModuleName=\"WINSPOOL.DRV\", ModuleHandle=0x744e0000, FunctionName=\"SplDriverUnloadComplete\", Ordinal=0x0, FunctionAddress=0x744ede48) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,145]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[2456,3052,3064,146]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,147]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x360000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,148]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,149]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x300000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2456,3052,3064,154]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,158]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5c0000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,225]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,274]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[2456,3052,3064,275]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[2456,3052,3064,277]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[2456,3052,3064,279]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[2456,3052,3064,280]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[2456,3052,3064,299]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,363]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x190"},{"address":{"type":"call","value":[2456,3052,3064,366]},"name":"NtQueryValueKey(KeyHandle=0x24, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[2456,3052,3064,370]},"name":"NtCreateFile(FileHandle=0x194, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,371]},"name":"NtCreateSection(SectionHandle=0x198, DesiredAccess=STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ, ObjectAttributes=\"\", FileHandle=0x194) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,372]},"name":"NtMapViewOfSection(SectionHandle=0x198, ProcessHandle=0xffffffff, BaseAddress=0x4910000, SectionOffset=0x18e860, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,480]},"name":"NtOpenProcess(ProcessHandle=0x190, DesiredAccess=PROCESS_DUP_HANDLE, ProcessIdentifier=0x3052) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,481]},"name":"NtQuerySystemInformation(SystemInformationClass=0x16) -> INFO_LENGTH_MISMATCH"},{"address":{"type":"call","value":[2456,3052,3064,482]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4be0000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,483]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4be0000, 
RegionSize=0x42000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,484]},"name":"NtQuerySystemInformation(SystemInformationClass=0x16) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,711]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", Handle=0x1a0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,716]},"name":"NtOpenFile(FileHandle=0x1a0, DesiredAccess=SYNCHRONIZE, FileName=\"C:\\\", ShareAccess=0x0) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,717]},"name":"NtQueryInformationFile(FileHandle=0x1a0, HandleName=\"C:\\\", FileInformationClass=FileNameInformation, FileInformation=\"\\x02\\x00\\x00\\x00\\\\x00\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,721]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x1a8, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,725]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", Handle=0x1a8, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,730]},"name":"NtOpenFile(FileHandle=0x1a8, DesiredAccess=SYNCHRONIZE, FileName=\"C:\\\", ShareAccess=0x0) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,731]},"name":"NtQueryInformationFile(FileHandle=0x1a8, HandleName=\"C:\\\", FileInformationClass=FileNameInformation, FileInformation=\"\\x02\\x00\\x00\\x00\\\\x00\") -> 
0x0"},{"address":{"type":"call","value":[2456,3052,3064,734]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", Handle=0x1a8, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,739]},"name":"NtOpenFile(FileHandle=0x1a8, DesiredAccess=SYNCHRONIZE, FileName=\"C:\\\", ShareAccess=0x0) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,740]},"name":"NtQueryInformationFile(FileHandle=0x1a8, HandleName=\"C:\\\", FileInformationClass=FileNameInformation, FileInformation=\"\\x02\\x00\\x00\\x00\\\\x00\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,746]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", Handle=0x1b0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,751]},"name":"NtOpenFile(FileHandle=0x1b0, DesiredAccess=SYNCHRONIZE, FileName=\"C:\\\", ShareAccess=0x0) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,752]},"name":"NtQueryInformationFile(FileHandle=0x1b0, HandleName=\"C:\\\", FileInformationClass=FileNameInformation, FileInformation=\"\\x02\\x00\\x00\\x00\\\\x00\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,758]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x1b0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,765]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x1b8, 
FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,775]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"System\\CurrentControlSet\\Control\\LSA\\AccessProviders\", Handle=0x1b4, FullName=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,782]},"name":"NtOpenFile(FileHandle=0x1b4, DesiredAccess=WRITE_DAC, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,803]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4de0000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,804]},"name":"NtCreateFile(FileHandle=0x1b4, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,805]},"name":"NtWriteFile(FileHandle=0x1b4, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", Buffer=\"Ne\\xc99\\x11\\xdd6\\xcb\\xceE8[\\xf5F`[\\x0eumVF\\xb4\\xe8!\\xe9A\\x94\\x8c]\\xc0\\x9e\\x9b\\xfe\\xbbJ\\xe03\\xa6\\xbb\\x8d\\x99-\\xba\\xd6\\x98-\\xf2T\\xfb\\x02\\x8aY\\x83m-\\x16\\x16\\xaa\\xe0\\xc3\\x10\\xe5\\xb5x\\xfd\\xd8\\x88\\xbdL*\\x81\\xe0^yd\\xa1\\xb1\\x9d\\x834\\xc2i\\x174*pc\\xe3.\\xe4\", Length=0x90) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,813]},"name":"NtCreateFile(FileHandle=0x1e0, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, 
FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,814]},"name":"NtQueryInformationFile(FileHandle=0x1e0, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\x80\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x08\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,815]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x46d0000, RegionSize=0x89000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,816]},"name":"NtReadFile(FileHandle=0x1e0, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\", Buffer=\"MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00 
\\xe61[\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x02\\x01\\x0b\\x01\\x0c\\x00\\x00@\\x00\\x00\\x00P\\x08\\x00\\x00\\x00\\x00\\x00\\xe0'\\x00\\x00\\x00\\x10\\x00\\x00\\x00P\\x00\\x00\\x00\\x00@\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00\", Length=0x557056) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,823]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0000A65749F5902C4D82.exe\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0000A65749F5902C4D82.exe\") -> 0x2"},{"address":{"type":"call","value":[2456,3052,3064,937]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x982000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,938]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x97b000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,940]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x4de0000, RegionSize=0x1000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,942]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x970000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,959]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x570000, RegionSize=0x1000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,961]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x560000, RegionSize=0x2000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,982]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x922000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2456,3052,3064,986]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x986000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,993]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x2080000, RegionSize=0x15000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,1013]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x3e0000, RegionSize=0x1000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,1015]},"name":"NtUnmapViewOfSection(ProcessHandle=0xffffffff, BaseAddress=0x38b0000, RegionSize=0x1000) -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,1022]},"name":"NtOpenKey(KeyHandle=0x5c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,3064,1023]},"name":"NtQueryValueKey(KeyHandle=0x5c, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[2456,3052,2792]},"matched_calls":[{"address":{"type":"call","value":[2456,3052,2792,828]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x274, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,830]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x944000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,834]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x2ac, 
TargetProcessHandle=0xffffffff, TargetHandle=0x2b0, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,840]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,841]},"name":"RegOpenKeyEx(Registry=0x2b0, SubKey=\"{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2ac, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,843]},"name":"RegQueryValueEx(Handle=0x2ac, ValueName=\"Data\", Data=\"\\x00\\x00\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xbd\\xad\\xdb\\xba\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\xad\\xdb\\xba\\xbd\\xad\\xdb\\xba\\xbd\\xad\\xdb\\xba\\xbd\\xad\\xdb\\xba\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00I\\x00D\\x00E\\x00#\\x00C\\x00d\\x00R\\x00o\\x00m\\x00<\\x00W\\x00O\\x00O\\x00T\\x00>\\x00_\\x00H\\x00L\\x00-\\x00P\\x00Q\\x00-\\x00S\\x00V\\x00_\\x00W\\x00B\\x008\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x00_\\x002\\x00.\\x005\\x00+\\x00_\\x00_\\x00_\\x00_\\x00#\\x005\\x00&\\x002\\x007\\x007\\x000\\x00a\\x007\\x00a\\x00f\\x00&\\x000\\x00&\\x000\\x00.\\x000\\x00.\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\Data\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,845]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2ac, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,846]},"name":"RegOpenKeyEx(Registry=0x2ac, SubKey=\"{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,848]},"name":"RegQueryValueEx(Handle=0x2b0, ValueName=\"Generation\", Data=0x1, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\Generation\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,850]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x2b0, TargetProcessHandle=0xffffffff, TargetHandle=0x2ac, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,856]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2ac, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,857]},"name":"RegOpenKeyEx(Registry=0x2ac, SubKey=\"{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,859]},"name":"RegQueryValueEx(Handle=0x2b0, ValueName=\"Data\", 
Data=\"\\x00\\x00\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00W\\xa58\\x08\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x005\\x00f\\x000\\x00c\\x003\\x004\\x007\\x002\\x00-\\x00f\\x001\\x006\\x000\\x00-\\x001\\x001\\x00e\\x00a\\x00-\\x009\\x00f\\x000\\x00e\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\Data\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,861]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,862]},"name":"RegOpenKeyEx(Registry=0x2b0, SubKey=\"{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2ac, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,864]},"name":"RegQueryValueEx(Handle=0x2ac, ValueName=\"Generation\", Data=0x1, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\Generation\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,866]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x2ac, TargetProcessHandle=0xffffffff, TargetHandle=0x2b0, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,872]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,873]},"name":"RegOpenKeyEx(Registry=0x2b0, SubKey=\"{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2ac, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,875]},"name":"RegQueryValueEx(Handle=0x2ac, ValueName=\"Data\", Data=\"\\x00\\x00\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00D\\x82:\\\\x04@\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x005\\x00f\\x000\\x00c\\x003\\x004\\x007\\x002\\x00-\\x00f\\x001\\x006\\x000\\x00-\\x001\\x001\\x00e\\x00a\\x00-\\x009\\x00f\\x000\\x00e\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x006\\x005\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\Data\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,877]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\", Handle=0x2ac, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,878]},"name":"RegOpenKeyEx(Registry=0x2ac, SubKey=\"{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\\", Handle=0x2b0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,880]},"name":"RegQueryValueEx(Handle=0x2b0, ValueName=\"Generation\", Data=0x1, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\Generation\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,882]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,883]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, 
FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,887]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,888]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,892]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,893]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,897]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,898]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,902]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> 
OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,903]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,906]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,907]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,910]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,911]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2456,3052,2792,915]},"name":"NtQueryInformationFile(FileHandle=0xffffffff, HandleName=\"\", FileInformationClass=FileEaInformation, FileInformation=\"\") -> OBJECT_TYPE_MISMATCH"},{"address":{"type":"call","value":[2456,3052,2792,916]},"name":"NtCreateFile(FileHandle=0x2b0, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\MountPointManager\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, 
FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[3052,2192]},"name":"0000A65749F5902C4D82.exe","matched_threads":[{"address":{"type":"thread","value":[3052,2192,1476]},"matched_calls":[{"address":{"type":"call","value":[3052,2192,1476,138]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2c3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[3052,2192,2204]},"matched_calls":[{"address":{"type":"call","value":[3052,2192,2204,16]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4450000, RegionSize=0xc0000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,17]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4450000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,32]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,33]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2192,2204,35]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 
0x0"},{"address":{"type":"call","value":[3052,2192,2204,36]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2192,2204,38]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,39]},"name":"NtOpenKey(KeyHandle=0xdc, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,40]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,41]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,42]},"name":"NtQueryValueKey(KeyHandle=0xd8, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,137]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> 
INVALID_HANDLE"},{"address":{"type":"call","value":[3052,2192,2204,139]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,140]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1f50000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,141]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,142]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2b0000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,146]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,150]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x36e0000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,217]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,266]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,2192,2204,267]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,2192,2204,269]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,2192,2204,271]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,2192,2204,272]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,2192,2204,291]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,345]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x65f000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,356]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x18c"},{"address":{"type":"call","value":[3052,2192,2204,359]},"name":"NtQueryValueKey(KeyHandle=0x24, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2192,2204,363]},"name":"NtCreateFile(FileHandle=0x190, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[3052,2192,2204,365]},"name":"NtMapViewOfSection(SectionHandle=0x194, ProcessHandle=0xffffffff, BaseAddress=0x48b0000, SectionOffset=0x18e860, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,475]},"name":"NtOpenProcess(ProcessHandle=0x18c, DesiredAccess=PROCESS_DUP_HANDLE, ProcessIdentifier=0x2192) -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,477]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4b80000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,478]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4b80000, RegionSize=0x42000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,1076]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x2192) -> 0x194"},{"address":{"type":"call","value":[3052,2192,2204,1206]},"name":"NtOpenKey(KeyHandle=0x5c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[3052,2192,2204,1207]},"name":"NtQueryValueKey(KeyHandle=0x5c, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]}]},{"address":{"type":"process","value":[3052,1180]},"name":"jxoqwn.exe","matched_threads":[{"address":{"type":"thread","value":[3052,1180,500]},"matched_calls":[{"address":{"type":"call","value":[3052,1180,500,15]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e80000, RegionSize=0xc0000, Protection=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,16]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e80000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,31]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,32]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,1180,500,34]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,35]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,1180,500,37]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,38]},"name":"NtOpenKey(KeyHandle=0xdc, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", 
ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,39]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,40]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,41]},"name":"NtQueryValueKey(KeyHandle=0xd8, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,136]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[3052,1180,500,137]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,138]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x490000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,139]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,140]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2b0000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,145]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,149]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5b0000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,216]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,265]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,266]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,268]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,270]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,271]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,290]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,344]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6b7000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,355]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x18c"},{"address":{"type":"call","value":[3052,1180,500,358]},"name":"NtQueryValueKey(KeyHandle=0x24, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,1180,500,362]},"name":"NtCreateFile(FileHandle=0x190, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,364]},"name":"NtMapViewOfSection(SectionHandle=0x194, ProcessHandle=0xffffffff, BaseAddress=0x4930000, SectionOffset=0x18e860, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,476]},"name":"NtOpenProcess(ProcessHandle=0x18c, DesiredAccess=PROCESS_DUP_HANDLE, ProcessIdentifier=0x1180) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,477]},"name":"NtQuerySystemInformation(SystemInformationClass=0x16) -> INFO_LENGTH_MISMATCH"},{"address":{"type":"call","value":[3052,1180,500,478]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4c00000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,479]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, 
BaseAddress=0x4c00000, RegionSize=0x42000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,480]},"name":"NtQuerySystemInformation(SystemInformationClass=0x16) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,690]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77d00000, FunctionName=\"NtMapViewOfSection\", Ordinal=0x0, FunctionAddress=0x77d1fc80) -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,693]},"name":"NtMapViewOfSection(SectionHandle=0x1ac, ProcessHandle=0xffffffff, BaseAddress=0x4530000, SectionOffset=0x0, ViewSize=0x6a000, Win32Protect=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,694]},"name":"NtMapViewOfSection(SectionHandle=0x1ac, ProcessHandle=0x1a0, BaseAddress=0xc0000, SectionOffset=0x0, ViewSize=0x6a000, Win32Protect=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,699]},"name":"WriteProcessMemory(ProcessHandle=0x1a0, BaseAddress=0x1f102d, Buffer=\"\\xe9\\xe8\r\\xed\\xff\", BufferLength=0x5, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[3052,1180,500,717]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x692000, RegionSize=0x9000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,742]},"name":"NtOpenKey(KeyHandle=0x5c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[3052,1180,500,743]},"name":"NtQueryValueKey(KeyHandle=0x5c, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> 
OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[3052,1180,1692]},"matched_calls":[{"address":{"type":"call","value":[3052,1180,1692,141]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2e3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[3052,2852]},"name":"cmd.exe","matched_threads":[{"address":{"type":"thread","value":[3052,2852,2804]},"matched_calls":[{"address":{"type":"call","value":[3052,2852,2804,1]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[3052,2852,2804,4]},"name":"NtOpenThread(ThreadHandle=0xec, DesiredAccess=THREAD_ALL_ACCESS, ProcessId=0x2852, ThreadId=0x2804) -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,33]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6c0000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,34]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6c1000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,36]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6c2000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,53]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6c3000, RegionSize=0x5000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,55]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", 
ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,56]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2852,2804,58]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,59]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2852,2804,61]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,62]},"name":"NtOpenKey(KeyHandle=0xf0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,63]},"name":"NtOpenKey(KeyHandle=0xf4, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,64]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,65]},"name":"NtQueryValueKey(KeyHandle=0xf4, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,66]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x8e3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,67]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x8e4000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,68]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4710000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,69]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4710000, RegionSize=0x12000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,80]},"name":"NtQueryValueKey(KeyHandle=0x30, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[3052,2852,2804,84]},"name":"NtCreateFile(FileHandle=0xf8, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,86]},"name":"NtMapViewOfSection(SectionHandle=0xfc, ProcessHandle=0xffffffff, BaseAddress=0x4810000, SectionOffset=0x36edb8, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,110]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6c3000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,115]},"name":"NtCreateFile(FileHandle=0xfc, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Local\\Temp\\0000A65749F5902C4D82.exe\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,118]},"name":"NtCreateFile(FileHandle=0x100, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\System32\\calc.exe\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,119]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\xe0\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x0b\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,120]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,129]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", 
FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,138]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,147]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,156]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,165]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,174]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,183]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,186]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,188]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,190]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,192]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,194]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,196]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,198]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,200]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,202]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,204]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,206]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,208]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,210]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,212]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,214]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,216]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,218]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,220]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,222]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,224]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,226]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,228]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,230]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00<\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,232]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,234]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,236]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,238]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,240]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,242]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,244]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,246]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,248]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,250]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,252]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,254]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,256]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,258]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,260]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,262]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,264]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,266]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,268]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,270]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,271]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,272]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,273]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,274]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,275]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,276]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,277]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,278]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,279]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,280]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,281]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,282]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,283]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,284]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,285]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,286]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,287]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,288]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,289]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,290]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,291]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,292]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,293]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,294]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x92\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,295]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,296]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,297]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,298]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,299]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,300]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,301]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,302]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,303]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,304]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,305]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,306]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,307]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,308]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,309]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,310]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,311]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,312]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,313]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,314]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,315]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,316]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,317]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,318]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,319]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,320]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,321]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,322]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,323]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,324]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,325]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,326]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,327]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,328]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,329]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,330]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,331]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,332]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,333]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,334]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,335]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,336]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,337]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,338]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,339]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,340]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,341]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,342]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,343]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,344]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,345]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,346]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,347]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,348]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,349]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,350]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,351]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,352]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,353]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,354]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,355]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,356]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,357]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,358]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,359]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,360]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,361]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,362]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,363]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,364]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,365]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00 \\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,366]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,367]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,368]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,369]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,370]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,371]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,372]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,373]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,374]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,375]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,376]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,377]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,378]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,379]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,380]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,381]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,382]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,383]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,384]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,385]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,386]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,387]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00L\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,388]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,389]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,390]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,391]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,392]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,393]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,394]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,395]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,396]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,397]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,398]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,399]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,400]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,401]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,402]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,403]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,404]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,405]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,406]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,407]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,408]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,409]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00v\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,410]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,411]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,412]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,413]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,414]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,415]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,416]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,417]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,418]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,419]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,420]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,421]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,422]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,423]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,424]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,425]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,426]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,427]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,428]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,429]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,430]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,431]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,432]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,433]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,434]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,435]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,436]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,437]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,438]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,439]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,440]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,441]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,442]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,443]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,444]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,445]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,446]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,447]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,448]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,449]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,450]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,451]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,452]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,453]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,454]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,455]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,456]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,457]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,458]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,459]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,460]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,461]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,462]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,463]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,464]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,465]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,466]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,467]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,468]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,469]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,470]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,471]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,472]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x01\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,473]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,474]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,475]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,476]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,477]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,478]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,479]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,480]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,481]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,482]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,483]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,484]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,485]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,486]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,487]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,488]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,489]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,490]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,491]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,492]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,493]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,494]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,495]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,496]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,497]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,498]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,499]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,500]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,501]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,502]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,503]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,504]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,505]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,506]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,507]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,508]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,509]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,510]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,511]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,512]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,513]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,514]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,515]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,516]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00L\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,517]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,518]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,519]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,520]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,521]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,522]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,523]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,524]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,525]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,526]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,527]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,528]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,529]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,530]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,531]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,532]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,533]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,534]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,535]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,536]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,537]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,538]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00x\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,539]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,540]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,541]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,542]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,543]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,544]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,545]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,546]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,547]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,548]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,549]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,550]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,551]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,552]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,553]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,554]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,555]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,556]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,557]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,558]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,559]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,560]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,561]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,562]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,563]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,564]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,565]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,566]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,567]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,568]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,569]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,570]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,576]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,577]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,578]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,579]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,580]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,581]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,582]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,583]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,584]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,585]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,586]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,587]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,588]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,589]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,590]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,591]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,592]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,593]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,594]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,595]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,596]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,597]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,598]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,599]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,600]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,601]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,602]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,603]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,604]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,605]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,606]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,607]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x02\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,608]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,609]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,610]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,611]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,612]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x02\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,613]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,614]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,615]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,616]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,617]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,618]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,619]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,620]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,621]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,622]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,623]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,624]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,625]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,626]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,627]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,628]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,629]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00 \\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,630]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,631]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,632]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,633]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,634]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,635]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,636]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,637]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,638]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,639]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,640]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,641]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,642]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,643]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,644]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,645]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,646]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,647]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,648]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,649]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,650]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,651]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00L\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,652]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,653]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,654]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,655]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,656]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,657]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,658]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,659]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,660]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,661]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,662]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,663]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,664]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,665]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,666]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,667]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,668]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,669]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,670]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,671]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,672]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,673]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00x\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,674]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,675]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,676]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,677]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,678]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,679]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,680]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,681]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,682]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,683]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,684]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,685]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,686]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,687]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,688]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,689]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,690]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,691]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,692]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,693]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,694]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,695]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,696]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,697]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,698]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,699]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,700]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,701]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,702]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,703]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,704]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,705]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,706]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,707]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,708]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,709]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,710]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,711]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,712]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,713]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,714]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,715]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,716]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,717]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,718]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,719]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,720]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,721]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,722]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,723]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,724]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,725]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,726]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,727]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,728]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,729]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,730]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,731]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,732]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,733]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,734]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,735]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,736]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x03\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,737]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,738]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,739]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,740]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x03\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,741]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,742]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,743]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,744]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,745]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,746]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,747]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,748]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,749]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,750]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,751]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,752]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,753]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,754]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,755]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,756]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,757]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,758]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\"\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,759]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,760]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,761]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,762]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,763]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,764]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,765]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,766]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,767]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,768]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,769]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,770]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,771]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,772]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,773]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,774]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,775]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,776]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,777]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,778]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,779]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,780]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00N\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,781]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,782]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,783]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,784]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,785]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,786]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,787]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,788]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,789]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,790]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,791]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,792]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,793]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,794]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,795]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,796]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,797]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,798]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,799]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,800]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,801]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,802]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00z\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,803]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,804]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,805]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,806]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,807]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,808]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,809]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,810]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,811]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,812]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,813]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,814]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,815]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,816]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,817]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,818]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,819]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,820]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,821]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,822]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,823]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,824]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,825]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,826]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,827]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,828]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,829]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,830]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,831]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,832]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,833]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,834]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,835]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,836]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,837]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,838]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,839]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,840]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,841]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,842]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,843]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,844]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,845]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,846]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,847]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,848]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,849]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,850]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,851]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,852]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,853]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,854]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,855]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,856]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,857]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,858]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,859]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,860]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,861]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,862]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,863]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,864]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,865]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x04\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,866]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,867]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,868]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x04\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,869]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,870]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,871]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,872]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,873]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,874]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,875]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,876]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,877]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,878]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,879]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,880]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,881]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,882]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,883]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,884]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,885]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,886]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,887]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00$\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,888]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,889]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,890]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,891]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,892]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,893]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,894]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,895]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,896]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,897]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,898]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,899]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,900]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,901]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,902]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,903]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,904]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,905]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,906]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,907]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,908]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,909]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00P\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,910]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,911]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,912]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,913]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,914]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,915]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,916]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,917]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,918]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,919]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,920]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,921]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,922]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,923]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,924]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,925]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,926]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,927]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,928]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,929]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,930]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,931]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00|\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,932]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,933]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,934]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,935]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,936]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,937]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,938]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,939]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,940]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,941]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,942]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,943]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,944]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,945]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,946]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,947]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,948]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,949]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,950]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,951]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,952]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,953]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,954]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,955]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,956]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,957]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,958]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,959]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,960]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,961]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,962]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,963]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,964]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,965]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,966]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,967]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,968]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,969]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,970]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,971]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,972]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,973]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,974]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,975]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,976]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,977]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,978]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,979]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,980]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,981]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,982]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,983]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,984]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,985]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,986]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,987]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,988]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,989]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,990]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,991]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,992]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,993]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,994]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x05\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,995]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,996]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x05\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,997]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,998]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,999]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1000]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1001]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1002]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1003]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1004]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1005]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1006]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1007]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1008]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1009]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1010]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1011]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1012]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1013]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1014]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1015]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1016]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1017]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1018]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1019]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1020]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1021]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1022]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1023]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x004\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1024]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1025]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1026]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1027]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1028]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1029]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1030]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1031]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1032]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1033]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1034]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1035]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1036]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1037]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1038]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1039]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1040]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1041]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1042]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1043]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1044]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1045]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00`\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1046]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1047]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1048]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1049]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1050]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1051]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1052]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1053]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1054]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1055]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1056]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1057]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1058]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1059]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1060]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1061]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1062]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1063]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1064]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1065]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1066]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1067]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x8c\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1068]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1069]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1070]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1071]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1072]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1073]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1074]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1075]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1076]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1077]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1078]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1079]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1080]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1081]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1082]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1083]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1084]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1085]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1086]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1087]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1088]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1089]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1090]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1091]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1092]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1093]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1094]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1095]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1096]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1097]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1098]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1099]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1100]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1101]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1102]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1103]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1104]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1105]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1106]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1107]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1108]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1109]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1110]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1111]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1112]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1113]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1114]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1115]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1116]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1117]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1118]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1119]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1120]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1121]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1122]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1123]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x06\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1124]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x06\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1125]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1126]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1127]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1128]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1129]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1130]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1131]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1132]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1133]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1134]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1135]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1136]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1137]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1138]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1139]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1140]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1141]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1142]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1143]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1144]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1145]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1146]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1147]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1148]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1149]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1150]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1151]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1152]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x006\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1153]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1154]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1155]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1156]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1157]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1158]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1159]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1160]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1161]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1162]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1163]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1164]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1165]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1166]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1167]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1168]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1169]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1170]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1171]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1172]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1173]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1174]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00b\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1175]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1176]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1177]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1178]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1179]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1180]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1181]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1182]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1183]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1184]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1185]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1186]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1187]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1188]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1189]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1190]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1191]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1192]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1193]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1194]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1195]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1196]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x8e\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1197]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1198]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1199]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1200]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1201]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1202]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1203]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1204]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1205]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1206]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1207]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1208]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1209]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1210]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1211]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1212]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1213]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1214]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1215]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1216]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1217]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1218]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1219]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1220]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1221]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1222]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1223]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1224]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1225]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1226]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1227]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1228]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1229]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1230]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1231]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1232]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1233]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1234]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1235]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1236]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1237]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1238]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1239]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1240]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1241]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1242]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1243]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1244]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1245]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1246]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1247]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1248]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1249]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1250]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1251]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1252]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x07\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1253]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x07\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1254]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1255]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1256]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1257]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1258]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1259]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1260]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1261]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1262]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1263]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1264]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1265]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1266]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1267]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1268]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1269]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1270]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1271]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1272]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1273]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1274]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1275]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1276]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1277]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1278]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1279]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1280]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1281]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x006\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1282]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1283]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1284]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1285]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1286]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1287]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1288]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1289]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1290]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1291]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1292]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1293]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1294]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1295]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1296]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1297]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1298]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1299]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1300]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1301]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1302]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1303]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00b\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1304]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1305]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1306]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1307]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1308]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1309]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1310]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1311]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1312]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1313]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1314]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1315]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1316]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1317]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1318]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1319]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1320]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1321]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1322]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1323]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1324]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1325]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x8c\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1326]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1327]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1328]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1329]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1330]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1331]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1332]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1333]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1334]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1335]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1336]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1337]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1338]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1339]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1340]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1341]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1342]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1343]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1344]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1345]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1346]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1347]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1348]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1349]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1351]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1357]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1455]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1457]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1458]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1459]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1460]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1461]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1462]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1463]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1465]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1466]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1471]},"name":"NtSetInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1472]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1473]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1474]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1475]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1476]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1477]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1478]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1479]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1480]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1481]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1482]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1483]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1553]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1554]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1555]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1556]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1557]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1558]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1559]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1560]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1561]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1562]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1563]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1564]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1565]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\\x08\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1568]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\\x08\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1569]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1570]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1571]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1572]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1573]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1574]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1575]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1576]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1577]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1578]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1579]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1580]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1581]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1582]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1583]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x1c\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1584]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1585]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1586]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1587]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1588]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1589]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1590]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\t\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1591]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1592]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1593]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1594]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1595]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1596]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1597]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1598]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1599]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1600]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1601]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1602]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1603]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1604]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1605]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\t\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1606]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1607]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1608]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1609]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1610]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1611]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1612]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1613]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1614]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1615]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1616]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1617]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1618]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1619]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1620]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\t\\x00\\x00\\x00\\x00\\x00\") 
-> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1621]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1622]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1623]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1624]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1625]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1626]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1627]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1628]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1629]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1630]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1631]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1632]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1633]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1634]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1635]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x84\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1636]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1637]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1638]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1639]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1640]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1641]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1642]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\t\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1643]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1644]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1645]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1646]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1647]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1648]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1649]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1650]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1651]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1652]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1653]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1654]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1655]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1656]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1657]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\xb0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1658]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1659]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1660]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1661]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1662]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1663]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1664]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\t\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1665]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1666]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1667]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1668]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1669]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1670]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1671]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1672]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1673]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1674]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1675]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1676]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1677]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1678]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1679]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\xdc\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1680]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1681]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1682]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1683]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1684]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1685]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1686]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\t\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1687]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1688]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1689]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1690]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1691]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1692]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1693]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1694]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1695]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1696]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\t\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1697]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1698]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1699]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1700]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1701]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x08\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1702]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1703]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1704]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1705]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1706]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x12\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1707]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1708]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1709]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1710]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1711]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1712]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1713]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1714]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1715]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1716]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1717]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1718]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1719]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1720]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1721]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1722]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1723]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1724]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1725]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1726]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1727]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1728]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00>\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1729]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1730]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1731]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1732]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1733]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1734]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1735]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1736]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1737]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1738]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1739]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1740]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1741]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1742]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1743]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1744]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1745]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1746]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1747]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1748]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1749]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1750]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00j\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1751]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1752]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1753]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1754]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1755]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1756]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1757]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1758]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1759]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1760]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1761]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1762]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1763]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1764]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1765]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1766]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1767]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1768]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x8e\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1769]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1770]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1771]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1772]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x96\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1773]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1774]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1775]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1776]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1777]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1778]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1779]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1780]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1781]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1782]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1783]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1784]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1785]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1786]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1787]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1788]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1789]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1790]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\xba\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1791]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1792]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1793]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1794]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1795]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1796]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1797]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1798]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1799]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1800]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1801]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1802]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1803]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1804]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1805]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1806]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xda\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1807]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xdc\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1808]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xde\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1809]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1810]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1811]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe4\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1812]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\xe6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1813]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xe8\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1814]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xea\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1815]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xec\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1816]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xee\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1817]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf0\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1818]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf2\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1819]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf4\n\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1820]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf6\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1821]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xf8\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1822]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfa\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1823]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfc\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1824]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xfe\n\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1825]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1826]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x02\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1827]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x04\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1828]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x06\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1829]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x08\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1830]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\n\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1831]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0c\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1832]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x0e\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1833]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x10\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1834]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x12\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1835]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x14\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1836]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x16\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1837]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x18\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1838]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1a\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1839]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1c\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1840]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x1e\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1841]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00 \\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1842]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\"\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1843]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00$\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1844]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00&\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1845]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00(\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1846]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00*\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1847]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00,\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1848]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00.\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1849]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x000\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1850]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x002\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1851]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x004\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1852]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x006\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1853]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x008\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1854]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00:\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1855]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00<\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1856]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00>\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1857]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00@\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1858]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00B\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1859]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00D\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1860]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00F\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1861]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00H\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1862]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00J\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1863]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00L\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1864]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00N\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1865]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00P\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1866]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00R\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1867]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00T\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1868]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00V\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1869]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00X\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1870]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00Z\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1871]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1872]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00^\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1873]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00`\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1874]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00b\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1875]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00d\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1876]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00f\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1877]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00h\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1878]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00j\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1879]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00l\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1880]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00n\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1881]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00p\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1882]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00r\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1883]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00t\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1884]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00v\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1885]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00x\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1886]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00z\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1887]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00|\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1888]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00~\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1889]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x80\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1890]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x82\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1891]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x84\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1892]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x86\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1893]},"name":"NtQueryInformationFile(FileHandle=0x100, 
HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x88\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1894]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8a\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1895]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8c\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1896]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x8e\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1897]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x90\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1898]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x92\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1899]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x94\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1900]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, 
FileInformation=\"\\x00\\x96\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1901]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x98\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1902]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9a\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1903]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9c\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1904]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x9e\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1905]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa0\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1906]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa2\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1907]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa4\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1908]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa6\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1909]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xa8\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1910]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xaa\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1911]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xac\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1912]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xae\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1913]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb0\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1914]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb2\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1915]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb4\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1916]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb6\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1917]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xb8\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1918]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xba\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1919]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbc\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1920]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xbe\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1921]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc0\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1922]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc2\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1923]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc4\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1924]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc6\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1925]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xc8\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1926]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xca\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1927]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xcc\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1928]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xce\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[3052,2852,2804,1929]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd0\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1930]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd2\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1931]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd4\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1932]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd6\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1933]},"name":"NtQueryInformationFile(FileHandle=0x100, HandleName=\"C:\\Windows\\SysWOW64\\calc.exe\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\xd8\\x0b\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1957]},"name":"NtOpenKey(KeyHandle=0x68, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[3052,2852,2804,1958]},"name":"NtQueryValueKey(KeyHandle=0x68, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> 
OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[3052,2852,2868]},"matched_calls":[{"address":{"type":"call","value":[3052,2852,2868,1382]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[3052,2852,2868,1498]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[3052,2852,2868,1552]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x12c, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[3052,2852,2868,1566]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6ef000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[2852,2900]},"name":"PING.EXE","matched_threads":[{"address":{"type":"thread","value":[2852,2900,3000]},"matched_calls":[{"address":{"type":"call","value":[2852,2900,3000,30]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0xa3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[2852,2900,3004]},"matched_calls":[{"address":{"type":"call","value":[2852,2900,3004,28]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2d2000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[2852,2900,2904]},"matched_calls":[{"address":{"type":"call","value":[2852,2900,2904,16]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[2852,2900,2904,19]},"name":"WSAStartup(VersionRequested=0x2) 
-> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,23]},"name":"getaddrinfo(NodeName=\"127.0.0.1\", ServiceName=\"\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,25]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2d0000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,38]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2d7000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,43]},"name":"NtOpenKey(KeyHandle=0x138, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,44]},"name":"NtQueryValueKey(KeyHandle=0x138, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,48]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x44d0000, RegionSize=0x80000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,50]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4510000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,85]},"name":"NtOpenKey(KeyHandle=0x138, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows 
Error Reporting\\WMR\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,86]},"name":"NtQueryValueKey(KeyHandle=0x138, ValueName=\"Disable\", Type=REG_DWORD, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,90]},"name":"NtCreateFile(FileHandle=0x13c, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\Nsi\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,200]},"name":"NtOpenKey(KeyHandle=0x68, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2904,201]},"name":"NtQueryValueKey(KeyHandle=0x68, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[2852,2900,1744]},"matched_calls":[{"address":{"type":"call","value":[2852,2900,1744,27]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x110, Options=0x2) -> 0x0"}]},{"address":{"type":"thread","value":[2852,2900,2032]},"matched_calls":[{"address":{"type":"call","value":[2852,2900,2032,31]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x11c, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2852,2900,2032,32]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2d3000, RegionSize=0x2000, 
Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2852,2900,2032,33]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2d5000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[1180,1852]},"name":"explorer.exe","matched_threads":[{"address":{"type":"thread","value":[1180,1852,920]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,920,9]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\OLEAUT\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,920,11]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventWrite\", Ordinal=0x0, FunctionAddress=0x77d5979d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,12]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventRegister\", Ordinal=0x0, FunctionAddress=0x77d42875) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,13]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventUnregister\", Ordinal=0x0, FunctionAddress=0x77d5923d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,14]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ntdll.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,15]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77d00000, FunctionName=\"RtlUnhandledExceptionFilter\", Ordinal=0x0, FunctionAddress=0x77dc911e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,16]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77d00000, FunctionName=\"RtlIsThreadWithinLoaderCallout\", Ordinal=0x0, FunctionAddress=0x77d3cc51) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,920,17]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4f0000, RegionSize=0x20000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,18]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4f0000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,19]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9f0000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,20]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9f1000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,22]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventWrite\", Ordinal=0x0, FunctionAddress=0x77d5979d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,23]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventRegister\", Ordinal=0x0, FunctionAddress=0x77d42875) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,24]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventUnregister\", Ordinal=0x0, FunctionAddress=0x77d5923d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,25]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9f2000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,26]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9f3000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,920,27]},"name":"HeapCreate(Options=0x0, InitialSize=0x0, MaximumSize=0x0) -> 0x4650000"},{"address":{"type":"call","value":[1180,1852,920,28]},"name":"NtCreateFile(FileHandle=0x114, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\SysWOW64\\en-US\\SETUPAPI.dll.mui\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_DELETE, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,30]},"name":"NtMapViewOfSection(SectionHandle=0x118, ProcessHandle=0xffffffff, BaseAddress=0x510000, SectionOffset=0x5be7c0, ViewSize=0xd000, Win32Protect=PAGE_WRITECOPY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,32]},"name":"NtOpenKey(KeyHandle=0x118, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,33]},"name":"NtQueryValueKey(KeyHandle=0x118, ValueName=\"Disable\", Type=REG_DWORD, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,35]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Setup\", Handle=0x118, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,36]},"name":"LdrLoadDll(Flags=0x0, FileName=\"API-MS-Win-Core-LocalRegistry-L1-1-0.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,37]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"RegQueryValueExW\", Ordinal=0x0, FunctionAddress=0x75af1dda) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,38]},"name":"RegQueryValueEx(Handle=0x118, ValueName=\"SourcePath\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,920,40]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\", Handle=0x118, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,42]},"name":"NtOpenKey(KeyHandle=0x11c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,43]},"name":"NtQueryValueKey(KeyHandle=0x11c, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,920,45]},"name":"NtOpenKey(KeyHandle=0x11c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,46]},"name":"NtQueryValueKey(KeyHandle=0x11c, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,920,49]},"name":"NtCreateMutant(Handle=0x11c, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,50]},"name":"NtCreateMutant(Handle=0x124, MutexName=\"\", InitialOwner=0x0) 
-> 0x0"},{"address":{"type":"call","value":[1180,1852,920,52]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x533000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,53]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4510000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,54]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4510000, RegionSize=0x12000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,55]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x537000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,65]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ADVAPI32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,66]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegisterTraceGuidsW\", Ordinal=0x0, FunctionAddress=0x77d42983) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,68]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventRegister\", Ordinal=0x0, FunctionAddress=0x77d42875) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,69]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventUnregister\", Ordinal=0x0, FunctionAddress=0x77d5923d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,70]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EventEnabled\", Ordinal=0x0, FunctionAddress=0x77d3875f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,71]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", 
ModuleHandle=0x776a0000, FunctionName=\"EventWrite\", Ordinal=0x0, FunctionAddress=0x77d5979d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,72]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,920,74]},"name":"HeapCreate(Options=0x0, InitialSize=0x80000, MaximumSize=0x0) -> 0x4730000"},{"address":{"type":"call","value":[1180,1852,920,75]},"name":"NtCreateEvent(Handle=0x138, EventName=\"dkncd2gaf\", EventType=0x1, InitialState=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,80]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleHandleA\", Ordinal=0x0, FunctionAddress=0x75af1245) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,82]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,83]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateToolhelp32Snapshot\", Ordinal=0x0, FunctionAddress=0x75b174bf) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,84]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Process32First\", Ordinal=0x0, FunctionAddress=0x75b18c53) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,85]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Process32Next\", Ordinal=0x0, FunctionAddress=0x75b189aa) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,86]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Module32First\", Ordinal=0x0, FunctionAddress=0x75b76571) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,920,87]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Module32Next\", Ordinal=0x0, FunctionAddress=0x75b7665a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,88]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateRemoteThread\", Ordinal=0x0, FunctionAddress=0x75b749fb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,89]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WriteProcessMemory\", Ordinal=0x0, FunctionAddress=0x75b0da40) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,90]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReadProcessMemory\", Ordinal=0x0, FunctionAddress=0x75b0d034) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,91]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"OpenProcess\", Ordinal=0x0, FunctionAddress=0x75af1962) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,92]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,93]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualFreeEx\", Ordinal=0x0, FunctionAddress=0x75b0da28) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,94]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualProtect\", Ordinal=0x0, FunctionAddress=0x75af43ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,95]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WaitForSingleObject\", Ordinal=0x0, 
FunctionAddress=0x75af1136) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,96]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetLastError\", Ordinal=0x0, FunctionAddress=0x75af11a9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,97]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b1bf9e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,98]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetCurrentDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b01874) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,99]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateProcessA\", Ordinal=0x0, FunctionAddress=0x75af1072) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,100]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleFileNameA\", Ordinal=0x0, FunctionAddress=0x75af1491) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,101]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetFilePointer\", Ordinal=0x0, FunctionAddress=0x75af17ad) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,102]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetEndOfFile\", Ordinal=0x0, FunctionAddress=0x75b0ce96) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,103]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindFirstFileA\", Ordinal=0x0, FunctionAddress=0x75afe30e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,104]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"FindNextFileA\", Ordinal=0x0, FunctionAddress=0x75b1bfe6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,105]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindClose\", Ordinal=0x0, FunctionAddress=0x75af44b1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,106]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateFileA\", Ordinal=0x0, FunctionAddress=0x75af5db6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,107]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateFileW\", Ordinal=0x0, FunctionAddress=0x75af4074) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,108]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReadFile\", Ordinal=0x0, FunctionAddress=0x75af3fe5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,109]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WriteFile\", Ordinal=0x0, FunctionAddress=0x75af1282) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,110]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CloseHandle\", Ordinal=0x0, FunctionAddress=0x75af13f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,111]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DeleteFileA\", Ordinal=0x0, FunctionAddress=0x75af5e34) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,112]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LoadLibraryA\", Ordinal=0x0, FunctionAddress=0x75af48d7) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,113]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"GetCurrentThreadId\", Ordinal=0x0, FunctionAddress=0x75af1430) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,114]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"MoveFileA\", Ordinal=0x0, FunctionAddress=0x75b6dfc9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,115]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LocalFree\", Ordinal=0x0, FunctionAddress=0x75af2f4c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,116]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b1bfce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,117]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetVolumeInformationA\", Ordinal=0x0, FunctionAddress=0x75b16f43) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,118]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateThread\", Ordinal=0x0, FunctionAddress=0x75af24e4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,119]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"OpenThread\", Ordinal=0x0, FunctionAddress=0x75b01288) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,120]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ExpandEnvironmentStringsA\", Ordinal=0x0, FunctionAddress=0x75b0eed1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,121]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualProtectEx\", Ordinal=0x0, FunctionAddress=0x75b74e4f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,122]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"InterlockedCompareExchange\", Ordinal=0x0, FunctionAddress=0x75af1464) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,123]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ntdll.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,124]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77d00000, FunctionName=\"ZwQueryInformationThread\", Ordinal=0x0, FunctionAddress=0x77d1fc38) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,125]},"name":"LdrLoadDll(Flags=0x0, FileName=\"advapi32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,126]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"AdjustTokenPrivileges\", Ordinal=0x0, FunctionAddress=0x776b40be) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,127]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegOpenKeyExA\", Ordinal=0x0, FunctionAddress=0x776b483b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,128]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegCreateKeyExA\", Ordinal=0x0, FunctionAddress=0x776b1399) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,129]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegQueryInfoKeyA\", Ordinal=0x0, FunctionAddress=0x776ae0ab) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,130]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegEnumValueA\", Ordinal=0x0, FunctionAddress=0x776aceb1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,131]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegEnumKeyExA\", Ordinal=0x0, FunctionAddress=0x776b13b1) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,920,132]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegSetValueExA\", Ordinal=0x0, FunctionAddress=0x776b13e3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,133]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegQueryValueExA\", Ordinal=0x0, FunctionAddress=0x776b4823) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,134]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegCloseKey\", Ordinal=0x0, FunctionAddress=0x776b45cd) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,135]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegDeleteValueA\", Ordinal=0x0, FunctionAddress=0x776ca46a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,136]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"AllocateAndInitializeSid\", Ordinal=0x0, FunctionAddress=0x776b4016) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,137]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetEntriesInAclA\", Ordinal=0x0, FunctionAddress=0x776f18f9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,138]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetNamedSecurityInfoA\", Ordinal=0x0, FunctionAddress=0x776f18b0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,139]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"FreeSid\", Ordinal=0x0, FunctionAddress=0x776b405e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,140]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"LookupAccountSidA\", Ordinal=0x0, 
FunctionAddress=0x776e207c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,141]},"name":"LdrLoadDll(Flags=0x0, FileName=\"shell32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,142]},"name":"LdrGetProcedureAddress(ModuleName=\"SHELL32.dll\", ModuleHandle=0x75d70000, FunctionName=\"ShellExecuteA\", Ordinal=0x0, FunctionAddress=0x75fb8790) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,144]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"IsWow64Process\", Ordinal=0x0, FunctionAddress=0x75af193a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,147]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,148]},"name":"LdrLoadDll(Flags=0x0, FileName=\"user32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,149]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"MessageBoxA\", Ordinal=0x0, FunctionAddress=0x777bfdae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,150]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"FindWindowA\", Ordinal=0x0, FunctionAddress=0x7776fffe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,151]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"SendMessageA\", Ordinal=0x0, FunctionAddress=0x777771fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,152]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"PostMessageA\", Ordinal=0x0, FunctionAddress=0x77774bbc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,153]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, 
FunctionName=\"GetForegroundWindow\", Ordinal=0x0, FunctionAddress=0x77774458) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,154]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"RegisterClassExA\", Ordinal=0x0, FunctionAddress=0x7776dba8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,155]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"CreateWindowExA\", Ordinal=0x0, FunctionAddress=0x7776d23e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,156]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"ShowWindow\", Ordinal=0x0, FunctionAddress=0x77770e13) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,157]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"UpdateWindow\", Ordinal=0x0, FunctionAddress=0x77773db1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,158]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"GetMessageA\", Ordinal=0x0, FunctionAddress=0x77767bd3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,159]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"TranslateMessage\", Ordinal=0x0, FunctionAddress=0x77767809) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,160]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"DispatchMessageA\", Ordinal=0x0, FunctionAddress=0x77767bbb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,161]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"DestroyWindow\", Ordinal=0x0, FunctionAddress=0x77769a55) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,162]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, 
FunctionName=\"UnregisterClassA\", Ordinal=0x0, FunctionAddress=0x7776dcfd) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,163]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"DefWindowProcA\", Ordinal=0x0, FunctionAddress=0x77d3cd12) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,164]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"PostQuitMessage\", Ordinal=0x0, FunctionAddress=0x77769abb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,165]},"name":"NtCreateEvent(Handle=0x140, EventName=\"uIjiFtq\", EventType=0x1, InitialState=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,166]},"name":"CreateThread(StartRoutine=0xc1661, Parameter=0x0, CreationFlags=0x0, ThreadId=0x2596) -> 0x144"},{"address":{"type":"call","value":[1180,1852,920,167]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\uxtheme.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,168]},"name":"LdrGetProcedureAddress(ModuleName=\"UxTheme.dll\", ModuleHandle=0x75230000, FunctionName=\"ThemeInitApiHook\", Ordinal=0x0, FunctionAddress=0x75244571) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,174]},"name":"NtMapViewOfSection(SectionHandle=0x14c, ProcessHandle=0xffffffff, BaseAddress=0x4830000, SectionOffset=0x5befb8, ViewSize=0xdf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,183]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"IsProcessDPIAware\", Ordinal=0x0, FunctionAddress=0x777681a6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,184]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4651000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,920,185]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4655000, RegionSize=0x11000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,186]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4666000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,195]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4667000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,196]},"name":"LdrLoadDll(Flags=0x0, FileName=\"dwmapi.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,197]},"name":"LdrGetProcedureAddress(ModuleName=\"dwmapi.dll\", ModuleHandle=0x744e0000, FunctionName=\"DwmIsCompositionEnabled\", Ordinal=0x0, FunctionAddress=0x744e1603) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,198]},"name":"LdrLoadDll(Flags=0x0, FileName=\"user32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,199]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"ChangeWindowMessageFilter\", Ordinal=0x0, FunctionAddress=0x7776b6df) -> 0x0"},{"address":{"type":"call","value":[1180,1852,920,200]},"name":"ChangeWindowMessageFilter(message=0x2, dwFlag=0x1) -> 0x1"}]},{"address":{"type":"thread","value":[1180,1852,2596]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2596,170]},"name":"FindResourceEx(Module=0xc0000, Type=\"#10\", Name=0x3, Language=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,171]},"name":"FindResourceEx(Module=0xc0000, Type=\"#3\", Name=0x3, Language=0x0) -> 0xd7128"},{"address":{"type":"call","value":[1180,1852,2596,175]},"name":"FindResourceEx(Module=0xc0000, Type=\"#10\", Name=0x2, Language=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,176]},"name":"FindResourceEx(Module=0xc0000, Type=\"#3\", Name=0x2, Language=0x0) -> 0xd7118"},{"address":{"type":"call","value":[1180,1852,2596,179]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4910000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,180]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4910000, RegionSize=0x10000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,181]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4920000, RegionSize=0x10000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,205]},"name":"FindResourceEx(Module=0xc0000, Type=\"#10\", Name=0x1, Language=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,206]},"name":"FindResourceEx(Module=0xc0000, Type=\"#3\", Name=0x1, Language=0x0) -> 0xd7108"},{"address":{"type":"call","value":[1180,1852,2596,209]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4930000, RegionSize=0x3f000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,210]},"name":"FindResourceEx(Module=0x492f858, Type=\"#10\", Name=0x8, Language=0x0) -> 0x495a900"},{"address":{"type":"call","value":[1180,1852,2596,213]},"name":"NtCreateMutant(Handle=0x154, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,217]},"name":"NtCreateFile(FileHandle=0x150, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,218]},"name":"NtQueryInformationFile(FileHandle=0x150, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", FileInformationClass=FileStandardInformation, FileInformation=\"`\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,221]},"name":"NtClose(Handle=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2596,228]},"name":"LdrGetDllHandle(FileName=\"avcuf32.dll\", ModuleHandle=0x0) -> DLL_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,232]},"name":"CreateThread(StartRoutine=0xc1577, Parameter=0x0, CreationFlags=0x0, ThreadId=0x764) -> 0x150"},{"address":{"type":"call","value":[1180,1852,2596,233]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x158"},{"address":{"type":"call","value":[1180,1852,2596,234]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,235]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,236]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,238]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,239]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> 
ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,241]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,242]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,244]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,245]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,247]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,248]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,250]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,251]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,253]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,254]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,256]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,257]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,259]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,260]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,262]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,263]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,265]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,266]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,268]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,269]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,271]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,272]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,274]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,275]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,277]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,278]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,280]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{6182725B-398A-45B3-991F-6E4EF92107FC}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,281]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x896) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,283]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,284]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,286]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,287]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,289]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,290]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,292]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,293]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,295]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{2C25023A-A136-43A5-9306-02B6D2726D77}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,299]},"name":"NtOpenProcess(ProcessHandle=0x15c, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1140) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,301]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x496f000, RegionSize=0x2d000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,302]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x499c000, RegionSize=0x2d000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,307]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x15c, BaseAddress=0x1c40000, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,489]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x15c, BaseAddress=0x1c70000, RegionSize=0x2d000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,492]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x15c, BaseAddress=0x1ca0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,496]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x520000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,497]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x540000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,498]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x990000, 
RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,637]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,640]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,642]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{0C65146B-AE86-4F2C-8324-82DB3B6F2B69}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,643]},"name":"NtOpenProcess(ProcessHandle=0x1a4, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1224) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,644]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4969000, RegionSize=0x2d000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,645]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4996000, RegionSize=0x2d000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,646]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x1a4, BaseAddress=0x1ba0000, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,701]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x1a4, BaseAddress=0x1e80000, RegionSize=0x2d000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,706]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x1a4, BaseAddress=0x1cf0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,717]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9a0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,718]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9b0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,719]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1ec0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1095]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{36FAD353-ECC1-48FC-9C88-72C90B8BE41B}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1096]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1248) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1097]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x36f0000, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1231]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x3720000, RegionSize=0x2d000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1234]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x2170000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1237]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x3470000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,1238]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x35c0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1239]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x35d0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1246]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1247]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1249]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1250]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1252]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CD3DFDA4-81F2-43D7-849A-029481EB1E7A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1253]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1680) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1254]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x100000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,1257]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x150000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1260]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x180000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1263]},"name":"CreateRemoteThread(ProcessHandle=0x470, StartRoutine=0x180000, Parameter=0x150000, CreationFlags=0x0, ThreadId=0x3044) -> 0x4ec"},{"address":{"type":"call","value":[1180,1852,2596,1271]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10772024-55D1-484C-AB42-13271D391A3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1272]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1712) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1273]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x2860000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1276]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x2890000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1279]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0xa90000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1282]},"name":"CreateRemoteThread(ProcessHandle=0x470, StartRoutine=0xa90000, Parameter=0x2890000, CreationFlags=0x0, ThreadId=0x1592) -> 0x4f0"},{"address":{"type":"call","value":[1180,1852,2596,1288]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1289]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1291]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1292]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1294]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1295]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1297]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1298]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1300]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1301]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1303]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1304]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1306]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1307]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1309]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1310]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1312]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1313]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1315]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{AE6445F6-9FEE-4B6F-85DE-B14739A3A85A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1316]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2456) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1317]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x2c80000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1320]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x3330000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1325]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x29e0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1328]},"name":"CreateRemoteThread(ProcessHandle=0x470, StartRoutine=0x29e0000, Parameter=0x3330000, CreationFlags=0x0, ThreadId=0x1948) -> 0x4f4"},{"address":{"type":"call","value":[1180,1852,2596,1334]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FCCC703F-C4A8-4EB7-9282-810A79D129DD}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1335]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2852) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1336]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x230000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1339]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x370000, RegionSize=0x29000, 
Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1477]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1d0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1550]},"name":"CreateRemoteThread(ProcessHandle=0x470, StartRoutine=0x1d0000, Parameter=0x370000, CreationFlags=0x0, ThreadId=0x2868) -> 0x4f8"},{"address":{"type":"call","value":[1180,1852,2596,1556]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C72FB551-BE50-451F-86D0-DDBA7123AD9A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1557]},"name":"NtOpenProcess(ProcessHandle=0x470, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1412) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1558]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1b20000, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1561]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1ba0000, RegionSize=0x2d000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1564]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1b50000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1567]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x3680000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1568]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x3690000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,1571]},"name":"NtFreeVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1b20000, RegionSize=0x0, FreeType=0x8000) -> PROCESS_IS_TERMINATING"},{"address":{"type":"call","value":[1180,1852,2596,1572]},"name":"NtFreeVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1b50000, RegionSize=0x0, FreeType=0x8000) -> PROCESS_IS_TERMINATING"},{"address":{"type":"call","value":[1180,1852,2596,1573]},"name":"NtFreeVirtualMemory(ProcessHandle=0x470, BaseAddress=0x1ba0000, RegionSize=0x0, FreeType=0x8000) -> PROCESS_IS_TERMINATING"},{"address":{"type":"call","value":[1180,1852,2596,1631]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{DD287560-1D3F-450C-ADB8-4D51C15D5E75}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1632]},"name":"NtOpenProcess(ProcessHandle=0x570, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2900) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1633]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x570, BaseAddress=0x0, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> PROCESS_IS_TERMINATING"},{"address":{"type":"call","value":[1180,1852,2596,1707]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4760000, RegionSize=0x20000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1714]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x158"},{"address":{"type":"call","value":[1180,1852,2596,1715]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,1716]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1717]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,1719]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1720]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1722]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1723]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1725]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1726]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1728]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1729]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1731]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1732]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1734]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1735]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1737]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1738]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1740]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1741]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1743]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1744]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1746]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1747]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1749]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1750]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1752]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1753]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1755]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1756]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1758]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1759]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1761]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{6182725B-398A-45B3-991F-6E4EF92107FC}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1762]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x896) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1764]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1765]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1767]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1768]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1770]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1771]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1773]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1774]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1779]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1780]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1788]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1789]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1791]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1792]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1800]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1801]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1803]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1804]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1806]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1807]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1809]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1810]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1812]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1813]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1815]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1816]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1818]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1819]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1821]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1822]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1824]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1825]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1831]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{E5AFF7DA-261E-4E7C-ADDC-820697EB5A2B}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1832]},"name":"NtOpenProcess(ProcessHandle=0x554, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2420) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1833]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x5d0000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1836]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x1fe0000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1839]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x300000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1842]},"name":"CreateRemoteThread(ProcessHandle=0x554, StartRoutine=0x300000, Parameter=0x1fe0000, CreationFlags=0x0, ThreadId=0x2996) -> 0x560"},{"address":{"type":"call","value":[1180,1852,2596,1848]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1849]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,1851]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8C5456C3-4637-476E-8200-24B510A46035}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,1854]},"name":"NtOpenProcess(ProcessHandle=0x554, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, 
ProcessIdentifier=0x2360) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1855]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x9e0000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1858]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x1f00000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1861]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x554, BaseAddress=0x930000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1864]},"name":"CreateRemoteThread(ProcessHandle=0x554, StartRoutine=0x930000, Parameter=0x1f00000, CreationFlags=0x0, ThreadId=0x240) -> 0x570"},{"address":{"type":"call","value":[1180,1852,2596,1866]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1887]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x158"},{"address":{"type":"call","value":[1180,1852,2596,1888]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,1935]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,1936]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ac000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2016]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4930000, RegionSize=0x27000, Protection=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2017]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x48000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2018]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x584"},{"address":{"type":"call","value":[1180,1852,2596,2019]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,2020]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2021]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,2023]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2024]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2026]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2027]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2029]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> 
OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2030]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2032]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2033]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2035]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2036]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2038]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2039]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2041]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2042]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> 
ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2044]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2045]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2047]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2048]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2050]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2051]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2053]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2054]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2056]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2057]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2059]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2060]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2062]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2063]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2065]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2066]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2068]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2069]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2071]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2072]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2074]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2075]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2080]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2081]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2089]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2090]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2092]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2093]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2101]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2102]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2104]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2105]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2107]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2108]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2110]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2111]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2113]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2114]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2116]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2117]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2119]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2120]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2122]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2123]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2125]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2126]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2132]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2133]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2171]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x49c"},{"address":{"type":"call","value":[1180,1852,2596,2172]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,2173]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2174]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,2176]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2177]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2179]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2180]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2182]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2183]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2185]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2186]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2188]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2189]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2191]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2192]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2194]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2195]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2197]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2198]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2200]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2201]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2203]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2204]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2206]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2207]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2209]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2210]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2212]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2213]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2215]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2216]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2218]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2219]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2221]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2222]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2224]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2225]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2227]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2228]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2233]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2234]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2242]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2243]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2245]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2246]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2254]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2255]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2257]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2258]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2260]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2261]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2263]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2264]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2266]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2267]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2269]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2270]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2272]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2273]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2275]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2276]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2278]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2279]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2285]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2286]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2289]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2290]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x49c"},{"address":{"type":"call","value":[1180,1852,2596,2291]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,2335]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2377]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x48000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,2378]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x464"},{"address":{"type":"call","value":[1180,1852,2596,2379]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,2380]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2381]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,2383]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2384]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2386]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2387]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2389]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2390]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> 
ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2392]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2393]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2395]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2396]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2398]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2399]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2401]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2402]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2404]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2405]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2407]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2408]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2410]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2411]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2413]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2414]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2416]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2417]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2419]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2420]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2422]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2423]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2425]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2426]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2428]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2429]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2431]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2432]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2434]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2435]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2440]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2441]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2449]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2450]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2452]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2453]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2461]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2462]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2464]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2465]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2467]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2468]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2470]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2471]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2473]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2474]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2476]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2477]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2479]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2480]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2482]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2483]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2485]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2486]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2492]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2493]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2747]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x600"},{"address":{"type":"call","value":[1180,1852,2596,2748]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,2749]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2750]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,2752]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2753]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2755]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2756]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2758]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2759]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2761]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2762]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2764]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2765]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2767]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2768]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2770]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2771]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2773]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2774]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2776]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2777]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2779]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2780]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2782]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2783]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2785]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2786]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2788]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2789]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2791]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2792]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2794]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2795]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2797]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2798]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2800]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2801]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2803]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2804]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2809]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2810]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2818]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2819]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2821]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2822]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2830]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2831]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2833]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2834]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2836]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2837]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2839]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2840]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2842]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2843]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2845]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2846]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2848]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2849]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2851]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2852]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2854]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2855]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2861]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2862]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,2864]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2E0734F3-983E-4A11-90E4-3D45A3EC902C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,2865]},"name":"NtOpenProcess(ProcessHandle=0x5f8, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2724) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2866]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4734000, RegionSize=0x4c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2867]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4969000, RegionSize=0x59000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2868]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5f8, BaseAddress=0x6d0000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2873]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5f8, BaseAddress=0x31c0000, RegionSize=0x29000, 
Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2879]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5f8, BaseAddress=0x370000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,2887]},"name":"CreateRemoteThread(ProcessHandle=0x5f8, StartRoutine=0x370000, Parameter=0x31c0000, CreationFlags=0x0, ThreadId=0x2016) -> 0x608"},{"address":{"type":"call","value":[1180,1852,2596,2889]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3115]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{3CA4AFF5-4F76-4722-AE9B-2AB9CAFB0E5D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3116]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1912) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,3118]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{756DFDAD-0A55-41CE-8C73-60F1BCD1ACB5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3119]},"name":"NtOpenProcess(ProcessHandle=0x5b8, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2800) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3120]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5b8, BaseAddress=0x3e0000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3123]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5b8, BaseAddress=0x660000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,3190]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5b8, BaseAddress=0x210000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3193]},"name":"CreateRemoteThread(ProcessHandle=0x5b8, StartRoutine=0x210000, Parameter=0x660000, CreationFlags=0x0, ThreadId=0x3044) -> 0x58c"},{"address":{"type":"call","value":[1180,1852,2596,3203]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E3D6183-AF65-47D6-883F-239192228356}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3204]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2660) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,3207]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a3d000, RegionSize=0x1c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3208]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3209]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x600"},{"address":{"type":"call","value":[1180,1852,2596,3210]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,3254]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3360]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x48000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,3361]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x644"},{"address":{"type":"call","value":[1180,1852,2596,3362]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,3363]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3364]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,3366]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3367]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3369]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3370]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3372]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3373]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> 
ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3375]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3376]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3378]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3379]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3381]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3382]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3384]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3385]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3387]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3388]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3390]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3391]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3393]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3394]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3396]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3397]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3399]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3400]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3402]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3403]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3405]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3406]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3408]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3409]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3411]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3412]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3414]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3415]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3417]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3418]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3423]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3424]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3432]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3433]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3435]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3436]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3444]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3445]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3447]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3448]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3450]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3451]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3453]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3454]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3456]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3457]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3459]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3460]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3462]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3463]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3465]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3466]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3468]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3469]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3475]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3476]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3498]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x644"},{"address":{"type":"call","value":[1180,1852,2596,3499]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,3500]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3501]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,3503]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3504]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3506]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3507]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3509]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3510]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3512]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3513]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3515]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3516]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3518]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3519]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3521]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3522]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3524]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3525]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3527]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3528]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3530]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3531]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3533]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3534]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3536]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3537]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3539]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3540]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3542]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3543]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3545]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3546]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3548]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3549]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3551]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3552]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3554]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3555]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3560]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3561]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3569]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3570]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3572]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3573]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3581]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3582]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3584]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3585]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3587]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3588]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3590]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3591]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3593]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3594]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3596]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3597]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3599]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3600]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3602]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3603]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3605]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3606]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3612]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3613]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3616]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3617]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x644"},{"address":{"type":"call","value":[1180,1852,2596,3618]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,3662]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3859]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x48000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,3860]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x674"},{"address":{"type":"call","value":[1180,1852,2596,3861]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2596,3862]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3863]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,3865]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3866]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3868]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3869]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3871]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3872]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3874]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3875]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3877]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3878]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3880]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3881]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3883]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3884]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3886]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3887]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3889]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3890]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3892]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3893]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3895]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3896]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3898]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3899]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3901]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3902]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3904]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3905]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3907]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3908]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3910]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3911]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3913]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3914]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3916]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3917]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3922]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3923]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3931]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3932]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3934]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3935]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3943]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3944]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3946]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3947]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3949]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3950]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3952]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3953]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3955]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3956]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3958]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3959]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3961]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3962]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3964]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3965]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3967]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3968]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,3974]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,3975]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4064]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x688"},{"address":{"type":"call","value":[1180,1852,2596,4065]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,4066]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4067]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,4069]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4070]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4072]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4073]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4075]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4076]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4078]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4079]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4081]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4082]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4084]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4085]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4087]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4088]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4090]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4091]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4093]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4094]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4096]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4097]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4099]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4100]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4102]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4103]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4105]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4106]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4108]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4109]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4111]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4112]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4114]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4115]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4117]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4118]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4120]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4121]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4126]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4127]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4135]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4136]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4138]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4139]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4147]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4148]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4150]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4151]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4153]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4154]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4156]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4157]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4159]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4160]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4162]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4163]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4165]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4166]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4168]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4169]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4171]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4172]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4178]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4179]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4182]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4183]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x688"},{"address":{"type":"call","value":[1180,1852,2596,4184]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,4228]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4588]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x48000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4589]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x64c"},{"address":{"type":"call","value":[1180,1852,2596,4590]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,4591]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> 
OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4592]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,4594]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4595]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4597]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4598]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4600]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4601]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4603]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4604]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> 
ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4606]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4607]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4609]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4610]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4612]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4613]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4615]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4616]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4618]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4619]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4621]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4622]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4624]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4625]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4627]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4628]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4630]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4631]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4633]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4634]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4636]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4637]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4639]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4640]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4642]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4643]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4645]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4646]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4651]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4652]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4660]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4661]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4663]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4664]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4672]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4673]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4675]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4676]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4678]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4679]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4681]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4682]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4684]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4685]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4687]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4688]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4690]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4691]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4693]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4694]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4696]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4697]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4703]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4704]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4731]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, 
ProcessId=0x0) -> 0x5c0"},{"address":{"type":"call","value":[1180,1852,2596,4732]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,4733]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9CBBA717-D68B-41A2-9229-6F961879276D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4734]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x0) -> INVALID_CID"},{"address":{"type":"call","value":[1180,1852,2596,4736]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{28F0CE01-D1A1-492A-9E0A-F41EDD20D69C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4737]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x4) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4739]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1A6BC459-9186-4191-A527-F20891D84C83}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4740]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x228) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4742]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{7CE010EA-F6F3-4F06-9A1A-FC0B77815501}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4743]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x312) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4745]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{2668735D-A435-46F5-8018-1EAC05F8EEC2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4746]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x348) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4748]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{1ECC4A7C-10F7-4FC6-8F7B-8F9DDCC90CE0}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4749]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x356) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4751]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{D7277347-BDFA-458B-8A05-1E3DA361731D}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4752]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x404) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4754]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{E3CE8889-BEEE-4C91-9EE0-1C391988F2DA}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4755]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x432) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4757]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{8F46B20B-B0D8-43BC-A24A-925102D3C65F}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4758]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x456) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4760]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{9E2D9763-19FB-4581-8024-3A77FE0AEDD5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4761]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x464) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4763]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CB99E21B-3805-43CD-8F5A-46294A19D564}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4764]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x560) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4766]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{A691D25E-3EE1-414B-8277-CF4B9EF54488}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4767]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x628) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4769]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{4C0FB690-CCBB-4503-9D90-913158BE2F01}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4770]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x696) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4772]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{92C5C150-8E5E-45B7-AC64-20679758F82C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4773]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x792) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4775]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C3F9B389-08A6-4613-88FE-338B644B3D24}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4776]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x816) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4778]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49271C9F-3DEC-4558-AE6F-E9737C66CF48}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4779]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x972) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4781]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{786077BC-E071-41BD-A78E-F1A8EDFA24A2}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4782]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x300) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4784]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{78D98CDD-0D6D-48F7-9D70-705E359860FF}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4785]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x276) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4787]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{16B69167-78A1-457E-960C-DF7DFB605A07}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4788]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1064) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4793]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{10FB1D85-D2F1-44DF-AEAB-92623F8A9E42}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4794]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1208) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4802]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F4BF379F-F7C8-4C6A-ADF2-237EDCF7B4AE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4803]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1440) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4805]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{5B66ED90-E8A1-4587-8621-DFA2F52576E5}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4806]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1672) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4814]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{9CCCD2AB-BDEC-479B-93EA-93066C3CDE00}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4815]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2020) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4817]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{29ECE9E4-7D71-41B3-A3E9-BB9894B39F3A}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4818]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1236) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4820]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{49932BC3-8612-4BEB-93B6-A1DF3A59169C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4821]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1104) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4823]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{569B32BE-2FDE-4CE1-A20E-393C4B7AAD18}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4824]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2052) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4826]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{2ADB636D-7EB2-4634-9243-03B3CC9EB530}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4827]},"name":"NtOpenProcess(ProcessHandle=0x0, 
DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2080) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4829]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{22130FDB-6483-4DF4-AE86-F712E531EA70}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4830]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2212) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4832]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{CEC711BF-FB73-4702-A324-A29FBBAF226C}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4833]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2364) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4835]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F694CB4D-7240-4FDA-A6E5-3085539639BE}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4836]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2956) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4838]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{FB0FB52D-55A0-457B-AC06-3FB7867793B1}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4839]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1060) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4845]},"name":"NtOpenEvent(Handle=0x0, 
EventName=\"{8228670C-D48E-467A-85FA-444AD4208610}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4846]},"name":"NtOpenProcess(ProcessHandle=0x0, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2820) -> ACCESS_DENIED"},{"address":{"type":"call","value":[1180,1852,2596,4848]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{916A8874-C269-4728-A7A4-74057E286671}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4849]},"name":"NtOpenProcess(ProcessHandle=0x5c8, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x500) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4850]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4734000, RegionSize=0x4c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4851]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4969000, RegionSize=0x59000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4852]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x590000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4855]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x600000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4858]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x1f10000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4861]},"name":"CreateRemoteThread(ProcessHandle=0x5c8, StartRoutine=0x1f10000, Parameter=0x600000, 
CreationFlags=0x0, ThreadId=0x2568) -> 0x694"},{"address":{"type":"call","value":[1180,1852,2596,4863]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4868]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{F5C75363-56B6-4DC2-AFF9-A353A46A0BB4}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4869]},"name":"NtOpenProcess(ProcessHandle=0x5c8, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1572) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4870]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x540000, RegionSize=0x28000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4879]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x24d0000, RegionSize=0x29000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4882]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x5c8, BaseAddress=0x1df0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4885]},"name":"CreateRemoteThread(ProcessHandle=0x5c8, StartRoutine=0x1df0000, Parameter=0x24d0000, CreationFlags=0x0, ThreadId=0x2932) -> 0x690"},{"address":{"type":"call","value":[1180,1852,2596,4924]},"name":"NtOpenEvent(Handle=0x0, EventName=\"{C16A09FC-AF49-48E2-8AAA-7B2DBAB9239B}\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2596,4925]},"name":"NtOpenProcess(ProcessHandle=0x57c, DesiredAccess=PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1912) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,4926]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4734000, RegionSize=0x4c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4927]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4969000, RegionSize=0x59000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4928]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x57c, BaseAddress=0x2110000, RegionSize=0x2c000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4932]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x57c, BaseAddress=0x2160000, RegionSize=0x2d000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4935]},"name":"NtAllocateVirtualMemory(ProcessHandle=0x57c, BaseAddress=0x2290000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4938]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x3840000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4939]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4690000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4940]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x46a0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,4943]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ab000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2596,5080]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a3d000, RegionSize=0x1c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,5081]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x5c0"},{"address":{"type":"call","value":[1180,1852,2596,5082]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2596,5129]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4933000, RegionSize=0x24000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2596,5130]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x47ac000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,764]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,764,296]},"name":"FindResourceEx(Module=0xc0000, Type=\"#10\", Name=0x1, Language=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,297]},"name":"FindResourceEx(Module=0xc0000, Type=\"#3\", Name=0x1, Language=0x0) -> 0xd7108"},{"address":{"type":"call","value":[1180,1852,764,303]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x49c9000, RegionSize=0x3f000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,304]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a10000, RegionSize=0x200000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,305]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a10000, RegionSize=0x10000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,306]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a20000, RegionSize=0x10000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,313]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a30000, RegionSize=0x2a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,314]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4a11000, RegionSize=0x1e000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,315]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x49ff000, RegionSize=0x8000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,316]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x750000, RegionSize=0x2f000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,318]},"name":"LdrLoadDll(Flags=0x0, FileName=\"IPHLPAPI.DLL\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,320]},"name":"LdrGetProcedureAddress(ModuleName=\"IPHLPAPI.DLL\", ModuleHandle=0x757c0000, FunctionName=\"GetBestRoute\", Ordinal=0x0, FunctionAddress=0x757cec2e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,321]},"name":"LdrGetProcedureAddress(ModuleName=\"IPHLPAPI.DLL\", ModuleHandle=0x757c0000, FunctionName=\"GetIpAddrTable\", Ordinal=0x0, FunctionAddress=0x757c9bb0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,323]},"name":"LdrGetProcedureAddress(ModuleName=\"WS2_32.dll\", ModuleHandle=0x770b0000, FunctionName=\"getnameinfo\", Ordinal=0x0, FunctionAddress=0x770bb8b8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,330]},"name":"LdrGetProcedureAddress(ModuleName=\"WS2_32.dll\", 
ModuleHandle=0x770b0000, FunctionName=\"\", Ordinal=0x2, FunctionAddress=0x770b4582) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,332]},"name":"LdrGetProcedureAddress(ModuleName=\"WS2_32.dll\", ModuleHandle=0x770b0000, FunctionName=\"getaddrinfo\", Ordinal=0x0, FunctionAddress=0x770b4296) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,334]},"name":"LdrGetProcedureAddress(ModuleName=\"WS2_32.dll\", ModuleHandle=0x770b0000, FunctionName=\"freeaddrinfo\", Ordinal=0x0, FunctionAddress=0x770b4b1b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,336]},"name":"LdrGetProcedureAddress(ModuleName=\"WS2_32.dll\", ModuleHandle=0x770b0000, FunctionName=\"WSAIoctl\", Ordinal=0x0, FunctionAddress=0x770b2fe7) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,352]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"StrCmpNA\", Ordinal=0x0, FunctionAddress=0x76a8c57c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,353]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"PathCombineA\", Ordinal=0x0, FunctionAddress=0x76a8b136) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,354]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"PathMatchSpecA\", Ordinal=0x0, FunctionAddress=0x76a9af13) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,355]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"wvnsprintfW\", Ordinal=0x0, FunctionAddress=0x76aa066c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,356]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"wvnsprintfA\", Ordinal=0x0, FunctionAddress=0x76a8edfe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,358]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, 
FunctionName=\"CoTaskMemFree\", Ordinal=0x0, FunctionAddress=0x77596f61) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,359]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoCreateInstance\", Ordinal=0x0, FunctionAddress=0x77589c5b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,360]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoInitialize\", Ordinal=0x0, FunctionAddress=0x7755b576) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,361]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoInitializeSecurity\", Ordinal=0x0, FunctionAddress=0x77567179) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,362]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoInitializeEx\", Ordinal=0x0, FunctionAddress=0x7758097d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,363]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoUninitialize\", Ordinal=0x0, FunctionAddress=0x77588623) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,365]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"OpenEventA\", Ordinal=0x0, FunctionAddress=0x75af4945) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,366]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetThreadContext\", Ordinal=0x0, FunctionAddress=0x75b17b34) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,367]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetTickCount\", Ordinal=0x0, FunctionAddress=0x75af110c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,368]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"GetWindowsDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b12c7a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,369]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetEnvironmentVariableA\", Ordinal=0x0, FunctionAddress=0x75afe371) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,370]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleFileNameA\", Ordinal=0x0, FunctionAddress=0x75af1491) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,371]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetSystemInfo\", Ordinal=0x0, FunctionAddress=0x75af48ca) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,372]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,373]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WriteFile\", Ordinal=0x0, FunctionAddress=0x75af1282) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,374]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FlushFileBuffers\", Ordinal=0x0, FunctionAddress=0x75af5bab) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,375]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LocalAlloc\", Ordinal=0x0, FunctionAddress=0x75af1668) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,376]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcmpW\", Ordinal=0x0, FunctionAddress=0x75af5271) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,377]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"GetFileAttributesW\", Ordinal=0x0, FunctionAddress=0x75af1af4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,378]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetFileAttributesA\", Ordinal=0x0, FunctionAddress=0x75b0f06b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,379]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CopyFileA\", Ordinal=0x0, FunctionAddress=0x75b15a5d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,380]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ResumeThread\", Ordinal=0x0, FunctionAddress=0x75af445e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,381]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetExitCodeProcess\", Ordinal=0x0, FunctionAddress=0x75b0178d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,382]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcpyW\", Ordinal=0x0, FunctionAddress=0x75b13272) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,383]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcpyA\", Ordinal=0x0, FunctionAddress=0x75b12c0a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,384]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrlenA\", Ordinal=0x0, FunctionAddress=0x75af59d3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,385]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetEvent\", Ordinal=0x0, FunctionAddress=0x75af16a1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,386]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"CreateEventA\", Ordinal=0x0, FunctionAddress=0x75af27ec) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,387]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcmpA\", Ordinal=0x0, FunctionAddress=0x75b0f083) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,388]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ResetEvent\", Ordinal=0x0, FunctionAddress=0x75af16b9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,389]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateMutexA\", Ordinal=0x0, FunctionAddress=0x75af4b6b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,390]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SleepEx\", Ordinal=0x0, FunctionAddress=0x75af1215) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,391]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"TerminateThread\", Ordinal=0x0, FunctionAddress=0x75af7a47) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,392]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetExitCodeThread\", Ordinal=0x0, FunctionAddress=0x75b0d615) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,393]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DuplicateHandle\", Ordinal=0x0, FunctionAddress=0x75af1862) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,394]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentThread\", Ordinal=0x0, FunctionAddress=0x75af17c8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,395]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentProcess\", Ordinal=0x0, FunctionAddress=0x75af17e5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,396]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Sleep\", Ordinal=0x0, FunctionAddress=0x75af10ff) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,397]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcatA\", Ordinal=0x0, FunctionAddress=0x75b12cea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,398]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"MoveFileA\", Ordinal=0x0, FunctionAddress=0x75b6dfc9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,399]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"MoveFileExA\", Ordinal=0x0, FunctionAddress=0x75b1ba61) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,400]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetLastError\", Ordinal=0x0, FunctionAddress=0x75af11c0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,401]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetThreadPriority\", Ordinal=0x0, FunctionAddress=0x75af281b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,402]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetEnvironmentVariableA\", Ordinal=0x0, FunctionAddress=0x75af3423) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,403]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcpynW\", Ordinal=0x0, FunctionAddress=0x75b1bffe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,404]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"lstrlenW\", Ordinal=0x0, FunctionAddress=0x75af16dc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,405]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcatW\", Ordinal=0x0, FunctionAddress=0x75b183ee) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,406]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcmpiW\", Ordinal=0x0, FunctionAddress=0x75b0d62d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,407]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DisconnectNamedPipe\", Ordinal=0x0, FunctionAddress=0x75b74a6f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,408]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReadFile\", Ordinal=0x0, FunctionAddress=0x75af3fe5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,409]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ConnectNamedPipe\", Ordinal=0x0, FunctionAddress=0x75b7498b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,410]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateNamedPipeA\", Ordinal=0x0, FunctionAddress=0x75b71f17) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,411]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ExitProcess\", Ordinal=0x0, FunctionAddress=0x75af7a28) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,412]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CloseHandle\", Ordinal=0x0, FunctionAddress=0x75af13f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,413]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"WaitForSingleObject\", Ordinal=0x0, FunctionAddress=0x75af1136) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,414]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcessId\", Ordinal=0x0, FunctionAddress=0x75b1b732) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,415]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"TerminateProcess\", Ordinal=0x0, FunctionAddress=0x75b0d862) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,416]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentProcessId\", Ordinal=0x0, FunctionAddress=0x75af11f8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,417]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateThread\", Ordinal=0x0, FunctionAddress=0x75af24e4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,418]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateEventW\", Ordinal=0x0, FunctionAddress=0x75af181a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,419]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateFileA\", Ordinal=0x0, FunctionAddress=0x75af5db6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,420]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetLocalTime\", Ordinal=0x0, FunctionAddress=0x75af5a2e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,421]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LoadLibraryA\", Ordinal=0x0, FunctionAddress=0x75af48d7) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,422]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetComputerNameA\", Ordinal=0x0, FunctionAddress=0x75b0b748) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,423]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DeleteFileA\", Ordinal=0x0, FunctionAddress=0x75af5e34) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,424]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b1bfce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,425]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DeleteFileW\", Ordinal=0x0, FunctionAddress=0x75af89cb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,426]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LeaveCriticalSection\", Ordinal=0x0, FunctionAddress=0x77d222b0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,427]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"EnterCriticalSection\", Ordinal=0x0, FunctionAddress=0x77d222f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,428]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WaitForMultipleObjects\", Ordinal=0x0, FunctionAddress=0x75af2684) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,429]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"InitializeCriticalSection\", Ordinal=0x0, FunctionAddress=0x77d342f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,430]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetComputerNameW\", 
Ordinal=0x0, FunctionAddress=0x75afdd4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,431]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DeleteCriticalSection\", Ordinal=0x0, FunctionAddress=0x77d33d8d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,432]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetVersionExA\", Ordinal=0x0, FunctionAddress=0x75af2528) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,433]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcmpiA\", Ordinal=0x0, FunctionAddress=0x75af3e7c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,434]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"HeapAlloc\", Ordinal=0x0, FunctionAddress=0x77d2e0e6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,435]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcessHeap\", Ordinal=0x0, FunctionAddress=0x75af14c9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,436]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"HeapReAlloc\", Ordinal=0x0, FunctionAddress=0x77d3c7a0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,437]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"HeapFree\", Ordinal=0x0, FunctionAddress=0x75af14a9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,438]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"QueryPerformanceCounter\", Ordinal=0x0, FunctionAddress=0x75af1701) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,439]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"QueryPerformanceFrequency\", Ordinal=0x0, FunctionAddress=0x75af2654) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,440]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetFileSize\", Ordinal=0x0, FunctionAddress=0x75af194a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,441]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetFileAttributesA\", Ordinal=0x0, FunctionAddress=0x75af5e04) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,442]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"HeapCreate\", Ordinal=0x0, FunctionAddress=0x75af492d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,443]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,444]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetSystemTimeAsFileTime\", Ordinal=0x0, FunctionAddress=0x75af2518) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,445]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FreeLibrary\", Ordinal=0x0, FunctionAddress=0x75af24d7) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,446]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SystemTimeToFileTime\", Ordinal=0x0, FunctionAddress=0x75af5a06) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,447]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetSystemTime\", Ordinal=0x0, FunctionAddress=0x75af5a1e) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,448]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"MultiByteToWideChar\", Ordinal=0x0, FunctionAddress=0x75af190a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,449]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleHandleA\", Ordinal=0x0, FunctionAddress=0x75af1245) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,450]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WideCharToMultiByte\", Ordinal=0x0, FunctionAddress=0x75af16e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,451]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReleaseMutex\", Ordinal=0x0, FunctionAddress=0x75af111e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,452]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LoadResource\", Ordinal=0x0, FunctionAddress=0x75af5294) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,453]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SizeofResource\", Ordinal=0x0, FunctionAddress=0x75af5a51) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,454]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindResourceA\", Ordinal=0x0, FunctionAddress=0x75b0e8cb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,455]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"lstrcpynA\", Ordinal=0x0, FunctionAddress=0x75b0196a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,456]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetFilePointer\", Ordinal=0x0, 
FunctionAddress=0x75af17ad) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,458]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"MessageBoxW\", Ordinal=0x0, FunctionAddress=0x777bfdcf) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,459]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"CharUpperBuffA\", Ordinal=0x0, FunctionAddress=0x7776fe5f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,460]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"MessageBoxA\", Ordinal=0x0, FunctionAddress=0x777bfdae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,461]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"DialogBoxParamA\", Ordinal=0x0, FunctionAddress=0x777acba4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,462]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"DialogBoxParamW\", Ordinal=0x0, FunctionAddress=0x7778daca) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,463]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"GetWindowTextA\", Ordinal=0x0, FunctionAddress=0x77770041) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,464]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"GetWindowTextW\", Ordinal=0x0, FunctionAddress=0x77771e87) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,465]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"GetWindowLongA\", Ordinal=0x0, FunctionAddress=0x7776d166) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,466]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"FindWindowA\", Ordinal=0x0, 
FunctionAddress=0x7776fffe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,467]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"PostMessageA\", Ordinal=0x0, FunctionAddress=0x77774bbc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,469]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"GetTokenInformation\", Ordinal=0x0, FunctionAddress=0x776b424c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,470]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegCloseKey\", Ordinal=0x0, FunctionAddress=0x776b45cd) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,471]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegQueryInfoKeyA\", Ordinal=0x0, FunctionAddress=0x776ae0ab) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,472]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"InitializeSecurityDescriptor\", Ordinal=0x0, FunctionAddress=0x776b4550) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,473]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetSecurityDescriptorDacl\", Ordinal=0x0, FunctionAddress=0x776b408e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,474]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"ConvertStringSecurityDescriptorToSecurityDescriptorW\", Ordinal=0x0, FunctionAddress=0x776b1e89) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,475]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"GetSecurityDescriptorSacl\", Ordinal=0x0, FunctionAddress=0x776b4538) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,476]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetSecurityInfo\", Ordinal=0x0, FunctionAddress=0x776a9e47) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,477]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"GetSidSubAuthorityCount\", Ordinal=0x0, FunctionAddress=0x776b0d3f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,478]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"GetSidSubAuthority\", Ordinal=0x0, FunctionAddress=0x776b0d57) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,479]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegEnumKeyExA\", Ordinal=0x0, FunctionAddress=0x776b13b1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,480]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"OpenThreadToken\", Ordinal=0x0, FunctionAddress=0x776b425c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,481]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"OpenProcessToken\", Ordinal=0x0, FunctionAddress=0x776b4234) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,482]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"EqualSid\", Ordinal=0x0, FunctionAddress=0x776b403b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,483]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"CryptAcquireContextA\", Ordinal=0x0, FunctionAddress=0x776a9143) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,484]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"GetUserNameW\", Ordinal=0x0, 
FunctionAddress=0x776b14aa) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,505]},"name":"HeapCreate(Options=0x0, InitialSize=0x80000, MaximumSize=0x0) -> 0x4d80000"},{"address":{"type":"call","value":[1180,1852,764,506]},"name":"NtCreateEvent(Handle=0x15c, EventName=\"uIjiFtq\", EventType=0x1, InitialState=0x0) -> 0x40000000"},{"address":{"type":"call","value":[1180,1852,764,507]},"name":"NtCreateEvent(Handle=0x168, EventName=\"dkncd2gaf\", EventType=0x1, InitialState=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,512]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleHandleA\", Ordinal=0x0, FunctionAddress=0x75af1245) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,514]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,515]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateToolhelp32Snapshot\", Ordinal=0x0, FunctionAddress=0x75b174bf) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,516]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Process32First\", Ordinal=0x0, FunctionAddress=0x75b18c53) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,517]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Process32Next\", Ordinal=0x0, FunctionAddress=0x75b189aa) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,518]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"Module32First\", Ordinal=0x0, FunctionAddress=0x75b76571) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,519]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"Module32Next\", Ordinal=0x0, FunctionAddress=0x75b7665a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,520]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateRemoteThread\", Ordinal=0x0, FunctionAddress=0x75b749fb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,521]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WriteProcessMemory\", Ordinal=0x0, FunctionAddress=0x75b0da40) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,522]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReadProcessMemory\", Ordinal=0x0, FunctionAddress=0x75b0d034) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,523]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"OpenProcess\", Ordinal=0x0, FunctionAddress=0x75af1962) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,524]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,525]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualFreeEx\", Ordinal=0x0, FunctionAddress=0x75b0da28) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,526]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualProtect\", Ordinal=0x0, FunctionAddress=0x75af43ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,527]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WaitForSingleObject\", Ordinal=0x0, FunctionAddress=0x75af1136) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,528]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", 
ModuleHandle=0x75ae0000, FunctionName=\"SetLastError\", Ordinal=0x0, FunctionAddress=0x75af11a9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,529]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b1bf9e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,530]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetCurrentDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b01874) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,531]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateProcessA\", Ordinal=0x0, FunctionAddress=0x75af1072) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,532]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetModuleFileNameA\", Ordinal=0x0, FunctionAddress=0x75af1491) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,533]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetFilePointer\", Ordinal=0x0, FunctionAddress=0x75af17ad) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,534]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SetEndOfFile\", Ordinal=0x0, FunctionAddress=0x75b0ce96) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,535]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindFirstFileA\", Ordinal=0x0, FunctionAddress=0x75afe30e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,536]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindNextFileA\", Ordinal=0x0, FunctionAddress=0x75b1bfe6) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,537]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"FindClose\", Ordinal=0x0, FunctionAddress=0x75af44b1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,538]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateFileA\", Ordinal=0x0, FunctionAddress=0x75af5db6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,539]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateFileW\", Ordinal=0x0, FunctionAddress=0x75af4074) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,540]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ReadFile\", Ordinal=0x0, FunctionAddress=0x75af3fe5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,541]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"WriteFile\", Ordinal=0x0, FunctionAddress=0x75af1282) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,542]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CloseHandle\", Ordinal=0x0, FunctionAddress=0x75af13f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,543]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"DeleteFileA\", Ordinal=0x0, FunctionAddress=0x75af5e34) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,544]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LoadLibraryA\", Ordinal=0x0, FunctionAddress=0x75af48d7) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,545]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetCurrentThreadId\", Ordinal=0x0, FunctionAddress=0x75af1430) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,546]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"MoveFileA\", Ordinal=0x0, FunctionAddress=0x75b6dfc9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,547]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"LocalFree\", Ordinal=0x0, FunctionAddress=0x75af2f4c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,548]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateDirectoryA\", Ordinal=0x0, FunctionAddress=0x75b1bfce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,549]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetVolumeInformationA\", Ordinal=0x0, FunctionAddress=0x75b16f43) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,550]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"CreateThread\", Ordinal=0x0, FunctionAddress=0x75af24e4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,551]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"OpenThread\", Ordinal=0x0, FunctionAddress=0x75b01288) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,552]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"ExpandEnvironmentStringsA\", Ordinal=0x0, FunctionAddress=0x75b0eed1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,553]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualProtectEx\", Ordinal=0x0, FunctionAddress=0x75b74e4f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,554]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"InterlockedCompareExchange\", Ordinal=0x0, 
FunctionAddress=0x75af1464) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,555]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ntdll.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,556]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77d00000, FunctionName=\"ZwQueryInformationThread\", Ordinal=0x0, FunctionAddress=0x77d1fc38) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,557]},"name":"LdrLoadDll(Flags=0x0, FileName=\"advapi32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,558]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"AdjustTokenPrivileges\", Ordinal=0x0, FunctionAddress=0x776b40be) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,559]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegOpenKeyExA\", Ordinal=0x0, FunctionAddress=0x776b483b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,560]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegCreateKeyExA\", Ordinal=0x0, FunctionAddress=0x776b1399) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,561]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegQueryInfoKeyA\", Ordinal=0x0, FunctionAddress=0x776ae0ab) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,562]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegEnumValueA\", Ordinal=0x0, FunctionAddress=0x776aceb1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,563]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegEnumKeyExA\", Ordinal=0x0, FunctionAddress=0x776b13b1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,564]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", 
ModuleHandle=0x776a0000, FunctionName=\"RegSetValueExA\", Ordinal=0x0, FunctionAddress=0x776b13e3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,565]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegQueryValueExA\", Ordinal=0x0, FunctionAddress=0x776b4823) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,566]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegCloseKey\", Ordinal=0x0, FunctionAddress=0x776b45cd) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,567]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegDeleteValueA\", Ordinal=0x0, FunctionAddress=0x776ca46a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,568]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"AllocateAndInitializeSid\", Ordinal=0x0, FunctionAddress=0x776b4016) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,569]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetEntriesInAclA\", Ordinal=0x0, FunctionAddress=0x776f18f9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,570]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"SetNamedSecurityInfoA\", Ordinal=0x0, FunctionAddress=0x776f18b0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,571]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"FreeSid\", Ordinal=0x0, FunctionAddress=0x776b405e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,572]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"LookupAccountSidA\", Ordinal=0x0, FunctionAddress=0x776e207c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,573]},"name":"LdrLoadDll(Flags=0x0, 
FileName=\"shell32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,574]},"name":"LdrGetProcedureAddress(ModuleName=\"SHELL32.dll\", ModuleHandle=0x75d70000, FunctionName=\"ShellExecuteA\", Ordinal=0x0, FunctionAddress=0x75fb8790) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,576]},"name":"LdrLoadDll(Flags=0x0, FileName=\"API-MS-Win-Security-LSALookup-L1-1-0.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,577]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"LookupAccountSidLocalA\", Ordinal=0x0, FunctionAddress=0x76d504c6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,578]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x170, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,579]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x9fd000, RegionSize=0x7000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,587]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"IsWow64Process\", Ordinal=0x0, FunctionAddress=0x75af193a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,589]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x19c"},{"address":{"type":"call","value":[1180,1852,764,590]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,764,591]},"name":"NtQueryValueKey(KeyHandle=0x2c, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,764,592]},"name":"LdrLoadDll(Flags=0x0, FileName=\"kernel32.dll\", BaseAddress=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,764,593]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SortGetHandle\", Ordinal=0x0, FunctionAddress=0x75af71b4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,594]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"SortCloseHandle\", Ordinal=0x0, FunctionAddress=0x75b8c410) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,595]},"name":"NtCreateFile(FileHandle=0x1a0, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,597]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4e00000, SectionOffset=0x47ee508, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,731]},"name":"LdrLoadDll(Flags=0x0, FileName=\"msvcrt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,732]},"name":"LdrGetProcedureAddress(ModuleName=\"msvcrt.dll\", ModuleHandle=0x75cc0000, FunctionName=\"iswlower\", Ordinal=0x0, FunctionAddress=0x75cef796) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,733]},"name":"LdrGetProcedureAddress(ModuleName=\"msvcrt.dll\", ModuleHandle=0x75cc0000, FunctionName=\"_wcsicmp\", Ordinal=0x0, FunctionAddress=0x75cca9e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,764,734]},"name":"CreateThread(StartRoutine=0x75743b, Parameter=0x0, CreationFlags=0x0, ThreadId=0x1156) -> 0x19c"},{"address":{"type":"call","value":[1180,1852,764,741]},"name":"NtTerminateThread(ThreadHandle=0x0, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 
0x0"}]},{"address":{"type":"thread","value":[1180,1852,1156]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1156,742]},"name":"NtCreateFile(FileHandle=0x16c, DesiredAccess=GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Local\\Temp\\~jxoqwn.tmp\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,745]},"name":"LdrLoadDll(Flags=0x0, FileName=\"CRYPTSP.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,746]},"name":"LdrGetProcedureAddress(ModuleName=\"CRYPTSP.dll\", ModuleHandle=0x73d40000, FunctionName=\"CryptAcquireContextA\", Ordinal=0x0, FunctionAddress=0x73d44a53) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,748]},"name":"NtCreateEvent(Handle=0x1a4, EventName=\"2jxoqwn1852\", EventType=0x1, InitialState=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,750]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,751]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,753]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,754]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,755]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,756]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,757]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,758]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,759]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,760]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,761]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,762]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,763]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,764]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, 
FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,765]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,766]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,767]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,768]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,769]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,770]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,772]},"name":"FindResourceEx(Module=0x750000, Type=\"#10\", Name=0x8, Language=0x0) -> 0x77b0a8"},{"address":{"type":"call","value":[1180,1852,1156,775]},"name":"NtCreateMutant(Handle=0x1b8, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,779]},"name":"NtCreateFile(FileHandle=0x1bc, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,780]},"name":"NtQueryInformationFile(FileHandle=0x1bc, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", FileInformationClass=FileStandardInformation, FileInformation=\"`\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,783]},"name":"NtClose(Handle=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,1156,790]},"name":"NtCreateMutant(Handle=0x1bc, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,796]},"name":"NtCreateMutant(Handle=0x1e4, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,797]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", Handle=0x1e8, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,802]},"name":"NtOpenFile(FileHandle=0x1e8, DesiredAccess=SYNCHRONIZE, FileName=\"C:\\\", ShareAccess=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,803]},"name":"NtQueryInformationFile(FileHandle=0x1e8, HandleName=\"C:\\\", FileInformationClass=FileNameInformation, FileInformation=\"\\x02\\x00\\x00\\x00\\\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,806]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x32e0000, RegionSize=0x81000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,807]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"System\\CurrentControlSet\\Control\\LSA\\AccessProviders\", Handle=0x1e8, FullName=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,810]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ntmarta.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,812]},"name":"LdrGetProcedureAddress(ModuleName=\"ntmarta.dll\", ModuleHandle=0x74a20000, FunctionName=\"GetMartaExtensionInterface\", Ordinal=0x0, FunctionAddress=0x74a221f2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,819]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99ba0, CreationFlags=0x0, ThreadId=0x2788) -> 0x224"},{"address":{"type":"call","value":[1180,1852,1156,822]},"name":"NtCreateMutant(Handle=0x22c, MutexName=\"\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,826]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,828]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99bc0, CreationFlags=0x0, ThreadId=0x828) -> 0x234"},{"address":{"type":"call","value":[1180,1852,1156,834]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,836]},"name":"NtWaitForSingleObject(Handle=0x234, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,838]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99be0, CreationFlags=0x0, ThreadId=0x1028) -> 0x23c"},{"address":{"type":"call","value":[1180,1852,1156,847]},"name":"NtCreateFile(FileHandle=0x0, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\teoumiow.awt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1156,860]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,862]},"name":"NtWaitForSingleObject(Handle=0x234, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,864]},"name":"NtWaitForSingleObject(Handle=0x23c, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,866]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c00, CreationFlags=0x0, ThreadId=0x2832) -> 0x244"},{"address":{"type":"call","value":[1180,1852,1156,888]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,889]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,890]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,891]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,892]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,893]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,894]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,895]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,896]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,897]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,898]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,899]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,900]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,901]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,902]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,903]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, 
FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,904]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,905]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,906]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,907]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,912]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,914]},"name":"NtWaitForSingleObject(Handle=0x234, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,916]},"name":"NtWaitForSingleObject(Handle=0x23c, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,918]},"name":"NtWaitForSingleObject(Handle=0x244, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,920]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c20, CreationFlags=0x0, ThreadId=0x2828) -> 0x250"},{"address":{"type":"call","value":[1180,1852,1156,929]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5400000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,930]},"name":"NtCreateFile(FileHandle=0x254, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", 
CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,1584]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c60, CreationFlags=0x0, ThreadId=0x1476) -> 0x554"},{"address":{"type":"call","value":[1180,1852,1156,1870]},"name":"FindResourceEx(Module=0x750000, Type=\"#10\", Name=0x10, Language=0x0) -> 0x77b088"},{"address":{"type":"call","value":[1180,1852,1156,1873]},"name":"NtCreateFile(FileHandle=0x0, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Local\\Microsoft\\jxoqwn.wpl\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1156,1877]},"name":"NtCreateFile(FileHandle=0x554, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Local\\Microsoft\\jxoqwn.wpl\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"no\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2344]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5e20000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2345]},"name":"NtCreateFile(FileHandle=0x49c, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2351]},"name":"NtOpenKey(KeyHandle=0x4c0, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, 
ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2353]},"name":"RegOpenKeyEx(Registry=0x4c2, SubKey=\"AppID\\explorer.exe\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\AppID\\explorer.exe\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1156,2563]},"name":"LdrLoadDll(Flags=0x0, FileName=\"SspiCli.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2564]},"name":"LdrGetProcedureAddress(ModuleName=\"SspiCli.dll\", ModuleHandle=0x75800000, FunctionName=\"GetUserNameExW\", Ordinal=0x0, FunctionAddress=0x7581a412) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2565]},"name":"NtQueryInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x00\\x00\\xfa~<\\x07\\x00\\x00\\x84\\x04\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\xff\\xff\\xff\\xff\", ThreadId=0x1156) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2567]},"name":"NtOpenKey(KeyHandle=0x484, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2568]},"name":"NtQueryValueKey(KeyHandle=0x484, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2573]},"name":"NtOpenKey(KeyHandle=0x4bc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, 
ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2575]},"name":"RegOpenKeyEx(Registry=0x4be, SubKey=\"AppID\\explorer.exe\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\AppID\\explorer.exe\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1156,2578]},"name":"NtQueryInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x00\\x00\\xfa~<\\x07\\x00\\x00\\x84\\x04\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\xff\\xff\\xff\\xff\", ThreadId=0x1156) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2592]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c60, CreationFlags=0x0, ThreadId=0x2656) -> 0x3e0"},{"address":{"type":"call","value":[1180,1852,1156,2602]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c80, CreationFlags=0x0, ThreadId=0x1020) -> 0x58c"},{"address":{"type":"call","value":[1180,1852,1156,2612]},"name":"NtOpenFile(FileHandle=0x594, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@adobe[1].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2613]},"name":"NtSetInformationFile(FileHandle=0x594, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@adobe[1].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2639]},"name":"NtOpenFile(FileHandle=0x594, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, 
FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@win-rar[2].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2640]},"name":"NtSetInformationFile(FileHandle=0x594, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@win-rar[2].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2673]},"name":"NtOpenFile(FileHandle=0x5d4, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2674]},"name":"NtSetInformationFile(FileHandle=0x5d4, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2724]},"name":"NtOpenFile(FileHandle=0x600, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@bing[2].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2725]},"name":"NtSetInformationFile(FileHandle=0x600, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@bing[2].txt\", FileInformationClass=FileBasicInformation, 
FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2729]},"name":"NtOpenFile(FileHandle=0x600, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@google[2].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2730]},"name":"NtSetInformationFile(FileHandle=0x600, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@google[2].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2876]},"name":"NtOpenFile(FileHandle=0x610, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@msn[2].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2877]},"name":"NtSetInformationFile(FileHandle=0x610, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@msn[2].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2884]},"name":"NtOpenFile(FileHandle=0x60c, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, 
FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@support.microsoft[1].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2885]},"name":"NtSetInformationFile(FileHandle=0x60c, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@support.microsoft[1].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2895]},"name":"NtOpenFile(FileHandle=0x60c, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@www.bing[1].txt\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2896]},"name":"NtSetInformationFile(FileHandle=0x60c, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@www.bing[1].txt\", FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2900]},"name":"NtOpenFile(FileHandle=0x60c, DesiredAccess=FILE_WRITE_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2901]},"name":"NtSetInformationFile(FileHandle=0x60c, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat\", 
FileInformationClass=FileBasicInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2933]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c60, CreationFlags=0x0, ThreadId=0x968) -> 0x5fc"},{"address":{"type":"call","value":[1180,1852,1156,2948]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5f30000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,2949]},"name":"NtCreateFile(FileHandle=0x5f4, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3679]},"name":"NtOpenKey(KeyHandle=0x64c, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3681]},"name":"RegOpenKeyEx(Registry=0x64e, SubKey=\"AppID\\explorer.exe\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\AppID\\explorer.exe\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1156,3684]},"name":"NtQueryInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x00\\x00\\xfa~<\\x07\\x00\\x00\\x84\\x04\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xff\\xff\\xff\\xff\", ThreadId=0x1156) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3686]},"name":"LdrLoadDll(Flags=0x0, 
FileName=\"SHLWAPI.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3687]},"name":"LdrGetProcedureAddress(ModuleName=\"SHLWAPI.dll\", ModuleHandle=0x76a60000, FunctionName=\"PathFindFileNameW\", Ordinal=0x0, FunctionAddress=0x76a7bb71) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3696]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c80, CreationFlags=0x0, ThreadId=0x2688) -> 0x650"},{"address":{"type":"call","value":[1180,1852,1156,3712]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99ca0, CreationFlags=0x0, ThreadId=0x1200) -> 0x658"},{"address":{"type":"call","value":[1180,1852,1156,3727]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6070000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,3728]},"name":"NtCreateFile(FileHandle=0x65c, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4947]},"name":"FindResourceEx(Module=0x750000, Type=\"#10\", Name=0x10, Language=0x0) -> 0x77b088"},{"address":{"type":"call","value":[1180,1852,1156,4952]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4ded000, RegionSize=0x12000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4953]},"name":"NtCreateFile(FileHandle=0x57c, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Local\\Microsoft\\jxoqwn.wpl\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1156,4956]},"name":"NtOpenKey(KeyHandle=0x5c8, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4958]},"name":"RegOpenKeyEx(Registry=0x5ca, SubKey=\"AppID\\explorer.exe\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\AppID\\explorer.exe\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1156,4961]},"name":"NtQueryInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x00\\x00\\xfa~<\\x07\\x00\\x00\\x84\\x04\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xff\\xff\\xff\\xff\", ThreadId=0x1156) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4964]},"name":"NtOpenKey(KeyHandle=0x57c, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4966]},"name":"RegOpenKeyEx(Registry=0x57e, SubKey=\"AppID\\explorer.exe\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\AppID\\explorer.exe\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1156,4969]},"name":"NtQueryInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x00\\x00\\xfa~<\\x07\\x00\\x00\\x84\\x04\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xff\\xff\\xff\\xff\", ThreadId=0x1156) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,4979]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c80, CreationFlags=0x0, ThreadId=0x1732) -> 
0x5c8"},{"address":{"type":"call","value":[1180,1852,1156,4995]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99cc0, CreationFlags=0x0, ThreadId=0x2444) -> 0x698"},{"address":{"type":"call","value":[1180,1852,1156,5010]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x64d0000, RegionSize=0x101000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1156,5026]},"name":"NtCreateFile(FileHandle=0x690, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqw.dat\", CreateDisposition=FILE_OVERWRITE_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,1028]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1028,939]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", Handle=0x238, FullName=\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,940]},"name":"RegQueryInfoKey(KeyHandle=0x238, Class=\"\", SubKeyCount=0x0, MaxSubKeyLength=0x0, MaxClassLength=0x0, ValueCount=0x0, MaxValueNameLength=0x0, MaxValueLength=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,944]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4d9e000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,945]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4da3000, RegionSize=0x5c000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,946]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", Handle=0x238, 
FullName=\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,947]},"name":"RegSetValueEx(Handle=0x238, ValueName=\"yfeaxxbea\", Type=REG_SZ, Buffer=\"\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\"\", BufferLength=0x61, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,2005]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", Handle=0x57c, FullName=\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,2006]},"name":"RegQueryInfoKey(KeyHandle=0x57c, Class=\"\", SubKeyCount=0x0, MaxSubKeyLength=0x0, MaxClassLength=0x0, ValueCount=0x1, MaxValueNameLength=0x9, MaxValueLength=0x122) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,2007]},"name":"RegEnumValue(Handle=0x57c, Index=0x0, ValueName=\"yfeaxxbea\", Data=\"\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\"\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,3481]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", Handle=0x644, FullName=\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,3482]},"name":"RegQueryInfoKey(KeyHandle=0x644, Class=\"\", SubKeyCount=0x0, MaxSubKeyLength=0x0, MaxClassLength=0x0, ValueCount=0x1, MaxValueNameLength=0x9, MaxValueLength=0x122) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,3483]},"name":"RegEnumValue(Handle=0x644, Index=0x0, ValueName=\"yfeaxxbea\", Data=\"\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\"\", 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,3488]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4de8000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,3489]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4ded000, RegionSize=0x12000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,4873]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", Handle=0x698, FullName=\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,4874]},"name":"RegQueryInfoKey(KeyHandle=0x698, Class=\"\", SubKeyCount=0x0, MaxSubKeyLength=0x0, MaxClassLength=0x0, ValueCount=0x1, MaxValueNameLength=0x9, MaxValueLength=0x122) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1028,4875]},"name":"RegEnumValue(Handle=0x698, Index=0x0, ValueName=\"yfeaxxbea\", Data=\"\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn.exe\"\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea\") -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,2828]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2828,1046]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0004"},{"address":{"type":"call","value":[1180,1852,2828,1049]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_CONNECT_RETRIES, Buffer=0x3) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,1050]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,1051]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_RECEIVE_TIMEOUT, Buffer=0x61a8) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,1053]},"name":"InternetConnect(InternetHandle=0xcc0004, ServerName=\"www.ip-adress.com\", ServerPort=0x80, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc000c"},{"address":{"type":"call","value":[1180,1852,2828,2364]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x1, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0004"},{"address":{"type":"call","value":[1180,1852,2828,2365]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_CONNECT_RETRIES, Buffer=0x3) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,2366]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,2367]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_RECEIVE_TIMEOUT, Buffer=0x61a8) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,2369]},"name":"InternetConnect(InternetHandle=0xcc0004, ServerName=\"www.ip-adress.com\", ServerPort=0x80, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc000c"},{"address":{"type":"call","value":[1180,1852,2828,4237]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5c92000, RegionSize=0x3e000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2828,4238]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5d13000, 
RegionSize=0x21000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2828,4239]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x6300000, RegionSize=0x102000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2828,4241]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x4c4"},{"address":{"type":"call","value":[1180,1852,2828,4242]},"name":"Process32First(ProcessName=\"[System Process]\", ProcessId=0x0) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4293]},"name":"Module32First(ModuleName=\"pyw.exe\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4294]},"name":"Module32Next(ModuleName=\"ntdll.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4295]},"name":"Module32Next(ModuleName=\"kernel32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4296]},"name":"Module32Next(ModuleName=\"KERNELBASE.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4297]},"name":"Module32Next(ModuleName=\"VERSION.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4298]},"name":"Module32Next(ModuleName=\"msvcrt.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4299]},"name":"Module32Next(ModuleName=\"USER32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4300]},"name":"Module32Next(ModuleName=\"GDI32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4301]},"name":"Module32Next(ModuleName=\"LPK.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4302]},"name":"Module32Next(ModuleName=\"USP10.dll\", 
ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4303]},"name":"Module32Next(ModuleName=\"ADVAPI32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4304]},"name":"Module32Next(ModuleName=\"sechost.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4305]},"name":"Module32Next(ModuleName=\"RPCRT4.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4306]},"name":"Module32Next(ModuleName=\"SspiCli.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4307]},"name":"Module32Next(ModuleName=\"CRYPTBASE.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4308]},"name":"Module32Next(ModuleName=\"SHELL32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4309]},"name":"Module32Next(ModuleName=\"SHLWAPI.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4310]},"name":"Module32Next(ModuleName=\"IMM32.DLL\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4311]},"name":"Module32Next(ModuleName=\"MSCTF.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4312]},"name":"Module32Next(ModuleName=\"api-ms-win-core-synch-l1-2-0.DLL\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4313]},"name":"Module32Next(ModuleName=\"ole32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4314]},"name":"Module32Next(ModuleName=\"apphelp.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4315]},"name":"Module32Next(ModuleName=\"CRYPT32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4316]},"name":"Module32Next(ModuleName=\"MSASN1.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4317]},"name":"Module32Next(ModuleName=\"WS2_32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4318]},"name":"Module32Next(ModuleName=\"NSI.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4319]},"name":"Module32Next(ModuleName=\"PSAPI.DLL\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4320]},"name":"Module32Next(ModuleName=\"bcrypt.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4321]},"name":"Module32Next(ModuleName=\"ntmarta.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4322]},"name":"Module32Next(ModuleName=\"WLDAP32.dll\", ModuleID=0x1, ProcessId=0x1680) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4327]},"name":"Module32First(ModuleName=\"pythonw.exe\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4328]},"name":"Module32Next(ModuleName=\"ntdll.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4329]},"name":"Module32Next(ModuleName=\"kernel32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4330]},"name":"Module32Next(ModuleName=\"KERNELBASE.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4331]},"name":"Module32Next(ModuleName=\"python37.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4332]},"name":"Module32Next(ModuleName=\"VERSION.dll\", ModuleID=0x1, ProcessId=0x1712) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4333]},"name":"Module32Next(ModuleName=\"msvcrt.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4334]},"name":"Module32Next(ModuleName=\"SHLWAPI.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4335]},"name":"Module32Next(ModuleName=\"GDI32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4336]},"name":"Module32Next(ModuleName=\"USER32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4337]},"name":"Module32Next(ModuleName=\"ADVAPI32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4338]},"name":"Module32Next(ModuleName=\"sechost.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4339]},"name":"Module32Next(ModuleName=\"RPCRT4.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4340]},"name":"Module32Next(ModuleName=\"SspiCli.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4341]},"name":"Module32Next(ModuleName=\"CRYPTBASE.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4342]},"name":"Module32Next(ModuleName=\"LPK.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4343]},"name":"Module32Next(ModuleName=\"USP10.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4344]},"name":"Module32Next(ModuleName=\"WS2_32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4345]},"name":"Module32Next(ModuleName=\"NSI.dll\", ModuleID=0x1, ProcessId=0x1712) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4346]},"name":"Module32Next(ModuleName=\"VCRUNTIME140.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4347]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-runtime-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4348]},"name":"Module32Next(ModuleName=\"ucrtbase.DLL\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4349]},"name":"Module32Next(ModuleName=\"api-ms-win-core-localization-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4350]},"name":"Module32Next(ModuleName=\"api-ms-win-core-processthreads-l1-1-1.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4351]},"name":"Module32Next(ModuleName=\"api-ms-win-core-file-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4352]},"name":"Module32Next(ModuleName=\"api-ms-win-core-timezone-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4353]},"name":"Module32Next(ModuleName=\"api-ms-win-core-file-l2-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4354]},"name":"Module32Next(ModuleName=\"api-ms-win-core-synch-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4355]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-string-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4356]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-heap-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4357]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-stdio-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4358]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-convert-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4359]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-math-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4360]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-locale-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4361]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-time-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4362]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-environment-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4363]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-process-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4364]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-conio-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4365]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-filesystem-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4366]},"name":"Module32Next(ModuleName=\"IMM32.DLL\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4367]},"name":"Module32Next(ModuleName=\"MSCTF.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4368]},"name":"Module32Next(ModuleName=\"CRYPTSP.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4369]},"name":"Module32Next(ModuleName=\"rsaenh.dll\", ModuleID=0x1, ProcessId=0x1712) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4370]},"name":"Module32Next(ModuleName=\"python3.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4371]},"name":"Module32Next(ModuleName=\"_hashlib.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4372]},"name":"Module32Next(ModuleName=\"libcrypto-1_1.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4373]},"name":"Module32Next(ModuleName=\"bcrypt.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4374]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-utility-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4375]},"name":"Module32Next(ModuleName=\"_socket.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4376]},"name":"Module32Next(ModuleName=\"select.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4377]},"name":"Module32Next(ModuleName=\"_bz2.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4378]},"name":"Module32Next(ModuleName=\"_lzma.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4379]},"name":"Module32Next(ModuleName=\"_ssl.pyd\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4380]},"name":"Module32Next(ModuleName=\"CRYPT32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4381]},"name":"Module32Next(ModuleName=\"MSASN1.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4382]},"name":"Module32Next(ModuleName=\"libssl-1_1.dll\", ModuleID=0x1, ProcessId=0x1712) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4383]},"name":"Module32Next(ModuleName=\"mswsock.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4384]},"name":"Module32Next(ModuleName=\"wshtcpip.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4385]},"name":"Module32Next(ModuleName=\"apphelp.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4386]},"name":"Module32Next(ModuleName=\"PSAPI.DLL\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4387]},"name":"Module32Next(ModuleName=\"SHELL32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4388]},"name":"Module32Next(ModuleName=\"ntmarta.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4389]},"name":"Module32Next(ModuleName=\"WLDAP32.dll\", ModuleID=0x1, ProcessId=0x1712) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4412]},"name":"Module32First(ModuleName=\"pythonw.exe\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4413]},"name":"Module32Next(ModuleName=\"ntdll.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4414]},"name":"Module32Next(ModuleName=\"kernel32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4415]},"name":"Module32Next(ModuleName=\"KERNELBASE.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4416]},"name":"Module32Next(ModuleName=\"python37.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4417]},"name":"Module32Next(ModuleName=\"VERSION.dll\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4418]},"name":"Module32Next(ModuleName=\"msvcrt.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4419]},"name":"Module32Next(ModuleName=\"SHLWAPI.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4420]},"name":"Module32Next(ModuleName=\"GDI32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4421]},"name":"Module32Next(ModuleName=\"USER32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4422]},"name":"Module32Next(ModuleName=\"ADVAPI32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4423]},"name":"Module32Next(ModuleName=\"sechost.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4424]},"name":"Module32Next(ModuleName=\"RPCRT4.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4425]},"name":"Module32Next(ModuleName=\"SspiCli.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4426]},"name":"Module32Next(ModuleName=\"CRYPTBASE.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4427]},"name":"Module32Next(ModuleName=\"LPK.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4428]},"name":"Module32Next(ModuleName=\"USP10.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4429]},"name":"Module32Next(ModuleName=\"WS2_32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4430]},"name":"Module32Next(ModuleName=\"NSI.dll\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4431]},"name":"Module32Next(ModuleName=\"VCRUNTIME140.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4432]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-runtime-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4433]},"name":"Module32Next(ModuleName=\"ucrtbase.DLL\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4434]},"name":"Module32Next(ModuleName=\"api-ms-win-core-localization-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4435]},"name":"Module32Next(ModuleName=\"api-ms-win-core-processthreads-l1-1-1.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4436]},"name":"Module32Next(ModuleName=\"api-ms-win-core-file-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4437]},"name":"Module32Next(ModuleName=\"api-ms-win-core-timezone-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4438]},"name":"Module32Next(ModuleName=\"api-ms-win-core-file-l2-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4439]},"name":"Module32Next(ModuleName=\"api-ms-win-core-synch-l1-2-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4440]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-string-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4441]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-heap-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4442]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-stdio-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4443]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-convert-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4444]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-math-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4445]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-locale-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4446]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-time-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4447]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-environment-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4448]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-process-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4449]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-conio-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4450]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-filesystem-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4451]},"name":"Module32Next(ModuleName=\"IMM32.DLL\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4452]},"name":"Module32Next(ModuleName=\"MSCTF.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4453]},"name":"Module32Next(ModuleName=\"CRYPTSP.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4454]},"name":"Module32Next(ModuleName=\"rsaenh.dll\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4455]},"name":"Module32Next(ModuleName=\"python3.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4456]},"name":"Module32Next(ModuleName=\"_socket.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4457]},"name":"Module32Next(ModuleName=\"select.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4458]},"name":"Module32Next(ModuleName=\"_hashlib.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4459]},"name":"Module32Next(ModuleName=\"libcrypto-1_1.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4460]},"name":"Module32Next(ModuleName=\"bcrypt.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4461]},"name":"Module32Next(ModuleName=\"api-ms-win-crt-utility-l1-1-0.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4462]},"name":"Module32Next(ModuleName=\"_ctypes.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4463]},"name":"Module32Next(ModuleName=\"ole32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4464]},"name":"Module32Next(ModuleName=\"OLEAUT32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4465]},"name":"Module32Next(ModuleName=\"_bz2.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4466]},"name":"Module32Next(ModuleName=\"_lzma.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4467]},"name":"Module32Next(ModuleName=\"_ssl.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4468]},"name":"Module32Next(ModuleName=\"CRYPT32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4469]},"name":"Module32Next(ModuleName=\"MSASN1.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4470]},"name":"Module32Next(ModuleName=\"libssl-1_1.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4471]},"name":"Module32Next(ModuleName=\"pdh.DLL\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4472]},"name":"Module32Next(ModuleName=\"unicodedata.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4473]},"name":"Module32Next(ModuleName=\"mswsock.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4474]},"name":"Module32Next(ModuleName=\"wshtcpip.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4475]},"name":"Module32Next(ModuleName=\"uxtheme.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4476]},"name":"Module32Next(ModuleName=\"_elementtree.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4477]},"name":"Module32Next(ModuleName=\"pyexpat.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4478]},"name":"Module32Next(ModuleName=\"_imaging.cp37-win32.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4479]},"name":"Module32Next(ModuleName=\"apphelp.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4480]},"name":"Module32Next(ModuleName=\"_decimal.pyd\", ModuleID=0x1, ProcessId=0x2456) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4481]},"name":"Module32Next(ModuleName=\"PSAPI.DLL\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4482]},"name":"Module32Next(ModuleName=\"SHELL32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4483]},"name":"Module32Next(ModuleName=\"ntmarta.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4484]},"name":"Module32Next(ModuleName=\"WLDAP32.dll\", ModuleID=0x1, ProcessId=0x2456) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4489]},"name":"Module32First(ModuleName=\"explorer.exe\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4490]},"name":"Module32Next(ModuleName=\"ntdll.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4491]},"name":"Module32Next(ModuleName=\"kernel32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4492]},"name":"Module32Next(ModuleName=\"KERNELBASE.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4493]},"name":"Module32Next(ModuleName=\"CRYPT32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4494]},"name":"Module32Next(ModuleName=\"msvcrt.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4495]},"name":"Module32Next(ModuleName=\"MSASN1.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4496]},"name":"Module32Next(ModuleName=\"WS2_32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4497]},"name":"Module32Next(ModuleName=\"RPCRT4.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4498]},"name":"Module32Next(ModuleName=\"SspiCli.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4499]},"name":"Module32Next(ModuleName=\"CRYPTBASE.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4500]},"name":"Module32Next(ModuleName=\"sechost.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4501]},"name":"Module32Next(ModuleName=\"NSI.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4502]},"name":"Module32Next(ModuleName=\"USER32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4503]},"name":"Module32Next(ModuleName=\"GDI32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4504]},"name":"Module32Next(ModuleName=\"LPK.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4505]},"name":"Module32Next(ModuleName=\"USP10.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4506]},"name":"Module32Next(ModuleName=\"ADVAPI32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4507]},"name":"Module32Next(ModuleName=\"ole32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4508]},"name":"Module32Next(ModuleName=\"SHLWAPI.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4509]},"name":"Module32Next(ModuleName=\"PSAPI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4510]},"name":"Module32Next(ModuleName=\"bcrypt.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4511]},"name":"Module32Next(ModuleName=\"SHELL32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4512]},"name":"Module32Next(ModuleName=\"OLEAUT32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4513]},"name":"Module32Next(ModuleName=\"EXPLORERFRAME.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4514]},"name":"Module32Next(ModuleName=\"DUser.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4515]},"name":"Module32Next(ModuleName=\"DUI70.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4516]},"name":"Module32Next(ModuleName=\"IMM32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4517]},"name":"Module32Next(ModuleName=\"MSCTF.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4518]},"name":"Module32Next(ModuleName=\"UxTheme.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4519]},"name":"Module32Next(ModuleName=\"POWRPROF.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4520]},"name":"Module32Next(ModuleName=\"SETUPAPI.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4521]},"name":"Module32Next(ModuleName=\"CFGMGR32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4522]},"name":"Module32Next(ModuleName=\"DEVOBJ.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4523]},"name":"Module32Next(ModuleName=\"dwmapi.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4524]},"name":"Module32Next(ModuleName=\"slc.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4525]},"name":"Module32Next(ModuleName=\"gdiplus.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4526]},"name":"Module32Next(ModuleName=\"Secur32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4527]},"name":"Module32Next(ModuleName=\"PROPSYS.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4528]},"name":"Module32Next(ModuleName=\"api-ms-win-core-synch-l1-2-0.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4529]},"name":"Module32Next(ModuleName=\"IPHLPAPI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4530]},"name":"Module32Next(ModuleName=\"WINNSI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4531]},"name":"Module32Next(ModuleName=\"CRYPTSP.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4532]},"name":"Module32Next(ModuleName=\"rsaenh.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4533]},"name":"Module32Next(ModuleName=\"wininet.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4534]},"name":"Module32Next(ModuleName=\"urlmon.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4535]},"name":"Module32Next(ModuleName=\"XmlLite.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4536]},"name":"Module32Next(ModuleName=\"iertutil.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4537]},"name":"Module32Next(ModuleName=\"ntmarta.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4538]},"name":"Module32Next(ModuleName=\"WLDAP32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4539]},"name":"Module32Next(ModuleName=\"comctl32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4540]},"name":"Module32Next(ModuleName=\"profapi.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4541]},"name":"Module32Next(ModuleName=\"dnsapi.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4542]},"name":"Module32Next(ModuleName=\"RASAPI32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4543]},"name":"Module32Next(ModuleName=\"rasman.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4544]},"name":"Module32Next(ModuleName=\"rtutils.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4545]},"name":"Module32Next(ModuleName=\"sensapi.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4546]},"name":"Module32Next(ModuleName=\"NLAapi.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4547]},"name":"Module32Next(ModuleName=\"USERENV.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4548]},"name":"Module32Next(ModuleName=\"wintrust.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4549]},"name":"Module32Next(ModuleName=\"schannel.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4550]},"name":"Module32Next(ModuleName=\"rasadhlp.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4551]},"name":"Module32Next(ModuleName=\"napinsp.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4552]},"name":"Module32Next(ModuleName=\"pnrpnsp.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4553]},"name":"Module32Next(ModuleName=\"mswsock.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4554]},"name":"Module32Next(ModuleName=\"winrnr.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4555]},"name":"Module32Next(ModuleName=\"wshtcpip.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4556]},"name":"Module32Next(ModuleName=\"wship6.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4557]},"name":"Module32Next(ModuleName=\"fwpuclnt.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4558]},"name":"Module32Next(ModuleName=\"CLBCatQ.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4559]},"name":"Module32Next(ModuleName=\"RpcRtRemote.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4560]},"name":"Module32Next(ModuleName=\"DHCPCSVC.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4561]},"name":"Module32Next(ModuleName=\"dhcpcsvc6.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4562]},"name":"Module32Next(ModuleName=\"VERSION.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4563]},"name":"Module32Next(ModuleName=\"apphelp.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4564]},"name":"Module32Next(ModuleName=\"taskschd.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4565]},"name":"Module32Next(ModuleName=\"mpr.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4566]},"name":"Module32Next(ModuleName=\"netapi32.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4567]},"name":"Module32Next(ModuleName=\"SAMCLI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4568]},"name":"Module32Next(ModuleName=\"WKSCLI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4569]},"name":"Module32Next(ModuleName=\"netutils.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4570]},"name":"Module32Next(ModuleName=\"srvcli.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4571]},"name":"Module32Next(ModuleName=\"LOGONCLI.DLL\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4572]},"name":"Module32Next(ModuleName=\"cscapi.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4573]},"name":"Module32Next(ModuleName=\"drprov.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4574]},"name":"Module32Next(ModuleName=\"WINSTA.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4575]},"name":"Module32Next(ModuleName=\"ntlanman.dll\", ModuleID=0x1, ProcessId=0x1852) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2828,4576]},"name":"Module32Next(ModuleName=\"davclnt.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4577]},"name":"Module32Next(ModuleName=\"DAVHLPR.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4578]},"name":"Module32Next(ModuleName=\"browcli.dll\", ModuleID=0x1, ProcessId=0x1852) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2828,4585]},"name":"socket(af=AF_INET, type=SOCK_STREAM, protocol=IPPROTO_TCP, socket=0x1220) -> 0x4c4"}]},{"address":{"type":"thread","value":[1180,1852,2832]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2832,965]},"name":"NtWaitForSingleObject(Handle=0x1e4, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,967]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x240, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,986]},"name":"FindResourceEx(Module=0x750000, Type=\"#10\", Name=0x11, Language=0x0) -> 0x77b098"},{"address":{"type":"call","value":[1180,1852,2832,992]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,994]},"name":"NtWaitForSingleObject(Handle=0x234, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,996]},"name":"NtWaitForSingleObject(Handle=0x23c, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,998]},"name":"NtWaitForSingleObject(Handle=0x244, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,1000]},"name":"NtWaitForSingleObject(Handle=0x250, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,1002]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x2856) -> 
0x230"},{"address":{"type":"call","value":[1180,1852,2832,1481]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00(\\x0b\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,1482]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,1483]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,1491]},"name":"NtWaitForSingleObject(Handle=0x224, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,1496]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x2208) -> 0x540"},{"address":{"type":"call","value":[1180,1852,2832,1942]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00\\xa0\\x08\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,1943]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,1944]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,1953]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x2616) -> 
0x158"},{"address":{"type":"call","value":[1180,1852,2832,2499]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x008\n\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,2500]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,2501]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,2510]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x1400) -> 0x464"},{"address":{"type":"call","value":[1180,1852,2832,3127]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00x\\x05\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3128]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3129]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,3138]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x1876) -> 0x628"},{"address":{"type":"call","value":[1180,1852,2832,3296]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, 
ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00T\\x07\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3297]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3298]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,3307]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x676) -> 0x600"},{"address":{"type":"call","value":[1180,1852,2832,3796]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00\\xa4\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3797]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,3798]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,3807]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x2700) -> 0x660"},{"address":{"type":"call","value":[1180,1852,2832,4000]},"name":"NtQueryInformationThread(ThreadHandle=0x4d99c40, ThreadInformationClass=ThreadBasicInformation, ThreadInformation=\"\\x03\\x01\\x00\\x00\\x99Iv\\x00<\\x07\\x00\\x00\\x8c\n\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", ThreadId=0x0) -> 
INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,4001]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0x4d99c40, TargetProcessHandle=0xffffffff, TargetHandle=0x0, Options=0x0) -> INVALID_HANDLE"},{"address":{"type":"call","value":[1180,1852,2832,4002]},"name":"NtTerminateThread(ThreadHandle=0x4d99c40, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2832,4011]},"name":"CreateThread(StartRoutine=0x757f20, Parameter=0x4d99c40, CreationFlags=0x0, ThreadId=0x1808) -> 0x674"}]},{"address":{"type":"thread","value":[1180,1852,2856]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2856,1007]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x539000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1022]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1023]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1025]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1026]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1027]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2856,1028]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1029]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1030]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1031]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1032]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1033]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1034]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1035]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1036]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", 
Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1037]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1038]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1039]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1040]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1041]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1042]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2856,1048]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0008"},{"address":{"type":"call","value":[1180,1852,2856,1055]},"name":"InternetSetOption(InternetHandle=0xcc0008, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2856,1058]},"name":"InternetConnect(InternetHandle=0xcc0008, ServerName=\"216.201.159.118\", ServerPort=0x443, Username=\"\", 
Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0014"},{"address":{"type":"call","value":[1180,1852,2856,3263]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x1, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0008"},{"address":{"type":"call","value":[1180,1852,2856,3265]},"name":"InternetSetOption(InternetHandle=0xcc0008, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2856,3268]},"name":"InternetConnect(InternetHandle=0xcc0008, ServerName=\"216.201.159.118\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0014"}]},{"address":{"type":"thread","value":[1180,1852,2784]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2784,1062]},"name":"LdrGetProcedureAddress(ModuleName=\"RASAPI32.dll\", ModuleHandle=0x72890000, FunctionName=\"RasConnectionNotificationW\", Ordinal=0x0, FunctionAddress=0x728931f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2784,1342]},"name":"getaddrinfo(NodeName=\"wpad\", ServiceName=\"\") -> WSAHOST_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,2784,4721]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5931000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,2836]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2836,1068]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"NotifyServiceStatusChangeA\", Ordinal=0x0, FunctionAddress=0x76d4a11d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2836,1069]},"name":"LdrLoadDll(Flags=0x0, FileName=\"CRYPTBASE.dll\", BaseAddress=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2836,1070]},"name":"LdrGetProcedureAddress(ModuleName=\"CRYPTBASE.dll\", ModuleHandle=0x757f0000, FunctionName=\"SystemFunction036\", Ordinal=0x0, FunctionAddress=0x757f12f0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2836,1071]},"name":"NtOpenThread(ThreadHandle=0x34c, DesiredAccess=THREAD_SET_CONTEXT, ProcessId=0x1852, ThreadId=0x2836) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2836,1077]},"name":"NtOpenThread(ThreadHandle=0x378, DesiredAccess=THREAD_SET_CONTEXT, ProcessId=0x1852, ThreadId=0x2836) -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,2320]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2320,1080]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x39c, Options=0x2) -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,236]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,236,1085]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x53a000, RegionSize=0x6000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1086]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ole32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1087]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoInitializeEx\", Ordinal=0x0, FunctionAddress=0x7758097d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1089]},"name":"NtQuerySystemInformation(SystemInformationClass=FILE_SUPERSEDE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1091]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegDeleteTreeA\", Ordinal=0x0, FunctionAddress=0x776e378f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1092]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", 
ModuleHandle=0x776a0000, FunctionName=\"RegDeleteTreeW\", Ordinal=0x0, FunctionAddress=0x776e377f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1099]},"name":"gethostname(HostName=\"comp-PC\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1101]},"name":"getaddrinfo(NodeName=\"comp-PC\", ServiceName=\"\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1102]},"name":"gethostname(HostName=\"comp-PC\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1103]},"name":"getaddrinfo(NodeName=\"comp-PC\", ServiceName=\"\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1104]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoCreateInstance\", Ordinal=0x0, FunctionAddress=0x77589c5b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1106]},"name":"CoCreateInstance(rclsid=\"DCB00C01-570F-4A9B-8D69-199FDBA5723B\", ClsContext=CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER, riid=\"DCB00000-570F-4A9B-8D69-199FDBA5723B\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1113]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1121]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1129]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoTaskMemAlloc\", Ordinal=0x0, FunctionAddress=0x7758e9fc) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1130]},"name":"LdrLoadDll(Flags=0x0, FileName=\"OLEAUT32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1133]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1142]},"name":"RegOpenKeyEx(Registry=0x4ca, SubKey=\"TreatAs\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1143]},"name":"NtQueryKey(KeyHandle=0x4ca, KeyInformation=\"\", KeyInformationClass=0x3) -> BUFFER_TOO_SMALL"},{"address":{"type":"call","value":[1180,1852,236,1144]},"name":"NtQueryKey(KeyHandle=0x4ca, KeyInformation=\"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\", KeyInformationClass=0x3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1145]},"name":"RegOpenKeyEx(Registry=0x4ca, SubKey=\"Progid\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1147]},"name":"RegOpenKeyEx(Registry=0x4ce, SubKey=\"Progid\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1157]},"name":"RegOpenKeyEx(Registry=0x4ca, SubKey=\"InprocHandler32\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1158]},"name":"RegOpenKeyEx(Registry=0x4ca, 
SubKey=\"InprocHandler\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1160]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1164]},"name":"RegOpenKeyEx(Registry=0x4ca, SubKey=\"TreatAs\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1166]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\SysWOW64\\oleaut32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1167]},"name":"LdrGetProcedureAddress(ModuleName=\"OLEAUT32.dll\", ModuleHandle=0x77880000, FunctionName=\"DllGetClassObject\", Ordinal=0x0, FunctionAddress=0x7788c54d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1168]},"name":"LdrGetProcedureAddress(ModuleName=\"OLEAUT32.dll\", ModuleHandle=0x77880000, FunctionName=\"DllCanUnloadNow\", Ordinal=0x0, FunctionAddress=0x77883fae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1169]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ADVAPI32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1170]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"RegOpenKeyW\", Ordinal=0x0, FunctionAddress=0x776b2389) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1171]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\OleAut\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut\") -> 
0x2"},{"address":{"type":"call","value":[1180,1852,236,1173]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1181]},"name":"NtOpenKey(KeyHandle=0x4cc, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1215]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoTaskMemFree\", Ordinal=0x0, FunctionAddress=0x77596f61) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1216]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"StringFromIID\", Ordinal=0x0, FunctionAddress=0x77553cc6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1217]},"name":"RegOpenKeyEx(Registry=HKEY_CURRENT_USER, SubKey=\"Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad\", Handle=0x4c8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1218]},"name":"RegOpenKeyEx(Registry=0x4c8, SubKey=\"{E529480E-F7A1-4923-843A-F7D2F243A5B1}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1219]},"name":"RegQueryValueEx(Handle=0x4c8, ValueName=\"WpadLastNetwork\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1220]},"name":"RegQueryValueEx(Handle=0x4c8, ValueName=\"WpadLastNetwork\", Data=\"{B96C99BA-98AE-4228-B27D-94716BF99810}\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1221]},"name":"RegQueryValueEx(Handle=0x270, ValueName=\"AutoProxyDetectType\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,236,1222]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1223]},"name":"LdrLoadDll(Flags=0x0, FileName=\"IPHLPAPI.DLL\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1224]},"name":"LdrGetProcedureAddress(ModuleName=\"IPHLPAPI.DLL\", ModuleHandle=0x757c0000, FunctionName=\"GetAdaptersAddresses\", Ordinal=0x0, FunctionAddress=0x757c6a4d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1225]},"name":"LdrLoadDll(Flags=0x0, FileName=\"DHCPCSVC.DLL\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1226]},"name":"LdrGetProcedureAddress(ModuleName=\"DHCPCSVC.DLL\", ModuleHandle=0x72310000, FunctionName=\"DhcpRequestParams\", Ordinal=0x0, FunctionAddress=0x72313a5c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1228]},"name":"GetAdaptersAddresses() -> 0x6f"},{"address":{"type":"call","value":[1180,1852,236,1346]},"name":"CoCreateInstance(rclsid=\"DCB00C01-570F-4A9B-8D69-199FDBA5723B\", ClsContext=CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER, riid=\"DCB00000-570F-4A9B-8D69-199FDBA5723B\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1349]},"name":"LdrLoadDll(Flags=0x0, FileName=\"OLEAUT32.dll\", BaseAddress=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1350]},"name":"LdrGetProcedureAddress(ModuleName=\"OLEAUT32.dll\", ModuleHandle=0x77880000, FunctionName=\"\", Ordinal=0x2, FunctionAddress=0x77884728) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1351]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoTaskMemFree\", Ordinal=0x0, FunctionAddress=0x77596f61) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1352]},"name":"RegCreateKeyEx(Registry=0x4c8, SubKey=\"{E529480E-F7A1-4923-843A-F7D2F243A5B1}\", Class=\"\", Access=KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS, Handle=0x4e8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\", Disposition=REG_CREATED_NEW_KEY) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1354]},"name":"RegSetValueEx(Handle=0x4e8, ValueName=\"WpadDecisionReason\", Type=REG_DWORD, Buffer=0x1, BufferLength=0x4, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecisionReason\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1355]},"name":"RegSetValueEx(Handle=0x4e8, ValueName=\"WpadDecisionTime\", Type=REG_BINARY, Buffer=\"\\xb0B\\xad\\xa75\\xf5\\xd6\\x01\", BufferLength=0x8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecisionTime\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1356]},"name":"RegSetValueEx(Handle=0x4e8, ValueName=\"WpadDecision\", Type=REG_DWORD, Buffer=0x3, BufferLength=0x4, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecision\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1357]},"name":"RegSetValueEx(Handle=0x4e8, 
ValueName=\"WpadNetworkName\", Type=REG_SZ, Buffer=\"Network 2\", BufferLength=0x22, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadNetworkName\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1359]},"name":"RegOpenKeyEx(Registry=0x4c8, SubKey=\"{E529480E-F7A1-4923-843A-F7D2F243A5B1}\", Handle=0x4e8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1360]},"name":"RegCreateKeyEx(Registry=0x4e8, SubKey=\"be-56-7b-0a-70-d1\", Class=\"\", Access=KEY_READ, Handle=0x4cc, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\be-56-7b-0a-70-d1\", Disposition=REG_CREATED_NEW_KEY) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1362]},"name":"RegCreateKeyEx(Registry=0x4c8, SubKey=\"be-56-7b-0a-70-d1\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x4cc, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\", Disposition=REG_CREATED_NEW_KEY) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1363]},"name":"RegSetValueEx(Handle=0x4cc, ValueName=\"WpadDecisionReason\", Type=REG_DWORD, Buffer=0x1, BufferLength=0x4, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecisionReason\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1364]},"name":"RegSetValueEx(Handle=0x4cc, ValueName=\"WpadDecisionTime\", Type=REG_BINARY, Buffer=\"\\xb0B\\xad\\xa75\\xf5\\xd6\\x01\", BufferLength=0x8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecisionTime\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1365]},"name":"RegSetValueEx(Handle=0x4cc, ValueName=\"WpadDecision\", Type=REG_DWORD, Buffer=0x3, BufferLength=0x4, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecision\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1369]},"name":"NtCreateMutant(Handle=0x4e8, MutexName=\"IESQMMUTEX_0_208\", InitialOwner=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1375]},"name":"NtWaitForSingleObject(Handle=0x2e8, Milliseconds=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1376]},"name":"RegQueryValueEx(Handle=0x308, ValueName=\"EnableFileTracing\", Data=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASAPI32\\EnableFileTracing\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1378]},"name":"RegQueryValueEx(Handle=0x308, ValueName=\"EnableConsoleTracing\", Data=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASAPI32\\EnableConsoleTracing\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1382]},"name":"RegNotifyChangeKeyValue(FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASAPI32\\\", NotifyFilter=0xe, WatchSubtree=0x0, Asynchronous=0x1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1383]},"name":"RegQueryValueEx(Handle=0x31c, ValueName=\"EnableFileTracing\", Data=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASMANCS\\EnableFileTracing\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1385]},"name":"RegQueryValueEx(Handle=0x31c, ValueName=\"EnableConsoleTracing\", Data=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASMANCS\\EnableConsoleTracing\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1389]},"name":"RegNotifyChangeKeyValue(FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\explorer_RASMANCS\\\", NotifyFilter=0xe, WatchSubtree=0x0, Asynchronous=0x1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1390]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\", Handle=0x4cc, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1395]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\", Handle=0x4cc, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1403]},"name":"RegOpenKeyEx(Registry=HKEY_USERS, SubKey=\"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\", Handle=0x4e8, FullName=\"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1404]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1405]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", Data=\"%USERPROFILE%\\AppData\\Roaming\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1406]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows 
NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x4e4, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1412]},"name":"NtCreateFile(FileHandle=0x4cc, DesiredAccess=FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1419]},"name":"NtCreateFile(FileHandle=0x4cc, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_READONLY, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1420]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0xa74000, RegionSize=0x5000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1421]},"name":"NtReadFile(FileHandle=0x4cc, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk\", Buffer=\"\", Length=0x0) -> END_OF_FILE"},{"address":{"type":"call","value":[1180,1852,236,1429]},"name":"RegOpenKeyEx(Registry=HKEY_USERS, SubKey=\"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\", Handle=0x4e8, FullName=\"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1430]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1431]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", Data=\"%USERPROFILE%\\AppData\\Roaming\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1432]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x4e4, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1438]},"name":"RegOpenKeyEx(Registry=HKEY_USERS, SubKey=\"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\", Handle=0x4e8, FullName=\"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1439]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1440]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", Data=\"%USERPROFILE%\\AppData\\Roaming\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1441]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows 
NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x4e4, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1447]},"name":"RegOpenKeyEx(Registry=HKEY_USERS, SubKey=\"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\", Handle=0x4e8, FullName=\"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1448]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1449]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"AppData\", Data=\"%USERPROFILE%\\AppData\\Roaming\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1450]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\", Handle=0x4e4, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2237850072-885592287-911325625-1000\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1458]},"name":"NtOpenSection(SectionHandle=0x0, DesiredAccess=0x4, ObjectAttributes=\"SENS Information Cache\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,236,1461]},"name":"gethostname(HostName=\"comp-PC\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1462]},"name":"getaddrinfo(NodeName=\"comp-PC\", ServiceName=\"\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,236,1464]},"name":"RegCreateKeyEx(Registry=0x36c, SubKey=\"Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections\", Class=\"\", Access=KEY_QUERY_VALUE, Handle=0x4e8, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1465]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"DefaultConnectionSettings\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1466]},"name":"RegQueryValueEx(Handle=0x4e8, ValueName=\"DefaultConnectionSettings\", Data=\"F\\x00\\x00\\x00\\x05\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xa0\\xc0\\x0en\\x85\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00-\\xb8\\x18ACSp\\x01\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x03\\xbd_\\x00\\x00`\\x1e]\\x00\\xb8\\xe8Y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x01-\\x82_\\x00\\x08P\\x05-v\\x99\\xad\\xde\\x99\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xcf-v\\xdc1]\\x00\\xdc1]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x002]\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xc0\\xa8z\\x8d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\xda\\xda\\xda\\xda\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\xaf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x2]\\x00x2]\\x00\", FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1467]},"name":"RegCreateKeyEx(Registry=0x36c, SubKey=\"Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x4cc, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1470]},"name":"RegSetValueEx(Handle=0x4cc, ValueName=\"DefaultConnectionSettings\", Type=REG_BINARY, Buffer=\"F\\x00\\x00\\x00\\x06\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x87\\xa8\\xa75\\xf5\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x84.\\xc2\\xdb\\x98\\xb1\\xcc\\xb1\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x03\\xbd_\\x00\\x00`\\x1e]\\x00\\xb8\\xe8Y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x01-\\x82_\\x00\\x08P\\x05-v\\x99\\xad\\xde\\x99\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xcf-v\\xdc1]\\x00\\xdc1]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x002]\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xac\\x14\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\
\xff\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xda\\xda\\xda\\xda\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\xaf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x2]\\x00x2]\\x00\", BufferLength=0x312, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,1472]},"name":"RegSetValueEx(Handle=0x4c8, ValueName=\"WpadLastNetwork\", Type=REG_SZ, Buffer=\"{E529480E-F7A1-4923-843A-F7D2F243A5B1}\", BufferLength=0x78, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,2143]},"name":"LdrGetProcedureAddress(ModuleName=\"ole32.dll\", ModuleHandle=0x77540000, FunctionName=\"CoUninitialize\", Ordinal=0x0, FunctionAddress=0x77588623) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,2156]},"name":"LdrLoadDll(Flags=0x0, FileName=\"OLEAUT32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,236,2170]},"name":"NtTerminateThread(ThreadHandle=0x0, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,2284]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2284,2013]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x580, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2284,4920]},"name":"NtTerminateThread(ThreadHandle=0x0, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 
0x0"}]},{"address":{"type":"thread","value":[1180,1852,2208]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2208,1515]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1516]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1517]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1518]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1519]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1520]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1521]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1522]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1523]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, 
FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1524]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1525]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1526]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1527]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1528]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1529]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1530]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1531]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1532]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, 
FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1533]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1534]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2208,1537]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc001c"},{"address":{"type":"call","value":[1180,1852,2208,1539]},"name":"InternetSetOption(InternetHandle=0xcc001c, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2208,1542]},"name":"InternetConnect(InternetHandle=0xcc001c, ServerName=\"65.173.74.217\", ServerPort=0x2083, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0020"},{"address":{"type":"call","value":[1180,1852,2208,3283]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x1, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc001c"},{"address":{"type":"call","value":[1180,1852,2208,3285]},"name":"InternetSetOption(InternetHandle=0xcc001c, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2208,3288]},"name":"InternetConnect(InternetHandle=0xcc001c, ServerName=\"65.173.74.217\", ServerPort=0x2083, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 
0xcc0020"}]},{"address":{"type":"thread","value":[1180,1852,1476]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1476,1599]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5c90000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1600]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5c90000, RegionSize=0x42000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1602]},"name":"NtCreateFile(FileHandle=0x56c, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@adobe[1].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1606]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1607]},"name":"NtQueryInformationFile(FileHandle=0x570, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1608]},"name":"NtSetInformationFile(FileHandle=0x570, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1476,1614]},"name":"NtCreateFile(FileHandle=0x560, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\comp@win-rar[2].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1618]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1619]},"name":"NtQueryInformationFile(FileHandle=0x570, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"h\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1620]},"name":"NtSetInformationFile(FileHandle=0x570, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1637]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@bing[2].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1641]},"name":"NtCreateFile(FileHandle=0x574, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, 
FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1642]},"name":"NtQueryInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"\\xf8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1643]},"name":"NtSetInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"\\xf4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1648]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@google[2].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1652]},"name":"NtCreateFile(FileHandle=0x574, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1653]},"name":"NtQueryInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, 
FileInformation=\"0\\x02\\x00\\x00\\x00\\x00\\x00\\x00*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1654]},"name":"NtSetInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1659]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@msn[2].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1663]},"name":"NtCreateFile(FileHandle=0x574, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1664]},"name":"NtQueryInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00c\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1665]},"name":"NtSetInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"c\\x03\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1670]},"name":"NtCreateFile(FileHandle=0x570, 
DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@support.microsoft[1].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1674]},"name":"NtCreateFile(FileHandle=0x574, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1675]},"name":"NtQueryInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1676]},"name":"NtSetInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"\\xb1\\x04\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1681]},"name":"NtCreateFile(FileHandle=0x570, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\comp@www.bing[1].txt\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1685]},"name":"NtCreateFile(FileHandle=0x574, DesiredAccess=GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", 
CreateDisposition=FILE_OPEN_IF, ShareAccess=0x0, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1686]},"name":"NtQueryInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FileStandardInformation, FileInformation=\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1687]},"name":"NtSetInformationFile(FileHandle=0x574, HandleName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Jxoqwnx\\jxoqwn32.dll\", FileInformationClass=FilePositionInformation, FileInformation=\"\\x99\\x05\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1476,1703]},"name":"NtTerminateThread(ThreadHandle=0x0, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,2616]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2616,1972]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1973]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1974]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1975]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1976]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, 
FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1977]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1978]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1979]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1980]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1981]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1982]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1983]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1984]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2616,1985]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1986]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1987]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1988]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1989]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1990]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1991]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2616,1994]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0028"},{"address":{"type":"call","value":[1180,1852,2616,1996]},"name":"InternetSetOption(InternetHandle=0xcc0028, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,2616,1999]},"name":"InternetConnect(InternetHandle=0xcc0028, ServerName=\"66.222.88.126\", ServerPort=0x995, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc002c"},{"address":{"type":"call","value":[1180,1852,2616,3987]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x1, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0028"},{"address":{"type":"call","value":[1180,1852,2616,3989]},"name":"InternetSetOption(InternetHandle=0xcc0028, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2616,3992]},"name":"InternetConnect(InternetHandle=0xcc0028, ServerName=\"66.222.88.126\", ServerPort=0x995, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc002c"}]},{"address":{"type":"thread","value":[1180,1852,1400]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1400,2529]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2530]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2531]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2532]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2533]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, 
FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2534]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2535]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2536]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2537]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2538]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2539]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2540]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2541]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1400,2542]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2543]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2544]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2545]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2546]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2547]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2548]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1400,2551]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0034"},{"address":{"type":"call","value":[1180,1852,1400,2553]},"name":"InternetSetOption(InternetHandle=0xcc0034, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 
0x1"},{"address":{"type":"call","value":[1180,1852,1400,2556]},"name":"InternetConnect(InternetHandle=0xcc0034, ServerName=\"71.190.202.120\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0038"},{"address":{"type":"call","value":[1180,1852,1400,4901]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x1, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0004"},{"address":{"type":"call","value":[1180,1852,1400,4903]},"name":"InternetSetOption(InternetHandle=0xcc0004, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,1400,4906]},"name":"InternetConnect(InternetHandle=0xcc0004, ServerName=\"71.190.202.120\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc000c"}]},{"address":{"type":"thread","value":[1180,1852,1020]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1020,2635]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2636]},"name":"LdrLoadDll(Flags=0x0, FileName=\"mpr.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2642]},"name":"LdrGetProcedureAddress(ModuleName=\"mpr.dll\", ModuleHandle=0x72390000, FunctionName=\"WNetOpenEnumW\", Ordinal=0x0, FunctionAddress=0x72392f06) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2643]},"name":"LdrGetProcedureAddress(ModuleName=\"mpr.dll\", ModuleHandle=0x72390000, FunctionName=\"WNetEnumResourceW\", Ordinal=0x0, FunctionAddress=0x72393058) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2644]},"name":"LdrGetProcedureAddress(ModuleName=\"mpr.dll\", ModuleHandle=0x72390000, FunctionName=\"WNetAddConnection2W\", 
Ordinal=0x0, FunctionAddress=0x72394744) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2645]},"name":"LdrGetProcedureAddress(ModuleName=\"mpr.dll\", ModuleHandle=0x72390000, FunctionName=\"WNetCloseEnum\", Ordinal=0x0, FunctionAddress=0x72392dd6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2646]},"name":"LdrGetProcedureAddress(ModuleName=\"mpr.dll\", ModuleHandle=0x72390000, FunctionName=\"WNetCancelConnection2W\", Ordinal=0x0, FunctionAddress=0x72398cd1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2647]},"name":"LdrLoadDll(Flags=0x0, FileName=\"advapi32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2648]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"OpenSCManagerW\", Ordinal=0x0, FunctionAddress=0x776ac9cc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2649]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"CreateServiceW\", Ordinal=0x0, FunctionAddress=0x776c70a4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2650]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"StartServiceW\", Ordinal=0x0, FunctionAddress=0x776a78dc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2651]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"DeleteService\", Ordinal=0x0, FunctionAddress=0x776c70d4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2652]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"CloseServiceHandle\", Ordinal=0x0, FunctionAddress=0x776b35cc) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2653]},"name":"LdrLoadDll(Flags=0x0, FileName=\"netapi32.dll\", BaseAddress=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1020,2656]},"name":"LdrGetProcedureAddress(ModuleName=\"netapi32.dll\", ModuleHandle=0x75540000, FunctionName=\"NetApiBufferFree\", Ordinal=0x0, FunctionAddress=0x755313d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2657]},"name":"LdrGetProcedureAddress(ModuleName=\"netapi32.dll\", ModuleHandle=0x75540000, FunctionName=\"NetShareEnum\", Ordinal=0x0, FunctionAddress=0x754c3f33) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2658]},"name":"LdrGetProcedureAddress(ModuleName=\"netapi32.dll\", ModuleHandle=0x75540000, FunctionName=\"NetUserEnum\", Ordinal=0x0, FunctionAddress=0x723859cf) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2659]},"name":"LdrGetProcedureAddress(ModuleName=\"netapi32.dll\", ModuleHandle=0x75540000, FunctionName=\"NetGetDCName\", Ordinal=0x0, FunctionAddress=0x72355eb2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2660]},"name":"LdrGetProcedureAddress(ModuleName=\"netapi32.dll\", ModuleHandle=0x75540000, FunctionName=\"NetWkstaGetInfo\", Ordinal=0x0, FunctionAddress=0x75545570) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2663]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wkscli.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2664]},"name":"LdrGetProcedureAddress(ModuleName=\"WKSCLI.DLL\", ModuleHandle=0x754b0000, FunctionName=\"NetWkstaGetInfo\", Ordinal=0x0, FunctionAddress=0x754b2d9c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2665]},"name":"NtCreateFile(FileHandle=0x5c8, DesiredAccess=GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\PIPE\\wkssvc\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2666]},"name":"NtSetInformationFile(FileHandle=0x5c8, HandleName=\"\\Device\\NamedPipe\\wkssvc\", 
FileInformationClass=FilePipeInformation, FileInformation=\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2667]},"name":"NtSetInformationFile(FileHandle=0x5c8, HandleName=\"\\Device\\NamedPipe\\wkssvc\", FileInformationClass=FileIoStatusBlockRangeInformation, FileInformation=\"\\x02\\x00\\x00\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2668]},"name":"NtSetInformationFile(FileHandle=0x5c8, HandleName=\"\\Device\\NamedPipe\\wkssvc\", FileInformationClass=FileCompletionInformation, FileInformation=\"|\\x01\\x00\\x00\\xc0\\x92\\xa3\\x00\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2669]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"Software\\Policies\\Microsoft\\Windows NT\\Rpc\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc\") -> 0x2"},{"address":{"type":"call","value":[1180,1852,1020,2672]},"name":"LdrLoadDll(Flags=0x0, FileName=\"cscapi.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2676]},"name":"LdrGetProcedureAddress(ModuleName=\"cscapi.dll\", ModuleHandle=0x72330000, FunctionName=\"CscNetApiGetInterface\", Ordinal=0x0, FunctionAddress=0x72331e45) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2687]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"system\\CurrentControlSet\", Handle=0x5f0, FullName=\"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2714]},"name":"LdrLoadDll(Flags=0x0, FileName=\"USER32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2715]},"name":"LdrGetProcedureAddress(ModuleName=\"USER32.dll\", ModuleHandle=0x77750000, FunctionName=\"LoadStringW\", Ordinal=0x0, FunctionAddress=0x77768eb9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2716]},"name":"NtCreateFile(FileHandle=0x5f0, 
DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\SysWOW64\\en-US\\mpr.dll.mui\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_DELETE, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2718]},"name":"NtMapViewOfSection(SectionHandle=0x5f4, ProcessHandle=0xffffffff, BaseAddress=0x36a0000, SectionOffset=0x5b4ef40, ViewSize=0x1000, Win32Protect=PAGE_WRITECOPY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2720]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\drprov.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2732]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetCaps\", Ordinal=0x0, FunctionAddress=0x722f1568) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2733]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetUser\", Ordinal=0x0, FunctionAddress=0x72392a98) -> ENTRYPOINT_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,2734]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPAddConnection\", Ordinal=0x0, FunctionAddress=0x722f338f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2735]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPAddConnection3\", Ordinal=0x0, FunctionAddress=0x722f1d4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2736]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetReconnectFlags\", Ordinal=0x0, FunctionAddress=0x72392a60) -> ENTRYPOINT_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,2737]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, 
FunctionName=\"NPCancelConnection\", Ordinal=0x0, FunctionAddress=0x722f2d28) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2738]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetConnection\", Ordinal=0x0, FunctionAddress=0x722f2a53) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2739]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetConnection3\", Ordinal=0x0, FunctionAddress=0x72392a28) -> ENTRYPOINT_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,2740]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetUniversalName\", Ordinal=0x0, FunctionAddress=0x722f317f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2741]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPOpenEnum\", Ordinal=0x0, FunctionAddress=0x722f170e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2742]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPEnumResource\", Ordinal=0x0, FunctionAddress=0x722f2897) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2743]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPCloseEnum\", Ordinal=0x0, FunctionAddress=0x722f2916) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2744]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetResourceParent\", Ordinal=0x0, FunctionAddress=0x722f2ef3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2745]},"name":"LdrGetProcedureAddress(ModuleName=\"drprov.dll\", ModuleHandle=0x722f0000, FunctionName=\"NPGetResourceInformation\", Ordinal=0x0, FunctionAddress=0x722f1b21) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2746]},"name":"LdrLoadDll(Flags=0x0, 
FileName=\"C:\\Windows\\System32\\ntlanman.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2903]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetCaps\", Ordinal=0x0, FunctionAddress=0x722a18b0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2904]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetUser\", Ordinal=0x0, FunctionAddress=0x722aa93c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2905]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPAddConnection\", Ordinal=0x0, FunctionAddress=0x722aa96a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2906]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPAddConnection3\", Ordinal=0x0, FunctionAddress=0x722a327b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2907]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetReconnectFlags\", Ordinal=0x0, FunctionAddress=0x722aa919) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2908]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPCancelConnection\", Ordinal=0x0, FunctionAddress=0x722aabd1) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2909]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetConnection\", Ordinal=0x0, FunctionAddress=0x722aa6e4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2910]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetConnection3\", Ordinal=0x0, FunctionAddress=0x722aa6f4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2911]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", 
ModuleHandle=0x722a0000, FunctionName=\"NPGetUniversalName\", Ordinal=0x0, FunctionAddress=0x722aa76d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2912]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetConnectionPerformance\", Ordinal=0x0, FunctionAddress=0x722aa8eb) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2913]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPOpenEnum\", Ordinal=0x0, FunctionAddress=0x722a215b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2914]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPEnumResource\", Ordinal=0x0, FunctionAddress=0x722a1e75) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2915]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPCloseEnum\", Ordinal=0x0, FunctionAddress=0x722a1f38) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2916]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPFormatNetworkName\", Ordinal=0x0, FunctionAddress=0x722aa77d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2917]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetResourceParent\", Ordinal=0x0, FunctionAddress=0x722a303a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2918]},"name":"LdrGetProcedureAddress(ModuleName=\"ntlanman.dll\", ModuleHandle=0x722a0000, FunctionName=\"NPGetResourceInformation\", Ordinal=0x0, FunctionAddress=0x722a297f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2919]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\davclnt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2957]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", 
ModuleHandle=0x72280000, FunctionName=\"NPGetCaps\", Ordinal=0x0, FunctionAddress=0x722819d0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2958]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetUser\", Ordinal=0x0, FunctionAddress=0x7228bef9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2959]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPAddConnection\", Ordinal=0x0, FunctionAddress=0x72290755) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2960]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPAddConnection3\", Ordinal=0x0, FunctionAddress=0x722843e8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2961]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetReconnectFlags\", Ordinal=0x0, FunctionAddress=0x72392a60) -> ENTRYPOINT_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,2962]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPCancelConnection\", Ordinal=0x0, FunctionAddress=0x7228c81f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2963]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetConnection\", Ordinal=0x0, FunctionAddress=0x7228c351) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2964]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetConnection3\", Ordinal=0x0, FunctionAddress=0x72392a28) -> ENTRYPOINT_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,2965]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetUniversalName\", Ordinal=0x0, FunctionAddress=0x7228d067) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1020,2966]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPOpenEnum\", Ordinal=0x0, FunctionAddress=0x72282738) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2967]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPEnumResource\", Ordinal=0x0, FunctionAddress=0x72282b75) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2968]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPCloseEnum\", Ordinal=0x0, FunctionAddress=0x72282a19) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2969]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPFormatNetworkName\", Ordinal=0x0, FunctionAddress=0x7228d645) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2970]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetResourceParent\", Ordinal=0x0, FunctionAddress=0x7228cb49) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2971]},"name":"LdrGetProcedureAddress(ModuleName=\"davclnt.dll\", ModuleHandle=0x72280000, FunctionName=\"NPGetResourceInformation\", Ordinal=0x0, FunctionAddress=0x722907a4) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2972]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\drprov.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2973]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\ntlanman.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2974]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\davclnt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2975]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5c00000, 
RegionSize=0x81000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2980]},"name":"LdrLoadDll(Flags=0x0, FileName=\"ADVAPI32.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2981]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"LookupAccountSidW\", Ordinal=0x0, FunctionAddress=0x776b47a8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,2982]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x776a0000, FunctionName=\"CreateWellKnownSid\", Ordinal=0x0, FunctionAddress=0x776b4752) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3006]},"name":"LdrLoadDll(Flags=0x0, FileName=\"RPCRT4.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3007]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcStringBindingComposeW\", Ordinal=0x0, FunctionAddress=0x771939f8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3008]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcBindingFromStringBindingW\", Ordinal=0x0, FunctionAddress=0x77193791) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3009]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcStringFreeW\", Ordinal=0x0, FunctionAddress=0x77193c0d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3010]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcBindingSetAuthInfoExW\", Ordinal=0x0, FunctionAddress=0x77193c75) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3014]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"NdrClientCall2\", Ordinal=0x0, FunctionAddress=0x77220005) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1020,3037]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcBindingFree\", Ordinal=0x0, FunctionAddress=0x7718a9a8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3038]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\drprov.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3039]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5f30000, RegionSize=0x81000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3040]},"name":"NtOpenFile(FileHandle=0x0, DesiredAccess=SYNCHRONIZE, FileName=\"\\Device\\RdpDr\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,3043]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wkscli.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3044]},"name":"LdrGetProcedureAddress(ModuleName=\"WKSCLI.DLL\", ModuleHandle=0x754b0000, FunctionName=\"NetWkstaGetInfo\", Ordinal=0x0, FunctionAddress=0x754b2d9c) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3046]},"name":"LdrLoadDll(Flags=0x0, FileName=\"netutils.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3047]},"name":"LdrGetProcedureAddress(ModuleName=\"netutils.dll\", ModuleHandle=0x75530000, FunctionName=\"NetApiBufferFree\", Ordinal=0x0, FunctionAddress=0x755313d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3049]},"name":"LdrLoadDll(Flags=0x0, FileName=\"browcli.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3050]},"name":"LdrGetProcedureAddress(ModuleName=\"browcli.dll\", ModuleHandle=0x72260000, FunctionName=\"NetServerEnum\", Ordinal=0x0, FunctionAddress=0x72262f61) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1020,3051]},"name":"LdrLoadDll(Flags=0x0, FileName=\"API-MS-WIN-Service-Management-L1-1-0.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3052]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"OpenSCManagerW\", Ordinal=0x0, FunctionAddress=0x76d463ad) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3054]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"OpenServiceW\", Ordinal=0x0, FunctionAddress=0x76d4714b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3056]},"name":"LdrLoadDll(Flags=0x0, FileName=\"API-MS-WIN-Service-winsvc-L1-1-0.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3057]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"QueryServiceStatus\", Ordinal=0x0, FunctionAddress=0x76d44e4b) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3058]},"name":"LdrGetProcedureAddress(ModuleName=\"sechost.dll\", ModuleHandle=0x76d40000, FunctionName=\"CloseServiceHandle\", Ordinal=0x0, FunctionAddress=0x76d44dc3) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3059]},"name":"LdrLoadDll(Flags=0x0, FileName=\"cscapi.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3060]},"name":"LdrGetProcedureAddress(ModuleName=\"cscapi.dll\", ModuleHandle=0x72330000, FunctionName=\"CscNetApiGetInterface\", Ordinal=0x0, FunctionAddress=0x72331e45) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3061]},"name":"LdrLoadDll(Flags=0x0, FileName=\"netutils.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3062]},"name":"LdrGetProcedureAddress(ModuleName=\"netutils.dll\", ModuleHandle=0x75530000, FunctionName=\"NetApiBufferAllocate\", Ordinal=0x0, FunctionAddress=0x75531415) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1020,3063]},"name":"NtOpenFile(FileHandle=0x628, DesiredAccess=GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE, FileName=\"\\Device\\LanmanDatagramReceiver\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3067]},"name":"LdrGetProcedureAddress(ModuleName=\"netutils.dll\", ModuleHandle=0x75530000, FunctionName=\"NetApiBufferFree\", Ordinal=0x0, FunctionAddress=0x755313d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3068]},"name":"LdrGetProcedureAddress(ModuleName=\"WKSCLI.DLL\", ModuleHandle=0x754b0000, FunctionName=\"NetWkstaUserGetInfo\", Ordinal=0x0, FunctionAddress=0x754b372f) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3070]},"name":"LdrGetProcedureAddress(ModuleName=\"netutils.dll\", ModuleHandle=0x75530000, FunctionName=\"NetpwNameCompare\", Ordinal=0x0, FunctionAddress=0x75531f31) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3071]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\ntlanman.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3072]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5f30000, RegionSize=0x81000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3073]},"name":"RegOpenKeyEx(Registry=HKEY_LOCAL_MACHINE, SubKey=\"System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider\", Handle=0x628, FullName=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3081]},"name":"LdrGetProcedureAddress(ModuleName=\"netutils.dll\", ModuleHandle=0x75530000, FunctionName=\"NetpwNameCanonicalize\", Ordinal=0x0, FunctionAddress=0x75531c30) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3082]},"name":"NtOpenFile(FileHandle=0x628, 
DesiredAccess=GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE, FileName=\"\\Device\\LanmanDatagramReceiver\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3086]},"name":"LdrLoadDll(Flags=0x0, FileName=\"C:\\Windows\\System32\\ntlanman.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3087]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5fc0000, RegionSize=0x81000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3091]},"name":"LdrLoadDll(Flags=0x0, FileName=\"RPCRT4.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3092]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcStringBindingComposeW\", Ordinal=0x0, FunctionAddress=0x771939f8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3093]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcBindingFromStringBindingW\", Ordinal=0x0, FunctionAddress=0x77193791) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3094]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcStringFreeW\", Ordinal=0x0, FunctionAddress=0x77193c0d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3095]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"NdrClientCall2\", Ordinal=0x0, FunctionAddress=0x77220005) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3096]},"name":"NtCreateFile(FileHandle=0x0, DesiredAccess=GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"\\??\\PIPE\\DAV RPC SERVICE\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> 
OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1180,1852,1020,3099]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"I_RpcExceptionFilter\", Ordinal=0x0, FunctionAddress=0x77197e79) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3100]},"name":"LdrGetProcedureAddress(ModuleName=\"RPCRT4.dll\", ModuleHandle=0x77170000, FunctionName=\"RpcBindingFree\", Ordinal=0x0, FunctionAddress=0x7718a9a8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1020,3113]},"name":"NtTerminateThread(ThreadHandle=0x0, ExitStatus=0x0, ThreadId=0x0, ProcessId=0x0) -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,968]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,968,3004]},"name":"LdrLoadDll(Flags=0x0, FileName=\"msvcrt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,968,3005]},"name":"LdrGetProcedureAddress(ModuleName=\"msvcrt.dll\", ModuleHandle=0x75cc0000, FunctionName=\"qsort\", Ordinal=0x0, FunctionAddress=0x75ccd3e6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,968,3029]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0040"},{"address":{"type":"call","value":[1180,1852,968,3031]},"name":"InternetSetOption(InternetHandle=0xcc0040, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,968,3034]},"name":"InternetConnect(InternetHandle=0xcc0040, ServerName=\"www.ip-adress.com\", ServerPort=0x80, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0044"}]},{"address":{"type":"thread","value":[1180,1852,1876]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1876,3155]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3156]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3157]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3158]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3159]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3160]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3161]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3162]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3163]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3164]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, 
FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3165]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3166]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3167]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3168]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3169]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3170]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3171]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3172]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3173]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1876,3174]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,3179]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc004c"},{"address":{"type":"call","value":[1180,1852,1876,3181]},"name":"InternetSetOption(InternetHandle=0xcc004c, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,1876,3184]},"name":"InternetConnect(InternetHandle=0xcc004c, ServerName=\"216.109.9.227\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0050"},{"address":{"type":"call","value":[1180,1852,1876,5139]},"name":"NtCreateSection(SectionHandle=0x5c0, DesiredAccess=STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE, ObjectAttributes=\"\", FileHandle=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1876,5140]},"name":"NtMapViewOfSection(SectionHandle=0x5c0, ProcessHandle=0xffffffff, BaseAddress=0x47b0000, SectionOffset=0x5f6e438, ViewSize=0x1000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[1180,1852,676]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,676,3326]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3327]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3328]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", 
ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3329]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3330]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3331]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3332]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3333]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3334]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3335]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3336]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,676,3337]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3338]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3339]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3340]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3341]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3342]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3343]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3344]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,676,3345]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,676,3348]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0058"},{"address":{"type":"call","value":[1180,1852,676,3350]},"name":"InternetSetOption(InternetHandle=0xcc0058, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,676,3353]},"name":"InternetConnect(InternetHandle=0xcc0058, ServerName=\"47.40.29.239\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc005c"}]},{"address":{"type":"thread","value":[1180,1852,1200]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1200,3769]},"name":"LdrLoadDll(Flags=0x0, FileName=\"msvcrt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1200,3770]},"name":"LdrGetProcedureAddress(ModuleName=\"msvcrt.dll\", ModuleHandle=0x75cc0000, FunctionName=\"qsort\", Ordinal=0x0, FunctionAddress=0x75ccd3e6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1200,3783]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5cd2000, RegionSize=0x41000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,1200,3788]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0064"},{"address":{"type":"call","value":[1180,1852,1200,3790]},"name":"InternetSetOption(InternetHandle=0xcc0064, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,1200,3793]},"name":"InternetConnect(InternetHandle=0xcc0064, ServerName=\"www.ip-adress.com\", 
ServerPort=0x80, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0068"}]},{"address":{"type":"thread","value":[1180,1852,2700]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2700,3826]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3827]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3828]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3829]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3830]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3831]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3832]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3833]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3834]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", 
ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3835]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3836]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3837]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3838]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3839]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3840]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3841]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3842]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,2700,3843]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3844]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3845]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2700,3848]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0070"},{"address":{"type":"call","value":[1180,1852,2700,3850]},"name":"InternetSetOption(InternetHandle=0xcc0070, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2700,3853]},"name":"InternetConnect(InternetHandle=0xcc0070, ServerName=\"185.219.83.73\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0074"}]},{"address":{"type":"thread","value":[1180,1852,1808]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,1808,4030]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x75af1222) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4031]},"name":"LdrLoadDll(Flags=0x0, FileName=\"wininet.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4032]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenA\", Ordinal=0x0, FunctionAddress=0x76d9f18e) -> 
0x0"},{"address":{"type":"call","value":[1180,1852,1808,4033]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetOpenUrlA\", Ordinal=0x0, FunctionAddress=0x76db30e9) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4034]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCloseHandle\", Ordinal=0x0, FunctionAddress=0x76d8ab41) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4035]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpQueryInfoA\", Ordinal=0x0, FunctionAddress=0x76d8a336) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4036]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetReadFile\", Ordinal=0x0, FunctionAddress=0x76d8b3fe) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4037]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetSetOptionA\", Ordinal=0x0, FunctionAddress=0x76d875e0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4038]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetQueryOptionA\", Ordinal=0x0, FunctionAddress=0x76d81b4e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4039]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetConnectA\", Ordinal=0x0, FunctionAddress=0x76d949ea) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4040]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpOpenRequestA\", Ordinal=0x0, FunctionAddress=0x76d94c7e) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4041]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"HttpSendRequestA\", 
Ordinal=0x0, FunctionAddress=0x76e01ab8) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4042]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetCrackUrlA\", Ordinal=0x0, FunctionAddress=0x76d7d07d) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4043]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpDeleteFileA\", Ordinal=0x0, FunctionAddress=0x76df80f5) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4044]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetWriteFile\", Ordinal=0x0, FunctionAddress=0x76da46d2) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4045]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpOpenFileA\", Ordinal=0x0, FunctionAddress=0x76df92ce) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4046]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"FtpGetFileA\", Ordinal=0x0, FunctionAddress=0x76df6835) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4047]},"name":"LdrGetProcedureAddress(ModuleName=\"wininet.dll\", ModuleHandle=0x76d70000, FunctionName=\"InternetGetLastResponseInfoA\", Ordinal=0x0, FunctionAddress=0x76deaaae) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4048]},"name":"LdrLoadDll(Flags=0x0, FileName=\"urlmon.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4049]},"name":"LdrGetProcedureAddress(ModuleName=\"urlmon.dll\", ModuleHandle=0x76c00000, FunctionName=\"ObtainUserAgentString\", Ordinal=0x0, FunctionAddress=0x76c2d01a) -> 0x0"},{"address":{"type":"call","value":[1180,1852,1808,4052]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc007c"},{"address":{"type":"call","value":[1180,1852,1808,4054]},"name":"InternetSetOption(InternetHandle=0xcc007c, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,1808,4057]},"name":"InternetConnect(InternetHandle=0xcc007c, ServerName=\"63.140.135.35\", ServerPort=0x443, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 0xcc0080"}]},{"address":{"type":"thread","value":[1180,1852,2444]},"matched_calls":[{"address":{"type":"call","value":[1180,1852,2444,5051]},"name":"LdrLoadDll(Flags=0x0, FileName=\"msvcrt.dll\", BaseAddress=0x0) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2444,5052]},"name":"LdrGetProcedureAddress(ModuleName=\"msvcrt.dll\", ModuleHandle=0x75cc0000, FunctionName=\"qsort\", Ordinal=0x0, FunctionAddress=0x75ccd3e6) -> 0x0"},{"address":{"type":"call","value":[1180,1852,2444,5065]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5d34000, RegionSize=0x41000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1180,1852,2444,5070]},"name":"InternetOpen(Agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\", AccessType=0x0, ProxyName=\"\", ProxyBypass=\"\", Flags=0x0) -> 0xcc0034"},{"address":{"type":"call","value":[1180,1852,2444,5072]},"name":"InternetSetOption(InternetHandle=0xcc0034, Option=INTERNET_OPTION_CONNECT_TIMEOUT, Buffer=0x3a98) -> 0x1"},{"address":{"type":"call","value":[1180,1852,2444,5075]},"name":"InternetConnect(InternetHandle=0xcc0034, ServerName=\"www.ip-adress.com\", ServerPort=0x80, Username=\"\", Password=\"\", Service=0x3, Flags=0x0) -> 
0xcc0038"}]}]},{"address":{"type":"process","value":[792,1224]},"name":"dwm.exe","matched_threads":[{"address":{"type":"thread","value":[792,1224,1660]},"matched_calls":[{"address":{"type":"call","value":[792,1224,1660,8]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x1b9b000, RegionSize=0x5000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[792,1224,2540]},"matched_calls":[{"address":{"type":"call","value":[792,1224,2540,38]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x77a35980) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,130]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x77a6bf30) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,183]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x174, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,213]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x77910000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,726]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x7feff390000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,748]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,751]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,753]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,755]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,757]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,759]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,761]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,763]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,765]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,767]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,769]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,771]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,773]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,775]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,777]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,779]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,781]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,783]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,785]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,787]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,789]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,791]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,793]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,795]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,797]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,799]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,801]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,803]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,805]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,807]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,809]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,811]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,813]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,815]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,817]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,819]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,821]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,823]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,825]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,827]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,829]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,831]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,833]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,835]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,837]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,839]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,841]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,843]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,845]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,847]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,849]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,851]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,853]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,855]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,857]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,859]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,861]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,863]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,865]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,867]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,869]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,871]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,873]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,875]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,877]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,879]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,881]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,883]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,885]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,887]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,889]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,891]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,893]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,895]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,897]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,899]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,901]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,903]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,905]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,907]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,909]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,911]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,913]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,915]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,917]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,919]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,921]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,923]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,925]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,927]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,929]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,931]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,933]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,935]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,937]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,939]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,941]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,943]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,945]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,947]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,949]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,951]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,953]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,955]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,957]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,959]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,961]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,963]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,965]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,967]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,969]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,971]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,973]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,975]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,977]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,979]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,981]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,983]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,985]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,987]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,989]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,991]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, 
SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,993]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,995]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,997]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,999]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1001]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1003]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1005]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1007]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1009]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1011]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1013]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1015]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1017]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1019]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1021]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1023]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1025]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1027]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1029]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1031]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1033]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1035]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1037]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1039]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1041]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1043]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1045]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1047]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1049]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1051]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1053]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1055]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1057]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1059]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1061]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1063]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1065]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1067]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1069]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1071]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1073]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1075]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1077]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1079]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1081]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1083]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1085]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1087]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1089]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1091]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1093]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1095]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1097]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1099]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1101]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1103]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1105]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1107]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1109]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1111]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1113]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1115]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1117]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1119]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1121]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1123]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1125]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1127]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1129]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1131]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1133]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1135]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1137]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1139]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1141]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1143]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1145]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1147]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1149]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1151]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1153]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1155]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1157]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1159]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1161]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1163]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1165]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1167]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1169]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1171]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1173]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1175]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1177]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1179]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1181]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1183]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1185]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1187]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1189]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1191]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1193]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1195]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1197]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1199]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1201]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1203]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1205]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1207]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1209]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1211]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1213]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1215]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1217]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1219]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1221]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1223]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1225]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1227]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1229]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1231]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1233]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1235]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1237]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1239]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1241]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1243]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1245]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1247]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1249]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1251]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1253]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1255]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1257]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1259]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1261]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1263]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1265]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1267]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1269]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1271]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1273]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1275]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1277]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1279]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1281]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1283]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1285]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1287]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1289]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1291]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1293]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1295]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1297]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1299]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1301]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1303]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1305]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1307]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1309]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1311]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1313]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1315]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1317]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1319]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1321]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1323]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1325]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1327]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1329]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1331]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1333]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1335]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1337]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1339]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1341]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1343]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1345]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1347]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1349]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1351]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1353]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1355]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1357]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1359]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1361]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1363]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1365]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1367]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1369]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1371]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1373]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1375]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1377]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1379]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1381]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1383]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1385]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1387]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1389]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1391]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1393]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1395]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1397]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1399]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1401]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1403]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1405]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1407]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1409]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1411]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1413]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1415]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1417]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1419]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1421]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1423]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1425]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1427]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1429]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1431]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1433]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1435]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1437]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1439]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1441]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1443]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1445]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1447]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1449]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1451]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1453]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1455]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1457]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1459]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1461]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1463]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1465]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1467]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1469]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1471]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1473]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1475]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1477]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1479]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1481]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1483]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1485]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1487]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1489]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1491]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1493]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1495]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1497]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1499]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1501]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1503]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1505]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1507]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1509]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1511]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1513]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1515]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[792,1224,2540,1517]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1519]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1521]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1523]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1525]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1527]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1529]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1531]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1533]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1535]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1537]},"name":"NtMapViewOfSection(SectionHandle=0x1d0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eb0000, SectionOffset=0x4a1fc00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1540]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1228) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1544]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1240) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1548]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1244) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1552]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1528) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1556]},"name":"NtOpenThread(ThreadHandle=0x1d0, 
DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1108) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1559]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1660) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1562]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1328) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1565]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x2772) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1585]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1228) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1589]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1240) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1593]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1244) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1597]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1528) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1601]},"name":"NtOpenThread(ThreadHandle=0x1d0, 
DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1108) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1605]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1660) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1609]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x1328) -> 0x0"},{"address":{"type":"call","value":[792,1224,2540,1613]},"name":"NtOpenThread(ThreadHandle=0x1d0, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1224, ThreadId=0x2772) -> 0x0"}]},{"address":{"type":"thread","value":[792,1224,1504]},"matched_calls":[{"address":{"type":"call","value":[792,1224,1504,1634]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x1e8, Options=0x2) -> 0x0"}]}]},{"address":{"type":"process","value":[1200,1248]},"name":"explorer.exe","matched_threads":[{"address":{"type":"thread","value":[1200,1248,1460]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,1460,28]},"name":"NtMapViewOfSection(SectionHandle=0x63c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x2720000, SectionOffset=0x2aff460, ViewSize=0x1000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,31]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"WerRegisterMemoryBlock\", Ordinal=0x0, FunctionAddress=0x77aae4c0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5894]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, 
riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5910]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5916]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5922]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5926]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5939]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5943]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5947]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5951]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1460,5955]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5959]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5963]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5967]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5971]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5977]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5981]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5986]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1460,5990]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,5996]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,6065]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"SOFTWARE\\Microsoft\\CTF\\KnownClasses\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1460,6147]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,6155]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,6161]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1460,6167]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"}]},{"address":{"type":"thread","value":[1200,1248,2544]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,2544,53]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x77a41de0) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,67]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x77a35980) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,147]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"GetProcAddress\", Ordinal=0x0, FunctionAddress=0x77a41de0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,157]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x77a6bf30) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,191]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegOpenKeyExA\", Ordinal=0x0, FunctionAddress=0x7feff3bd6b0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,192]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegCreateKeyExA\", Ordinal=0x0, FunctionAddress=0x7feff3b4390) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,193]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegQueryInfoKeyA\", Ordinal=0x0, FunctionAddress=0x7feff3c5cb0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,194]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegEnumValueA\", Ordinal=0x0, FunctionAddress=0x7feff3affa0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,195]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegEnumKeyExA\", Ordinal=0x0, FunctionAddress=0x7feff3b43f0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,196]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, 
FunctionName=\"RegSetValueExA\", Ordinal=0x0, FunctionAddress=0x7feff3b4440) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,197]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegQueryValueExA\", Ordinal=0x0, FunctionAddress=0x7feff3c4060) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,198]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegCloseKey\", Ordinal=0x0, FunctionAddress=0x7feff3c4240) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,199]},"name":"LdrGetProcedureAddress(ModuleName=\"ADVAPI32.dll\", ModuleHandle=0x7feff3a0000, FunctionName=\"RegDeleteValueA\", Ordinal=0x0, FunctionAddress=0x7feff3b0590) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,209]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x228, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,254]},"name":"LdrGetProcedureAddress(ModuleName=\"WININET.dll\", ModuleHandle=0x7feffac0000, FunctionName=\"HttpAddRequestHeadersA\", Ordinal=0x0, FunctionAddress=0x7feffaedec0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,282]},"name":"LdrGetProcedureAddress(ModuleName=\"WININET.dll\", ModuleHandle=0x7feffac0000, FunctionName=\"HttpAddRequestHeadersA\", Ordinal=0x0, FunctionAddress=0x7feffaedec0) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,292]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x77910000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,294]},"name":"LdrGetProcedureAddress(ModuleName=\"ntdll.dll\", ModuleHandle=0x77b40000, FunctionName=\"LdrLoadDll\", Ordinal=0x0, FunctionAddress=0x77c2ada0) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,312]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x7fefe0b0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,442]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1010]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1012]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1014]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1016]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1018]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1020]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, 
SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1022]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1024]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1026]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1028]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1030]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1032]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1034]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1036]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1038]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1040]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1042]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1044]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1046]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1048]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1050]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1052]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1054]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1056]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1058]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1060]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1062]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1064]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1066]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1068]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1070]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1072]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1074]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1076]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1078]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1080]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1082]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1084]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1086]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1088]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1090]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1092]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1094]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1096]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1098]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1100]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1102]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1104]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1106]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1108]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1110]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1112]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1114]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1116]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1118]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1120]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1122]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1124]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1126]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1128]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1130]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1132]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1134]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1136]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1138]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1140]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1142]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1144]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1146]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1148]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1150]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1152]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1154]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1156]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1158]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1160]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1162]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1164]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1166]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1168]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1170]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1172]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1174]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1176]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1178]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1180]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1182]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1184]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1186]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1188]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1190]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1192]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1194]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1196]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1198]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1200]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1202]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1204]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1206]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1208]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1210]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1212]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1214]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1216]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1218]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1220]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1222]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1224]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1226]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1228]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1230]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1232]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1234]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1236]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1238]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1240]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1242]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1244]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1246]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1248]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1250]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1252]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1254]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1256]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1258]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1260]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1262]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1264]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1266]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1268]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1270]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1272]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1274]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1276]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1278]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1280]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1282]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1284]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1286]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1288]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1290]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1292]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1294]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1296]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1298]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1300]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1302]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1304]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1306]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1308]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1310]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1312]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1314]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1316]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1318]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1320]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1322]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1324]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1326]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1328]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1330]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1332]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1334]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1336]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1338]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1340]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1342]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1344]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1346]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1348]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1350]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1352]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1354]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1356]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1358]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1360]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1362]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1364]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1366]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1368]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1370]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1372]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1374]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1376]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1378]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1380]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1382]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1384]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1386]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1388]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1390]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1392]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1394]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1396]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1398]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1400]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1402]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1404]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1406]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1408]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1410]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1412]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1414]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1416]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1418]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1420]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1422]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1424]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1426]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1428]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1430]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1432]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1434]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1436]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1438]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1440]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1442]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1444]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1446]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1448]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1450]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1452]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1454]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1456]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1458]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1460]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1462]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1464]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1466]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1468]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1470]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1472]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1474]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1476]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1478]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1480]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1482]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1484]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1486]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1488]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1490]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1492]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1494]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1496]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1498]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1500]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1502]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1504]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1506]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1508]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1510]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1512]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1514]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1516]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1518]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1520]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1522]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1524]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1526]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1528]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1530]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1532]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1534]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1536]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1538]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1541]},"name":"NtMapViewOfSection(SectionHandle=0x40c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x731fb00, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1543]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1252) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1547]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1276) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1551]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1432) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1555]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1460) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1559]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1468) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1563]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1560) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1567]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1656) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1571]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1720) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1575]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1724) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1579]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1860) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1583]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1700) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1587]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x844) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1591]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2304) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1595]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2324) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1599]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2328) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1603]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2352) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1607]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2416) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1611]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2508) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1615]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2516) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1619]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2572) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1623]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x424) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1627]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x3036) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1630]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2012) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1633]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2716) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1636]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2196) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1676]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1252) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1680]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1276) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1684]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1432) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1688]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1460) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1692]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1468) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1696]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1560) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1700]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1656) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1704]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1720) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1708]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1724) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1712]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1860) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1716]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x1700) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1720]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x844) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1724]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2304) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1728]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2324) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1732]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2328) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1736]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2352) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1740]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2416) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,2544,1744]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2508) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1748]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2516) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1752]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2572) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1756]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x424) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1760]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x3036) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1764]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2012) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1768]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2716) -> 0x0"},{"address":{"type":"call","value":[1200,1248,2544,1772]},"name":"NtOpenThread(ThreadHandle=0x40c, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1248, ThreadId=0x2196) -> 
0x0"}]},{"address":{"type":"thread","value":[1200,1248,1860]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,1860,1812]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.001\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1815]},"name":"RegEnumKey(Handle=0xffffffff80000000, Index=0x2, Name=\".386\", FullName=\"HKEY_CLASSES_ROOT\\.386\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1818]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1824]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.3g2\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3g2\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1826]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".3g2\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3g2\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1827]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.3g2\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3g2\\OpenWithProgids\\VLC.3g2\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1832]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3ga\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1839]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.3gp\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\(Default)\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,1841]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".3gp\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1842]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.3gp\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp\\OpenWithProgids\\VLC.3gp\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1848]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.3gp2\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1850]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".3gp2\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp2\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1851]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.3gp2\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp2\\OpenWithProgids\\VLC.3gp2\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1857]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.3gpp\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1859]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".3gpp\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gpp\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1860]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.3gpp\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gpp\\OpenWithProgids\\VLC.3gpp\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1865]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.669\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1871]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.7z\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1877]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1883]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a52\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1889]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"audio\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1894]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.aac\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1896]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".AAC\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.AAC\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1897]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.aac\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.AAC\\OpenWithProgids\\VLC.aac\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1902]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ac3\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1908]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"audio\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1913]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.adt\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1915]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ADT\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADT\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1916]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.adt\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADT\\OpenWithProgids\\VLC.adt\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1921]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"audio\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,1926]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.adts\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1928]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ADTS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADTS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1929]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.adts\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADTS\\OpenWithProgids\\VLC.adts\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1934]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1942]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.aif\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1944]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".aif\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aif\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1945]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.aif\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aif\\OpenWithProgids\\VLC.aif\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,1952]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.aifc\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1954]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".aifc\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aifc\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1955]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.aifc\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aifc\\OpenWithProgids\\VLC.aifc\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1962]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.aiff\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aiff\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1964]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".aiff\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aiff\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1965]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.aiff\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aiff\\OpenWithProgids\\VLC.aiff\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,1970]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.amr\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,1976]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.amv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1982]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1988]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,1994]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aob\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2000]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ape\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2006]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.application\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2012]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.appref-ms\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2018]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aps\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2024]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.arj\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2030]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2036]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2042]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2048]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ascx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2055]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.asf\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2057]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".asf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2058]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.asf\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asf\\OpenWithProgids\\VLC.asf\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2063]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2068]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\(Default)\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2073]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2078]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2083]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2089]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2094]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2101]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.asx\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2103]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".asx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2104]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.asx\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asx\\OpenWithProgids\\VLC.asx\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2111]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", 
Data=\"VLC.au\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.au\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2113]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".au\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.au\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2114]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.au\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.au\\OpenWithProgids\\VLC.au\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2120]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.avi\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2122]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".avi\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.avi\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2123]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.avi\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.avi\\OpenWithProgids\\VLC.avi\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2128]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.b4s\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2140]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2146]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bik\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2152]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2158]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2164]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2171]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Paint.Picture\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bmp\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2173]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".bmp\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.bmp\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2174]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Paint.Picture\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.bmp\\OpenWithProgids\\Paint.Picture\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2179]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2185]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2191]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bz2\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2197]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2202]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2207]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c2r\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2214]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WinRAR\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2216]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".cab\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.cab\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2217]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WinRAR\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.cab\\OpenWithProgids\\WinRAR\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2222]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.caf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2228]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.camp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2234]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2240]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2246]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2252]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdmp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2258]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2264]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2270]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2276]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,2281]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2287]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2296]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2305]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.compositefont\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2312]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"contact_wab_auto_file\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.contact\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2314]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".contact\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.contact\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2315]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"contact_wab_auto_file\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.contact\\OpenWithProgids\\contact_wab_auto_file\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2322]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,2327]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2332]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2338]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2344]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2350]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2356]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2362]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2368]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2374]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2379]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"CSSfile\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2381]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".css\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.css\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2382]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"CSSfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.css\\OpenWithProgids\\CSSfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2387]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2392]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2397]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cue\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2403]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2409]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2414]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\(Default)\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2419]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2425]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2431]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2437]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2443]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2449]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2454]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2459]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2465]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.desklink\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2471]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagcab\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2477]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagcfg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2483]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagpkg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2490]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Paint.Picture\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2492]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".dib\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dib\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2493]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Paint.Picture\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dib\\OpenWithProgids\\Paint.Picture\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2498]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2504]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.divx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2510]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2515]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2521]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"dllfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2523]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".dll\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dll\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2524]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"dllfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dll\\OpenWithProgids\\dllfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2529]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2536]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2542]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"docxfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2544]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".docx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2545]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"docxfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\OpenWithProgids\\docxfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2550]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2557]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2562]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2568]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2573]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2579]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2585]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2591]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dts\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2597]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2603]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"video\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2608]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"MediaCenter.DVR\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2610]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".DVR\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2611]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"MediaCenter.DVR\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR\\OpenWithProgids\\MediaCenter.DVR\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2617]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.dvr-ms\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2619]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".DVR-MS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR-MS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2620]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.dvr-ms\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR-MS\\OpenWithProgids\\VLC.dvr-ms\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2626]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2628]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".dwfx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dwfx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2629]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dwfx\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2635]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2637]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".easmx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.easmx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,2638]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.easmx\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2644]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2646]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".edrwx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.edrwx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2647]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.edrwx\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2654]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"emffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2656]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".emf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.emf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2657]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"emffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.emf\\OpenWithProgids\\emffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2663]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2665]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".eprtx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.eprtx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2666]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.eprtx\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2671]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2677]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.etp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2683]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evo\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2689]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2695]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2702]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"exefile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2704]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".exe\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2705]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"exefile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\OpenWithProgids\\exefile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2710]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2716]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2722]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ex_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2728]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2734]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.f4v\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2740]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2746]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2752]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fky\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2758]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.flac\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2764]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.flv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2770]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2776]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2783]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"fonfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2785]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".fon\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.fon\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,2786]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"fonfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.fon\\OpenWithProgids\\fonfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2791]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2797]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ghi\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2804]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"giffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2806]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".gif\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2807]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"giffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids\\giffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2812]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2818]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2824]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.grp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2830]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gvi\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2836]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gxf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2842]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2848]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2853]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2858]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2864]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2870]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1F\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2876]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1H\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2882]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2888]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2894]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2900]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1T\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2906]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2912]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2918]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2924]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2930]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,2936]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2941]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2946]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2955]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2962]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ChromeHTML\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.htm\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2964]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".htm\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2965]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ChromeHTML\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\OpenWithProgids\\ChromeHTML\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2971]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ChromeHTML\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.html\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2973]},"name":"RegCreateKeyEx(Registry=0x308, 
SubKey=\".html\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2974]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ChromeHTML\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids\\ChromeHTML\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,2979]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2985]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2991]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,2997]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3002]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3007]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.i\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3013]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,3019]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3025]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3031]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3038]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"icofile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3040]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ico\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ico\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3041]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"icofile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ico\\OpenWithProgids\\icofile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3046]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3052]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3058]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idq\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3064]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ifo\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3070]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3076]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3082]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3088]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3093]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3098]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3104]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3109]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"inifile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3111]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ini\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3112]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"inifile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids\\inifile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3117]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3123]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3129]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3135]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3141]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3147]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.it\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3155]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3160]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3166]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3171]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3176]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3183]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"pjpegfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3185]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".jfif\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jfif\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3186]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"pjpegfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jfif\\OpenWithProgids\\pjpegfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3191]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,3197]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3204]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"jpegfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3206]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".jpe\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpe\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3207]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"jpegfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpe\\OpenWithProgids\\jpegfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3213]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"jpegfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3215]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".jpeg\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpeg\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3216]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"jpegfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpeg\\OpenWithProgids\\jpegfile\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3222]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"jpegfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpg\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3224]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".jpg\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpg\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3225]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"jpegfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpg\\OpenWithProgids\\jpegfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3230]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3236]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3243]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3245]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".jtx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jtx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3246]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", 
BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jtx\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3251]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3257]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3263]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3269]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3275]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lha\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3281]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3287]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.library-ms\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3294]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"lnkfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3296]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".lnk\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, 
Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.lnk\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3297]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"lnkfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.lnk\\OpenWithProgids\\lnkfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3302]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.local\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3307]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3313]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lst\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3319]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3325]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lzh\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3331]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3338]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m1v\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\(Default)\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3340]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".m1v\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m1v\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3341]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m1v\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m1v\\OpenWithProgids\\VLC.m1v\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3347]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m2t\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3349]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".M2T\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2T\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3350]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m2t\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2T\\OpenWithProgids\\VLC.m2t\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3356]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m2ts\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3358]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".M2TS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2TS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3359]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m2ts\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2TS\\OpenWithProgids\\VLC.m2ts\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3365]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m2v\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3367]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".M2V\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2V\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3368]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m2v\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2V\\OpenWithProgids\\VLC.m2v\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3375]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m3u\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3377]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".m3u\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m3u\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3378]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m3u\", 
Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m3u\\OpenWithProgids\\VLC.m3u\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3383]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u8\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3390]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m4a\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3392]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".m4a\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4a\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3393]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m4a\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4a\\OpenWithProgids\\VLC.m4a\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3399]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3405]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m4p\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3407]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".m4p\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4p\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3408]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m4p\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4p\\OpenWithProgids\\VLC.m4p\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3414]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.m4v\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3416]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".m4v\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4v\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3417]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.m4v\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4v\\OpenWithProgids\\VLC.m4v\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3422]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3428]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3434]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.manifest\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3439]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mapimail\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3445]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3452]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"mhtmlfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3454]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mht\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mht\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3455]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"mhtmlfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mht\\OpenWithProgids\\mhtmlfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3461]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"mhtmlfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mhtml\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3463]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mhtml\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mhtml\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3464]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"mhtmlfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mhtml\\OpenWithProgids\\mhtmlfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3471]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mid\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mid\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3473]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mid\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mid\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3474]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mid\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mid\\OpenWithProgids\\VLC.mid\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3481]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WMP11.AssocFile.MIDI\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3483]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".midi\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.midi\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3484]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WMP11.AssocFile.MIDI\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.midi\\OpenWithProgids\\WMP11.AssocFile.MIDI\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3489]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3495]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3501]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mka\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3507]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mkv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3513]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3519]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3525]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mmf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3532]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mod\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3534]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".MOD\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MOD\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3535]},"name":"RegSetValueEx(Handle=0x40c, 
ValueName=\"VLC.mod\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MOD\\OpenWithProgids\\VLC.mod\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3541]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mov\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3543]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mov\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mov\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3544]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mov\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mov\\OpenWithProgids\\VLC.mov\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3549]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3555]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp1\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3562]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mp2\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3564]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mp2\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2\\OpenWithProgids\", 
Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3565]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mp2\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2\\OpenWithProgids\\VLC.mp2\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3571]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mp2v\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2v\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3573]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mp2v\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2v\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3574]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mp2v\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2v\\OpenWithProgids\\VLC.mp2v\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3580]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mp3\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3582]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mp3\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp3\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3583]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mp3\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp3\\OpenWithProgids\\VLC.mp3\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3589]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mp4\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3591]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mp4\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3592]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mp4\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4\\OpenWithProgids\\VLC.mp4\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3598]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mp4v\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3600]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mp4v\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4v\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3601]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mp4v\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4v\\OpenWithProgids\\VLC.mp4v\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3608]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mpa\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3610]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mpa\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpa\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3611]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mpa\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpa\\OpenWithProgids\\VLC.mpa\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3616]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3623]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mpe\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3625]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mpe\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpe\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3626]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mpe\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpe\\OpenWithProgids\\VLC.mpe\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3632]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mpeg\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg\\(Default)\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3634]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mpeg\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpeg\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3635]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mpeg\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpeg\\OpenWithProgids\\VLC.mpeg\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3640]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg1\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3646]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg2\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3652]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg4\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3659]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mpg\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpg\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3661]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mpg\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpg\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3662]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mpg\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpg\\OpenWithProgids\\VLC.mpg\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3667]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpga\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3674]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mpv2\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3676]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".mpv2\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpv2\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3677]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mpv2\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpv2\\OpenWithProgids\\VLC.mpv2\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3682]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3688]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3695]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3703]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3709]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msrcincident\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3715]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msstyles\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3721]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3728]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.mts\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3730]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".MTS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MTS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3731]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.mts\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MTS\\OpenWithProgids\\VLC.mts\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3736]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mtv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3742]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,3748]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mxf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3754]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3760]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3766]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3772]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3778]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nsv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3784]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nuv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3790]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3795]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3800]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3807]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ocxfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3809]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ocx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ocx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3810]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ocxfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ocx\\OpenWithProgids\\ocxfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3815]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3821]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3827]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3833]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3840]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"odtfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odt\\(Default)\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,3842]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".odt\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.odt\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3843]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"odtfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.odt\\OpenWithProgids\\odtfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3848]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oga\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3854]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3860]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3866]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3872]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3878]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oma\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3884]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.opus\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3890]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3897]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"otffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3899]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".otf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.otf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3900]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"otffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.otf\\OpenWithProgids\\otffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,3905]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oxps\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3911]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3917]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p12\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3923]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,3929]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3935]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7m\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3941]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3947]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3953]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pbk\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3959]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3965]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3971]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3977]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3983]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.perfmoncfg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3989]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,3995]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4001]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4006]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4011]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4020]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pko\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4026]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4031]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4036]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,4041]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4046]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pls\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4052]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4058]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4064]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4070]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmr\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4076]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4083]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"pngfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4085]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".png\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,4086]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"pngfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids\\pngfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4092]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4097]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppk\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4103]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4110]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4115]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4121]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4127]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.printerExport\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4133]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4139]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4145]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"Text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4150]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Microsoft.PowerShellXMLData.1\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4152]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ps1xml\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ps1xml\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4153]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Microsoft.PowerShellXMLData.1\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ps1xml\\OpenWithProgids\\Microsoft.PowerShellXMLData.1\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4158]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4164]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4170]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4176]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4182]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4188]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4194]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4200]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyo\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4206]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4212]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4218]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyzw\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4224]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qcp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4230]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4236]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r00\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4242]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r01\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4248]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r02\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4254]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r03\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4260]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r04\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4266]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r05\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4272]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r06\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4278]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r07\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4284]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r08\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4290]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r09\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4296]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r10\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4302]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r11\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4308]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r12\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4314]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r13\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4320]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r14\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4326]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r15\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4332]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r16\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4338]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r17\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4344]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r18\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4350]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r19\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4356]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r20\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4362]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r21\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4368]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r22\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4374]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r23\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4380]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r24\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4386]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r25\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4392]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r26\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4398]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r27\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4404]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r28\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4410]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r29\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4416]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ra\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4422]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ram\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4428]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rar\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4434]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rat\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4440]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4446]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4452]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4458]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4464]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rec\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4467]},"name":"RegEnumKey(Handle=0xffffffff80000000, Index=0x395, Name=\".reg\", FullName=\"HKEY_CLASSES_ROOT\\.reg\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4468]},"name":"RegOpenKeyEx(Registry=0xffffffff80000000, SubKey=\"SystemFileAssociations\\.reg\", Handle=0x0, FullName=\"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.reg\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4473]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4479]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.resmoncfg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4485]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rev\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4491]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rgs\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4498]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"rlefile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4500]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".rle\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rle\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4501]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"rlefile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rle\\OpenWithProgids\\rlefile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4506]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4512]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4520]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.rmi\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmi\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4522]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".rmi\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rmi\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4523]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.rmi\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rmi\\OpenWithProgids\\VLC.rmi\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4528]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmvb\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4534]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4540]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4546]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4553]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"rtffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4555]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".rtf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rtf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4556]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"rtffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rtf\\OpenWithProgids\\rtffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4561]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4567]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4573]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s3m\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4579]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4585]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4591]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4597]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4604]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"SHCmdFile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4606]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".scf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.scf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4607]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"SHCmdFile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.scf\\OpenWithProgids\\SHCmdFile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4612]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4618]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4627]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4633]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sdp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4640]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"SearchFolder\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.search-ms\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4642]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".search-ms\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.search-ms\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4643]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"SearchFolder\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.search-ms\\OpenWithProgids\\SearchFolder\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4648]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.searchConnector-ms\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4654]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,4659]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4664]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sfcache\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4670]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4676]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.shtml\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4681]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ChromeHTML\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.shtml\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4683]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".shtml\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.shtml\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4684]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ChromeHTML\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.shtml\\OpenWithProgids\\ChromeHTML\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4689]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4695]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.slupkg-ms\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4703]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.snd\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.snd\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4705]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".snd\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.snd\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4706]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.snd\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.snd\\OpenWithProgids\\VLC.snd\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4711]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sol\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4717]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4723]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4729]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4735]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4740]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4745]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4751]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4757]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4763]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4769]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4775]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.svg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4781]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4787]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sym\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4793]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.symlink\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4800]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"sysfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4802]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".sys\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sys\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4803]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"sysfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sys\\OpenWithProgids\\sysfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4808]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4814]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4820]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tar\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4826]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.taz\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4832]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tbz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4838]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tbz2\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4844]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tdl\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4851]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.text\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4856]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4862]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4868]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.themepack\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4874]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.thp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4881]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"TIFImage.Document\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4883]},"name":"RegCreateKeyEx(Registry=0x308, 
SubKey=\".tif\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tif\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4884]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"TIFImage.Document\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tif\\OpenWithProgids\\TIFImage.Document\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4890]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"TIFImage.Document\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4892]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".tiff\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tiff\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4893]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"TIFImage.Document\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tiff\\OpenWithProgids\\TIFImage.Document\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4898]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4904]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlh\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4910]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4916]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4922]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tod\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4928]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4934]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4941]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.ts\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4943]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".TS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4944]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.ts\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TS\\OpenWithProgids\\VLC.ts\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4949]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,4955]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4960]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4965]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tta\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,4972]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ttcfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4974]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ttc\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttc\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4975]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ttcfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttc\\OpenWithProgids\\ttcfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4981]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"ttffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4983]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".ttf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttf\\OpenWithProgids\", 
Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4984]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"ttffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttf\\OpenWithProgids\\ttffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4990]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.tts\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4992]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".TTS\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TTS\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4993]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.tts\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TTS\\OpenWithProgids\\VLC.tts\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,4999]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"txtfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5001]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".txt\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5002]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"txtfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids\\txtfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5007]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5013]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5019]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5025]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5031]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5037]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5043]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.usr\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5049]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.uu\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5055]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.uue\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,5061]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5067]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5073]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5079]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5085]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5091]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5097]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5103]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vlc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5110]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.vob\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5112]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".vob\\OpenWithProgids\", 
Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.vob\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5113]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.vob\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.vob\\OpenWithProgids\\VLC.vob\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5118]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.voc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5124]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vqf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5130]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vro\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5136]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5142]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5148]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5154]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"system\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,5159]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.w64\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5165]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5172]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wav\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5174]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wav\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5175]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wav\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids\\VLC.wav\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5182]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WMP11.AssocFile.WAX\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5184]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wax\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wax\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5185]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WMP11.AssocFile.WAX\", Type=REG_NONE, Buffer=\"\", 
BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wax\\OpenWithProgids\\WMP11.AssocFile.WAX\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5190]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5196]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5203]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"wdpfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5205]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wdp\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wdp\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5206]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"wdpfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wdp\\OpenWithProgids\\wdpfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5211]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5217]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5223]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5229]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5235]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5243]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WMP11.AssocFile.ASF\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5245]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wm\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wm\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5246]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WMP11.AssocFile.ASF\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wm\\OpenWithProgids\\WMP11.AssocFile.ASF\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5252]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wma\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5254]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wma\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wma\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,5255]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wma\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wma\\OpenWithProgids\\VLC.wma\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5260]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5266]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmdb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5274]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"wmffile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5276]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wmf\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmf\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5277]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"wmffile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmf\\OpenWithProgids\\wmffile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5282]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmp\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5288]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,5295]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wmv\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmv\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5297]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wmv\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmv\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5298]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wmv\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmv\\OpenWithProgids\\VLC.wmv\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5305]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WMP11.AssocFile.ASX\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5307]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wmx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5308]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WMP11.AssocFile.ASX\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmx\\OpenWithProgids\\WMP11.AssocFile.ASX\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5313]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\PerceivedType\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,5319]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"audio\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5324]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wpl\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5326]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wpl\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wpl\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5327]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wpl\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wpl\\OpenWithProgids\\VLC.wpl\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5333]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5338]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5344]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5350]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5356]},"name":"RegQueryValueEx(Handle=0x40e, 
ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsz\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5363]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wtv\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5365]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".WTV\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.WTV\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5366]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wtv\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.WTV\\OpenWithProgids\\VLC.wtv\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5371]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5377]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wv\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5385]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"VLC.wvx\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5387]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".wvx\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wvx\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1860,5388]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"VLC.wvx\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wvx\\OpenWithProgids\\VLC.wvx\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5393]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5398]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5403]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xa\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5409]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5415]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5421]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xesc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5427]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.xht\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5433]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\.xhtml\\PerceivedType\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1860,5439]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xix\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5445]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlb\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5451]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlc\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5458]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5464]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlt\\(Default)\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5469]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xm\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5476]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"xmlfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5478]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".xml\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xml\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5479]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"xmlfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, 
FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xml\\OpenWithProgids\\xmlfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5485]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"Windows.XPSReachViewer\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5487]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".xps\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xps\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5488]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"Windows.XPSReachViewer\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xps\\OpenWithProgids\\Windows.XPSReachViewer\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5493]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5499]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5505]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"text\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5510]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"xslfile\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5512]},"name":"RegCreateKeyEx(Registry=0x308, 
SubKey=\".xsl\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xsl\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5513]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"xslfile\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xsl\\OpenWithProgids\\xslfile\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5518]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xslt\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5524]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xspf\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5530]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xxe\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5536]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xz\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5542]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", Data=\"compressed\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z\\PerceivedType\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5548]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5554]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", 
FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zfsendtotarget\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5561]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"\", Data=\"WinRAR.ZIP\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5563]},"name":"RegCreateKeyEx(Registry=0x308, SubKey=\".zip\\OpenWithProgids\", Class=\"\", Access=KEY_SET_VALUE, Handle=0x40c, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.zip\\OpenWithProgids\", Disposition=REG_OPENED_EXISTING_KEY) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5564]},"name":"RegSetValueEx(Handle=0x40c, ValueName=\"WinRAR.ZIP\", Type=REG_NONE, Buffer=\"\", BufferLength=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.zip\\OpenWithProgids\\WinRAR.ZIP\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1860,5569]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zipx\\PerceivedType\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1860,5575]},"name":"RegQueryValueEx(Handle=0x40e, ValueName=\"PerceivedType\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zpl\\PerceivedType\") -> 0x2"}]},{"address":{"type":"thread","value":[1200,1248,1656]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,1656,5602]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,5605]},"name":"NtOpenProcess(ProcessHandle=0x140, DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x2360) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,5615]},"name":"NtOpenProcess(ProcessHandle=0x140, 
DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x2360) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,5617]},"name":"NtOpenProcess(ProcessHandle=0x140, DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x2360) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,5626]},"name":"NtOpenProcess(ProcessHandle=0x140, DesiredAccess=PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2360) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,6112]},"name":"CoCreateInstance(rclsid=\"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8\", ClsContext=CLSCTX_INPROC_SERVER, riid=\"BBD20037-BC0E-42F1-913F-E2936BB0EA0C\", ProgID=\"\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,6115]},"name":"NtOpenProcess(ProcessHandle=0xac0, DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x1572) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,6125]},"name":"NtOpenProcess(ProcessHandle=0xac0, DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x1572) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,6127]},"name":"NtOpenProcess(ProcessHandle=0xac0, DesiredAccess=PROCESS_QUERY_LIMITED_INFORMATION, ProcessIdentifier=0x1572) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1656,6136]},"name":"NtOpenProcess(ProcessHandle=0xac0, DesiredAccess=PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1572) -> 0x0"}]},{"address":{"type":"thread","value":[1200,1248,732]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,732,5904]},"name":"NtCreateFile(FileHandle=0x544, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\SysWOW64\\WerFault.exe\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_DELETE, FileAttributes=0x0, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,732,5906]},"name":"NtMapViewOfSection(SectionHandle=0x588, 
ProcessHandle=0xffffffffffffffff, BaseAddress=0x3760000, SectionOffset=0x0, ViewSize=0x5b000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x4000000e"},{"address":{"type":"call","value":[1200,1248,732,6171]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0xac0, Options=0x2) -> 0x0"}]},{"address":{"type":"thread","value":[1200,1248,2304]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,2304,6012]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Control Panel\\Personalization\\Desktop Slideshow\", Handle=0x564, FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2304,6019]},"name":"NtCreateFile(FileHandle=0x1, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Users\\comp\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\slideshow.ini\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, FileAttributes=0x0, ExistedBefore=\"no\", StackPivoted=\"no\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1200,1248,2304,6020]},"name":"RegQueryValueEx(Handle=0x564, ValueName=\"Interval\", FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,2304,6021]},"name":"RegQueryValueEx(Handle=0x564, ValueName=\"Shuffle\", FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,2304,6022]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Control Panel\\Personalization\\Desktop Slideshow\", Handle=0x544, FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2304,6023]},"name":"RegQueryValueEx(Handle=0x544, 
ValueName=\"AnimationDuration\", FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,2304,6025]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Control Panel\\Personalization\\Desktop Slideshow\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Control Panel\\Personalization\\Desktop Slideshow\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,2304,6026]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Control Panel\\Personalization\\Desktop Slideshow\", Handle=0x544, FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,2304,6027]},"name":"RegQueryValueEx(Handle=0x544, ValueName=\"Flags\", FullName=\"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Flags\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,2304,6029]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Control Panel\\Personalization\\Desktop Slideshow\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Control Panel\\Personalization\\Desktop Slideshow\") -> 0x2"}]},{"address":{"type":"thread","value":[1200,1248,1560]},"matched_calls":[{"address":{"type":"call","value":[1200,1248,1560,6221]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"\", Data=\"%SystemRoot%\\System32\\netshell.dll\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6222]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"LoadWithoutCOM\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6225]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, 
SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6227]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"SortOrderIndex\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6229]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6230]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6232]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"SortOrderIndex\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6234]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, 
FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6235]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6237]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"System.ItemNameDisplay\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6240]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6242]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6243]},"name":"NtOpenProcess(ProcessHandle=0x544, DesiredAccess=PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1248) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6245]},"name":"RegOpenKeyEx(Registry=0x168, SubKey=\"SessionInfo\\1\", Handle=0x544, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1560,6246]},"name":"RegOpenKeyEx(Registry=0x544, SubKey=\"ControlPanel\\NameSpace\\NameCustomizations\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ControlPanel\\NameSpace\\NameCustomizations\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6248]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6250]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"LocalizedString\", Data=\"@%SystemRoot%\\system32\\prnfldr.dll,-8036\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6251]},"name":"NtOpenKey(KeyHandle=0x588, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6252]},"name":"NtQueryValueKey(KeyHandle=0x588, ValueName=\"StringCacheGeneration\", Type=REG_DWORD, Information=0x7, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6254]},"name":"NtOpenKey(KeyHandle=0x588, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000\", ObjectAttributes=\"HKEY_CURRENT_USER\") -> 
0x0"},{"address":{"type":"call","value":[1200,1248,1560,6255]},"name":"NtOpenKey(KeyHandle=0x548, DesiredAccess=KEY_READ|KEY_WRITE, ObjectAttributesHandle=0x588, ObjectAttributesName=\"Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6257]},"name":"NtSetValueKey(KeyHandle=0x548, ValueName=\"LanguageList\", Type=REG_MULTI_SZ, Buffer=\"\\x00\\x00\", BufferLength=0x20, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\LanguageList\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6258]},"name":"NtQueryValueKey(KeyHandle=0x548, ValueName=\"@C:\\Windows\\system32\\prnfldr.dll,-8036\", Type=REG_SZ, Information=\"Printers\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6262]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"System.ItemNameDisplay\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6265]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6267]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1560,6268]},"name":"NtOpenProcess(ProcessHandle=0x544, DesiredAccess=PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x1248) -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6270]},"name":"RegOpenKeyEx(Registry=0x168, SubKey=\"SessionInfo\\1\", Handle=0x544, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6271]},"name":"RegOpenKeyEx(Registry=0x544, SubKey=\"ControlPanel\\NameSpace\\NameCustomizations\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ControlPanel\\NameSpace\\NameCustomizations\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6273]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6275]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"LocalizedString\", Data=\"@%SystemRoot%\\system32\\netshell.dll,-1200\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6276]},"name":"NtOpenKey(KeyHandle=0x548, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6277]},"name":"NtQueryValueKey(KeyHandle=0x548, ValueName=\"StringCacheGeneration\", Type=REG_DWORD, Information=0x7, 
FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6279]},"name":"NtOpenKey(KeyHandle=0x548, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000\", ObjectAttributes=\"HKEY_CURRENT_USER\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6280]},"name":"NtOpenKey(KeyHandle=0x588, DesiredAccess=KEY_READ|KEY_WRITE, ObjectAttributesHandle=0x548, ObjectAttributesName=\"Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6282]},"name":"NtSetValueKey(KeyHandle=0x588, ValueName=\"LanguageList\", Type=REG_MULTI_SZ, Buffer=\"\\x00\\x00\", BufferLength=0x20, FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\LanguageList\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6283]},"name":"NtQueryValueKey(KeyHandle=0x588, ValueName=\"@C:\\Windows\\system32\\netshell.dll,-1200\", Type=REG_SZ, Information=\"Network Connections\", FullName=\"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6287]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"\", Data=\"%SystemRoot%\\System32\\netshell.dll\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)\") -> 0x0"},{"address":{"type":"call","value":[1200,1248,1560,6288]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"LoadWithoutCOM\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM\") -> 
0x2"},{"address":{"type":"call","value":[1200,1248,1560,6291]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6293]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"SortOrderIndex\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6295]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\", Handle=0x0, FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6296]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6298]},"name":"RegQueryValueEx(Handle=0x546, ValueName=\"SortOrderIndex\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6300]},"name":"RegOpenKeyEx(Registry=0xffffffff80000002, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, 
FullName=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"},{"address":{"type":"call","value":[1200,1248,1560,6301]},"name":"RegOpenKeyEx(Registry=0xffffffff80000001, SubKey=\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\", Handle=0x0, FullName=\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\") -> 0x2"}]}]},{"address":{"type":"process","value":[1248,1680]},"name":"pyw.exe","matched_threads":[{"address":{"type":"thread","value":[1248,1680,3044]},"matched_calls":[{"address":{"type":"call","value":[1248,1680,3044,37]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,129]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,183]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x11c, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,215]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x190000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,238]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf884, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,242]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,244]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,246]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,248]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,250]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,252]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,254]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,256]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,258]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,260]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,262]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,264]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,266]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,268]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,270]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,272]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,274]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,276]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,278]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,280]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,282]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,284]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,286]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,288]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,290]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,292]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,294]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,296]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,298]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,300]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,302]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,304]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,306]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,308]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,310]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,312]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,314]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,316]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,318]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,320]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,322]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,324]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,326]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,328]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,330]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,332]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,334]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,336]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,338]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,340]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,342]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,344]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,346]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,348]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,350]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,352]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,354]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,356]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,358]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,360]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,362]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,364]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,366]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,368]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,370]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,372]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,374]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,376]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,378]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,380]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,382]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,384]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,386]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,388]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,390]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,392]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,394]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,396]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,398]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,400]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,402]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,404]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,406]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,408]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,410]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,412]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,414]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,416]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,418]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,420]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,422]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,424]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,426]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,428]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,430]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,432]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,434]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,436]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,438]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,440]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,442]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,444]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,446]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,448]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,450]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,452]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,454]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,456]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,458]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,460]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,462]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,464]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,466]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,468]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,470]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,472]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,474]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,476]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,478]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,480]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,482]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,484]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,486]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,488]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,490]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,492]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,494]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,496]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,498]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,500]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,502]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,504]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,506]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,508]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,510]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,512]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,514]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,516]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,518]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,520]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,522]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,524]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,526]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,528]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,530]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,532]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,534]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,536]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,538]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,540]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,542]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,544]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,546]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,548]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,550]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,552]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,554]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,556]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,558]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,560]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,562]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,564]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,566]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,568]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,570]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,572]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,574]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,576]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,578]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,580]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,582]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,584]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,586]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,588]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,590]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,592]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,594]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,596]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,598]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,600]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,602]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,604]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,606]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,608]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,610]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,612]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,614]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,616]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,618]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,620]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,622]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,624]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,626]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,628]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,630]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,632]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,634]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,636]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,638]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,640]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,642]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,644]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,646]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,648]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,650]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,652]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,654]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,656]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,658]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,660]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,662]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,664]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,666]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,668]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,670]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,672]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,674]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,676]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,678]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,680]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,682]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,684]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,686]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,688]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,690]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,692]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,694]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,696]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,698]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,700]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,702]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,704]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,706]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,708]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,710]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,712]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,714]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,716]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,718]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,720]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,722]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,724]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,726]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,728]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,730]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,732]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,734]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,736]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,738]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,740]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,742]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,744]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,746]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,748]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,750]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,752]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,754]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,756]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,758]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,760]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,762]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,764]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,766]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,768]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,770]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,772]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,774]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,776]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,778]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,780]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,782]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,784]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,786]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,788]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,790]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,792]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,794]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,796]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,798]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,800]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,802]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,804]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,806]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,808]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,810]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,812]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,814]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,816]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,818]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,820]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,822]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,824]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,826]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,828]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,830]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,832]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,834]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,836]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,838]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,840]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,842]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,844]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,846]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,848]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,850]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,852]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,854]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,856]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,858]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,860]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,862]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,864]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,866]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,868]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,870]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,872]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,874]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,876]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,878]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,880]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,882]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,884]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,886]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,888]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,890]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,892]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,894]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,896]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,898]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,900]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,902]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, 
BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,904]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,906]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,908]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,910]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,912]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,914]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,916]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,918]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,920]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,922]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,924]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,926]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,928]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,930]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,932]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,934]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,936]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,938]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,940]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,942]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,944]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,946]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,948]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,950]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,952]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,954]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,956]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,958]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,960]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,962]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,964]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,966]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,968]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,970]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,972]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,974]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,976]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,978]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,980]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, 
ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,982]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,984]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,986]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,988]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,990]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,992]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,994]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,996]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, 
SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,998]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1000]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1002]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1004]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1006]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1008]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1010]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1012]},"name":"NtMapViewOfSection(SectionHandle=0x178, 
ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1014]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1016]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1018]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1020]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1022]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1024]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1026]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,1028]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1030]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1032]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1034]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1036]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1038]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1040]},"name":"NtMapViewOfSection(SectionHandle=0x178, ProcessHandle=0xffffffff, BaseAddress=0x2e0000, SectionOffset=0x6cf888, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1042]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, 
ThreadId=0x1684) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1046]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2632) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1050]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2628) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1054]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2880) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1058]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2600) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1062]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2128) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1066]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2864) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1086]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x1684) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1090]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2632) -> 
0x0"},{"address":{"type":"call","value":[1248,1680,3044,1094]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2628) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1098]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2880) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1102]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2600) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1106]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2128) -> 0x0"},{"address":{"type":"call","value":[1248,1680,3044,1110]},"name":"NtOpenThread(ThreadHandle=0x178, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1680, ThreadId=0x2864) -> 0x0"}]},{"address":{"type":"thread","value":[1248,1680,552]},"matched_calls":[{"address":{"type":"call","value":[1248,1680,552,1138]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x11c, Options=0x2) -> 0x0"}]}]},{"address":{"type":"process","value":[1852,2420]},"name":"jxoqwn.exe","matched_threads":[{"address":{"type":"thread","value":[1852,2420,2524]},"matched_calls":[{"address":{"type":"call","value":[1852,2420,2524,8]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x44a0000, RegionSize=0xc0000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,9]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, 
BaseAddress=0x44a0000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,24]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,25]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2420,2524,27]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,28]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2420,2524,30]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,31]},"name":"NtOpenKey(KeyHandle=0xdc, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 
0x0"},{"address":{"type":"call","value":[1852,2420,2524,32]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,33]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,34]},"name":"NtQueryValueKey(KeyHandle=0xd8, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,129]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[1852,2420,2524,130]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,131]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x800000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,132]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,133]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x270000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2420,2524,137]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,141]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x3730000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,208]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2420,2524,258]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2420,2524,259]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2420,2524,261]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2420,2524,263]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2420,2524,264]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2420,2524,283]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"}]}]},{"address":{"type":"process","value":[2820,2360]},"name":"WerFault.exe","matched_threads":[{"address":{"type":"thread","value":[2820,2360,1884]},"matched_calls":[{"address":{"type":"call","value":[2820,2360,1884,50]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x533000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[2820,2360,1788]},"matched_calls":[{"address":{"type":"call","value":[2820,2360,1788,92]},"name":"NtOpenProcess(ProcessHandle=0x118, DesiredAccess=PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x2420) -> 0x0"},{"address":{"type":"call","value":[2820,2360,1788,128]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x5d9000, RegionSize=0x11000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,2360,1788,165]},"name":"NtOpenKey(KeyHandle=0x60, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[2820,2360,1788,166]},"name":"NtQueryValueKey(KeyHandle=0x60, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]}]},{"address":{"type":"process","value":[1852,2724]},"name":"schtasks.exe","matched_threads":[{"address":{"type":"thread","value":[1852,2724,1816]},"matched_calls":[{"address":{"type":"call","value":[1852,2724,1816,18]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> 
INVALID_HANDLE"},{"address":{"type":"call","value":[1852,2724,1816,22]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x173000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,25]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x174000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,26]},"name":"NtOpenKey(KeyHandle=0xec, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,27]},"name":"NtQueryValueKey(KeyHandle=0xec, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,35]},"name":"NtQueryValueKey(KeyHandle=0x30, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2724,1816,39]},"name":"NtCreateFile(FileHandle=0xec, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,41]},"name":"NtMapViewOfSection(SectionHandle=0xe4, ProcessHandle=0xffffffff, BaseAddress=0x3fc0000, SectionOffset=0x1ef500, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,1816,44]},"name":"NtOpenKey(KeyHandle=0xec, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,45]},"name":"NtQueryValueKey(KeyHandle=0xec, ValueName=\"Disable\", Type=REG_DWORD, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,54]},"name":"NtOpenFile(FileHandle=0xe0, DesiredAccess=FILE_READ_ACCESS|SYNCHRONIZE, FileName=\"\\Device\\KsecDD\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,55]},"name":"DeviceIoControl(DeviceHandle=0xe0, IoControlCode=IOCTL_KSEC_RANDOM_FILL_BUFFER, InBuffer=\"\", OutBuffer=\"\n\\xf6\\xae\\xcc\\xb9\\xf4\\xf0H\\xb8^\\xa2\\x8b\\x00C|p\\xa8\\x89\\xe52\\xae\\xf1\\xcb\\xc8\\x11\\xba\\x8eC\\xde\\x7f\\xb2\\xe4\\x8b\\x1c\\xae*\\x1b\\xf5\\xee\\x02\\xfa\\xe3\\xf77\\xeeE\\x8dD\") -> 0x1"},{"address":{"type":"call","value":[1852,2724,1816,56]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x608000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,60]},"name":"NtMapViewOfSection(SectionHandle=0xfc, ProcessHandle=0xffffffff, BaseAddress=0x4290000, SectionOffset=0x1ec9ec, ViewSize=0xdf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,63]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4461000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,1816,64]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4465000, RegionSize=0x11000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,65]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4476000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,66]},"name":"DeviceIoControl(DeviceHandle=0xe0, IoControlCode=IOCTL_KSEC_RANDOM_FILL_BUFFER, InBuffer=\"\", OutBuffer=\"(#\"\\xe3\\x18\\xa6wT\\xf9l\\xc00\\xbc~\\x04X\\xf3<\\xd4I7\\x92\\xd4\\x9d\\x90n0W\\x18\\x0b\\x84\\xf6\\x13\\xe4\\xd4\\xd6\\xd1\\xff\\xa6[\\x1bD\\xd4m\\xb7\\xd8\\xa3!\") -> 0x1"},{"address":{"type":"call","value":[1852,2724,1816,76]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x616000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,77]},"name":"NtOpenKey(KeyHandle=0x134, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,85]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x617000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,86]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x618000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,95]},"name":"NtOpenKey(KeyHandle=0x144, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, 
ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,96]},"name":"NtQueryValueKey(KeyHandle=0x144, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,106]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x175000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,969]},"name":"NtOpenKey(KeyHandle=0x68, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,1816,970]},"name":"NtQueryValueKey(KeyHandle=0x68, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[1852,2724,2016]},"matched_calls":[{"address":{"type":"call","value":[1852,2724,2016,138]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,231]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,284]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, 
TargetHandle=0x160, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,285]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x643000, RegionSize=0x6000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,314]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x740000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,337]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6cc, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,339]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,341]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,343]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,345]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,347]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,349]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,351]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,353]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,355]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,357]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,359]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,361]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,363]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,365]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,367]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,369]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,371]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,373]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,375]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,377]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,379]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,381]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,383]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,385]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,387]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,389]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,391]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,393]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,395]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,397]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,399]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,401]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,403]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,405]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,407]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,409]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,411]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,413]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,415]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,417]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,419]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,421]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,423]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,425]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,427]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,429]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,431]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,433]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,435]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,437]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,439]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,441]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,443]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,445]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,447]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,449]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,451]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,453]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,455]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,457]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,459]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,461]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,463]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,465]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,467]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,469]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,471]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,473]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,475]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,477]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,479]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,481]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,483]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,485]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,487]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,489]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,491]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,493]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,495]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,497]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,499]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,501]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,503]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,505]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,507]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,509]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,511]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,513]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,515]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,517]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,519]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,521]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,523]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,525]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,527]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,529]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,531]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,533]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,535]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,537]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,539]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,541]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,543]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,545]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,547]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,549]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,551]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,553]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,555]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,557]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,559]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,561]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,563]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,565]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,567]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,569]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,571]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,573]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,575]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,577]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,579]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,581]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,583]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,585]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,587]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,589]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,591]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,593]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,595]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,597]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,599]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,601]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,603]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,605]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,607]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,609]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,611]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,613]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,615]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,617]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,619]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,621]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,623]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,625]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,627]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,629]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,631]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,633]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,635]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,637]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,639]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,641]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,643]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,645]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,647]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,649]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,651]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,653]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,655]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,657]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,659]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,661]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,663]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,665]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,667]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,669]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,671]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,673]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,675]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,677]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,679]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,681]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,683]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,685]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,687]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,689]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,691]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,693]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,695]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,697]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,699]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,701]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,703]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,705]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,707]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,709]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,711]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,713]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,715]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,717]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,719]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,721]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,723]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,725]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,727]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,729]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,731]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,733]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,735]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,737]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,739]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,741]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,743]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,745]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,747]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,749]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,751]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,753]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,755]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,757]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,759]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,761]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,763]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,765]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,767]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,769]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,771]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,773]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,775]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,777]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,779]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,781]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,783]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,785]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, 
SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,787]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,789]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,791]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,793]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,795]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,797]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,799]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,801]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, 
ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,803]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,805]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,807]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,809]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,811]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,813]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,815]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2724,2016,817]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,819]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,821]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,823]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,825]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,827]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,829]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,831]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,833]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,835]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,837]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,839]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,841]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,843]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,845]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,847]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,849]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,851]},"name":"NtMapViewOfSection(SectionHandle=0x1a8, ProcessHandle=0xffffffff, BaseAddress=0x750000, SectionOffset=0x451f6d0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,853]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1816) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,857]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x3008) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,861]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x2988) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,865]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1428) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,869]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1640) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,873]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, 
ThreadId=0x2308) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,877]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1896) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,897]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1816) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,901]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x3008) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,905]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x2988) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,909]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1428) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,913]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1640) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,917]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x2308) -> 0x0"},{"address":{"type":"call","value":[1852,2724,2016,921]},"name":"NtOpenThread(ThreadHandle=0x1a8, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2724, ThreadId=0x1896) -> 
0x0"}]}]},{"address":{"type":"process","value":[1852,2800]},"name":"schtasks.exe","matched_threads":[{"address":{"type":"thread","value":[1852,2800,640]},"matched_calls":[{"address":{"type":"call","value":[1852,2800,640,11]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[1852,2800,640,15]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4c3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,17]},"name":"NtOpenKey(KeyHandle=0xec, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,18]},"name":"NtQueryValueKey(KeyHandle=0xec, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,27]},"name":"NtQueryValueKey(KeyHandle=0x30, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2800,640,31]},"name":"NtCreateFile(FileHandle=0xec, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,33]},"name":"NtMapViewOfSection(SectionHandle=0xe8, 
ProcessHandle=0xffffffff, BaseAddress=0x41b0000, SectionOffset=0x1df720, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,36]},"name":"NtOpenKey(KeyHandle=0xec, DesiredAccess=KEY_QUERY_VALUE, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\WMR\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,37]},"name":"NtQueryValueKey(KeyHandle=0xec, ValueName=\"Disable\", Type=REG_DWORD, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,46]},"name":"NtOpenFile(FileHandle=0xe4, DesiredAccess=FILE_READ_ACCESS|SYNCHRONIZE, FileName=\"\\Device\\KsecDD\", ShareAccess=FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE) -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,47]},"name":"DeviceIoControl(DeviceHandle=0xe4, IoControlCode=IOCTL_KSEC_RANDOM_FILL_BUFFER, InBuffer=\"\", OutBuffer=\"\\x8bnx2\\xd9\\xb71t\\x963zh6\\x88\\x18\\xc82\\xeaC\\xa3{\\x01C\\x91\\x8f\\x855+\t\\xb7\\xdfR\\xcd\\x00\\x01_\\xfcQ\\x90N7\\xa7f\\xb8\\x14\\xb3w|\") -> 0x1"},{"address":{"type":"call","value":[1852,2800,640,48]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x318000, RegionSize=0x4000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,52]},"name":"NtMapViewOfSection(SectionHandle=0xfc, ProcessHandle=0xffffffff, BaseAddress=0x4480000, SectionOffset=0x1dcc0c, ViewSize=0xdf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,55]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x45c1000, RegionSize=0x4000, Protection=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,56]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x45c5000, RegionSize=0x11000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,57]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x45d6000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,58]},"name":"DeviceIoControl(DeviceHandle=0xe4, IoControlCode=IOCTL_KSEC_RANDOM_FILL_BUFFER, InBuffer=\"\", OutBuffer=\"]\\xfa\\xfe\\x02\\xcd\\xbf\\x8a\\xbfb=\\xe1\\xb0AfZa\\xb8A\\xd3\\xec\\xbaA\\xab\\xb04\\xecx\\x00\\xabV\\x10k \\x1f\\xc7QH\\x06e\\xb6W\\xb1\\x9a\\x03\\x9a\\xb7\\xf2\\x16\") -> 0x1"},{"address":{"type":"call","value":[1852,2800,640,68]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x326000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,69]},"name":"NtOpenKey(KeyHandle=0x134, DesiredAccess=MAXIMUM_ALLOWED, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\User\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\", ObjectAttributes=\"HKEY_CURRENT_USER\\Software\\Classes\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,77]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x327000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,78]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x328000, RegionSize=0x2000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,87]},"name":"NtOpenKey(KeyHandle=0x144, DesiredAccess=KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED, ObjectAttributesHandle=0x0, 
ObjectAttributesName=\"\\Registry\\Machine\\Software\\Policies\\Microsoft\\SQMClient\\Windows\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,88]},"name":"NtQueryValueKey(KeyHandle=0x144, ValueName=\"CEIPEnable\", Type=REG_DWORD, Information=0x0, FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,90]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4c4000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,99]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4c5000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,1236]},"name":"NtOpenKey(KeyHandle=0x68, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,640,1237]},"name":"NtQueryValueKey(KeyHandle=0x68, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[1852,2800,3044]},"matched_calls":[{"address":{"type":"call","value":[1852,2800,3044,131]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,224]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, 
FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,277]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x160, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,304]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x410000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,327]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f61c, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,331]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,333]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,335]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,337]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,339]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,341]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,343]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,345]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,347]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,349]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,351]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,353]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,355]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,357]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,359]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,361]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,363]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,365]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,367]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,369]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,371]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,373]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,375]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,377]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,379]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,381]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,383]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,385]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,387]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,389]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,391]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,393]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,395]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,397]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,399]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,401]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,403]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,405]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,407]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,409]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,411]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,413]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,415]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,417]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,419]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,421]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,423]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,425]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,427]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,429]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,431]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,433]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,435]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,437]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,439]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,441]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,443]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,445]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,447]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,449]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,451]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,453]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,455]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,457]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,459]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,461]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,463]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,465]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,467]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,469]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,471]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,473]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,475]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,477]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,479]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,481]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,483]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,485]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,487]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,489]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,491]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,493]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,495]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,497]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,499]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,501]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,503]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,505]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,507]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,509]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,511]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,513]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,515]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,517]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,519]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,521]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,523]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,525]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,527]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,529]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,531]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,533]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,535]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,537]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,539]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,541]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,543]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,545]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,547]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,549]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,551]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,553]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,555]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,557]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,559]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,561]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,563]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,565]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,567]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,569]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,571]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,573]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,575]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,577]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,579]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,581]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,583]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,585]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,587]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,589]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,591]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,593]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,595]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,597]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,599]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,601]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,603]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,605]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,607]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,609]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,611]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,613]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,615]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,617]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,619]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,621]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,623]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,625]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,627]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,629]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,631]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,633]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,635]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,637]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,639]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,641]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,643]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,645]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,647]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,649]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,651]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,653]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,655]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,657]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,659]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,661]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,663]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,665]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,667]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,669]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,671]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,673]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,675]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,677]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,679]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,681]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,683]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,685]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,687]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,689]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,691]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,693]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,695]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,697]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,699]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,701]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,703]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,705]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,707]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,709]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,711]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,713]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,715]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,717]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,719]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,721]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,723]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,725]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,727]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,729]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,731]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,733]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,735]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,737]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,739]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,741]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,743]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,745]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,747]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,749]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,751]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,753]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,755]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,757]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,759]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,761]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,763]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,765]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,767]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,769]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,771]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,773]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,775]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,777]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,779]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,781]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,783]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,785]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,787]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,789]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,791]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,793]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,795]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,797]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,799]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,801]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,803]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,805]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,807]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,809]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,811]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,813]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,815]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,817]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,819]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,821]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,823]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,825]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,827]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,829]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,831]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,833]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,835]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,837]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,839]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,841]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,843]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,845]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,847]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,849]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,851]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,853]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,855]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,857]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,859]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,861]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,863]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,865]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,867]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,869]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,871]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,873]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,875]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,877]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,879]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,881]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,883]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,885]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,887]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,889]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,891]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,893]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,895]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,897]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,899]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,901]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,903]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,905]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,907]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,909]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,911]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,913]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,915]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,917]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,919]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,921]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,923]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,925]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,927]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,929]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,931]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,933]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,935]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,937]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,939]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,941]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,943]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,945]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,947]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,949]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,951]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,953]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,955]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,957]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,959]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,961]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,963]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,965]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,967]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,969]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,971]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,973]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,975]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,977]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,979]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,981]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,983]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,985]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,987]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,989]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,991]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,993]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,995]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,997]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,999]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1001]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1003]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1005]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1007]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1009]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1011]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1013]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1015]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1017]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1019]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1021]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1023]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1025]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1027]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1029]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1031]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1033]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1035]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1037]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1039]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1041]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,1043]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1045]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1047]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1049]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1051]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1053]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1055]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1057]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1059]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1061]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1063]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1065]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1067]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1069]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1071]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1073]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, 
SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1075]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1077]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1079]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1081]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1083]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1085]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1087]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1089]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, 
ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1091]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1093]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1095]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1097]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1099]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1101]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1103]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2800,3044,1105]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1107]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1109]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1111]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1113]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1115]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1117]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1119]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1121]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1123]},"name":"NtMapViewOfSection(SectionHandle=0x1a4, ProcessHandle=0xffffffff, BaseAddress=0x4a0000, SectionOffset=0x325f620, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1126]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x640) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1130]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x2780) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1134]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x868) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1138]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1748) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1142]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1320) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1146]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, 
ThreadId=0x2796) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1150]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1592) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1170]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x640) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1174]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x2780) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1178]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x868) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1182]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1748) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1186]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1320) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1190]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x2796) -> 0x0"},{"address":{"type":"call","value":[1852,2800,3044,1194]},"name":"NtOpenThread(ThreadHandle=0x1a4, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x2800, ThreadId=0x1592) -> 
0x0"}]}]},{"address":{"type":"process","value":[1852,2744]},"name":"jxoqwn.exe","matched_threads":[{"address":{"type":"thread","value":[1852,2744,2916]},"matched_calls":[{"address":{"type":"call","value":[1852,2744,2916,15]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e90000, RegionSize=0xc0000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,16]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e90000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,31]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,32]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2744,2916,34]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,35]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2744,2916,37]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", 
ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,38]},"name":"NtOpenKey(KeyHandle=0xdc, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,39]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,40]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,41]},"name":"NtQueryValueKey(KeyHandle=0xd8, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,136]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[1852,2744,2916,137]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,138]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4490000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2744,2916,139]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,140]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x230000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,146]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,150]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4500000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,217]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,266]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2744,2916,267]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2744,2916,269]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2744,2916,271]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, 
OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2744,2916,272]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,2744,2916,291]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,355]},"name":"CreateToolhelp32Snapshot(Flags=TH32CS_SNAPPROCESS, ProcessId=0x0) -> 0x190"},{"address":{"type":"call","value":[1852,2744,2916,358]},"name":"NtQueryValueKey(KeyHandle=0x24, ValueName=\"00060101.00060101\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\00060101.00060101\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,2744,2916,362]},"name":"NtCreateFile(FileHandle=0x194, DesiredAccess=GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE, FileName=\"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls\", CreateDisposition=FILE_OPEN, ShareAccess=FILE_SHARE_READ, FileAttributes=FILE_ATTRIBUTE_NORMAL, ExistedBefore=\"yes\", StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,364]},"name":"NtMapViewOfSection(SectionHandle=0x198, ProcessHandle=0xffffffff, BaseAddress=0x47f0000, SectionOffset=0x18e860, ViewSize=0x2cf000, Win32Protect=PAGE_READONLY, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,478]},"name":"NtOpenProcess(ProcessHandle=0x190, DesiredAccess=PROCESS_DUP_HANDLE, ProcessIdentifier=0x2744) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,480]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4ac0000, RegionSize=0x100000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[1852,2744,2916,481]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4ac0000, RegionSize=0x42000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,688]},"name":"FindResourceEx(Module=0x400000, Type=\"#10\", Name=0x2, Language=0x0) -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,689]},"name":"FindResourceEx(Module=0x400000, Type=\"#3\", Name=0x2, Language=0x0) -> 0x417118"},{"address":{"type":"call","value":[1852,2744,2916,711]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x56d000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,732]},"name":"NtOpenKey(KeyHandle=0x5c, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[1852,2744,2916,733]},"name":"NtQueryValueKey(KeyHandle=0x5c, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]},{"address":{"type":"thread","value":[1852,2744,2672]},"matched_calls":[{"address":{"type":"call","value":[1852,2744,2672,141]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x243000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[1852,500]},"name":"jxoqwn.exe","matched_threads":[{"address":{"type":"thread","value":[1852,500,240]},"matched_calls":[{"address":{"type":"call","value":[1852,500,240,8]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e50000, RegionSize=0xc0000, Protection=PAGE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,9]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x1e50000, RegionSize=0x3000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,24]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,25]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,500,240,27]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,28]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=\"en-US\", FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US\") -> OBJECT_NAME_NOT_FOUND"},{"address":{"type":"call","value":[1852,500,240,30]},"name":"NtOpenKey(KeyHandle=0xe0, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,31]},"name":"NtOpenKey(KeyHandle=0xdc, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\", 
ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Locale\\Alternate Sorts\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,32]},"name":"NtOpenKey(KeyHandle=0xd8, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language Groups\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,33]},"name":"NtQueryValueKey(KeyHandle=0xe0, ValueName=0x409, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,34]},"name":"NtQueryValueKey(KeyHandle=0xd8, ValueName=0x1, Type=REG_SZ, Information=0x1, FullName=\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,129]},"name":"NtQueryValueKey(KeyHandle=0x0, ValueName=\"DisableUserModeCallbackFilter\", FullName=\"DisableUserModeCallbackFilter\") -> INVALID_HANDLE"},{"address":{"type":"call","value":[1852,500,240,132]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,500,240,133]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x4400000, RegionSize=0x68000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,134]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,500,240,135]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2b0000, RegionSize=0x6000, Protection=PAGE_EXECUTE_READWRITE, 
StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,139]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,500,240,143]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x44b0000, RegionSize=0x6a000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[1852,500,240,210]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[1852,500,240,259]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x8a000, MemType=0x0, Protection=PAGE_READWRITE, OldProtection=PAGE_READONLY, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,500,240,260]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x400000, Size=0x400, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,500,240,262]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x40d000, Size=0x5a30, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,500,240,264]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x417000, Size=0x51708, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,500,240,265]},"name":"VirtualProtectEx(ProcessHandle=0xffffffff, Address=0x469000, Size=0xe50, MemType=0x0, Protection=PAGE_READONLY, OldProtection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x1"},{"address":{"type":"call","value":[1852,500,240,284]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, 
FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[1852,500,240,338]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x687000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]},{"address":{"type":"thread","value":[1852,500,900]},"matched_calls":[{"address":{"type":"call","value":[1852,500,900,130]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2c3000, RegionSize=0x1000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"}]}]},{"address":{"type":"process","value":[2820,1572]},"name":"WerFault.exe","matched_threads":[{"address":{"type":"thread","value":[2820,1572,2932]},"matched_calls":[{"address":{"type":"call","value":[2820,1572,2932,38]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x75af1832) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,130]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x75ae0000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x75b0da10) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,184]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffff, SourceHandle=0xfffffffe, TargetProcessHandle=0xffffffff, TargetHandle=0x25c, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,212]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x2580000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,235]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df84c, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,237]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,239]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,241]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,243]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,245]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,247]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,249]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,251]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,253]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,255]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,257]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,259]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,261]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,263]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,265]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,267]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,269]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,271]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,273]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,275]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,277]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,279]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,281]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,283]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,285]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,287]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,289]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,291]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,293]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,295]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,297]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,299]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,301]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,303]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,305]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,307]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,309]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,311]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,313]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,315]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,317]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,319]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,321]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,323]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,325]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,327]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,329]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,331]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,333]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,335]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,337]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,339]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,341]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,343]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,345]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,347]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,349]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,351]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,353]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,355]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,357]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,359]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,361]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,363]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,365]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,367]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,369]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,371]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,373]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,375]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,377]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,379]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,381]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,383]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,385]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,387]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,389]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,391]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,393]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,395]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,397]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,399]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,401]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,403]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,405]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,407]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,409]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,411]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,413]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,415]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,417]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,419]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,421]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,423]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,425]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,427]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,429]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,431]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,433]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,435]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,437]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,439]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,441]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,443]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,445]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,447]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,449]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,451]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,453]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,455]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,457]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,459]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,461]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,463]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,465]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,467]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,469]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,471]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,473]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,475]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,477]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,479]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,481]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,483]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,485]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,487]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,489]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,491]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,493]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,495]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,497]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,499]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,501]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,503]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,505]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,507]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,509]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,511]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,513]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,515]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,517]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,519]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,521]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,523]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,525]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,527]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,529]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,531]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,533]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,535]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,537]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,539]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,541]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,543]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,545]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,547]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,549]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,551]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,553]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,555]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,557]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,559]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,561]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,563]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,565]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,567]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,569]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,571]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,573]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,575]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,577]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,579]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,581]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,583]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,585]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,587]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,589]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,591]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,593]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,595]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,597]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,599]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,601]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,603]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,605]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,607]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,609]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,611]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,613]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,615]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,617]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,619]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,621]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,623]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,625]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,627]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,629]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,631]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,633]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,635]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,637]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,639]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,641]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,643]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,645]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,647]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,649]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,651]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,653]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,655]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,657]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,659]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,661]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,663]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,665]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,667]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,669]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,671]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,673]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,675]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,677]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,679]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,681]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,683]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,685]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,687]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,689]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,691]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,693]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,695]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,697]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,699]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,701]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, 
Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,703]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,705]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,707]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,709]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,711]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,713]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,715]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,717]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, 
SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,719]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,721]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,723]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,725]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,727]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,729]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,731]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,733]},"name":"NtMapViewOfSection(SectionHandle=0x290, 
ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,735]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,737]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,739]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,741]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,743]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,745]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,747]},"name":"NtMapViewOfSection(SectionHandle=0x290, ProcessHandle=0xffffffff, BaseAddress=0x2590000, SectionOffset=0x25df850, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,752]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2804) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,756]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2408) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,760]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1640) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,764]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2308) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,768]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2336) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,772]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2780) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,776]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1748) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,780]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1320) -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,784]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2760) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,804]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2804) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,808]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2408) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,812]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1640) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,816]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2308) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,820]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2336) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,824]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2780) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,828]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1748) -> 
0x0"},{"address":{"type":"call","value":[2820,1572,2932,832]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x1320) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2932,836]},"name":"NtOpenThread(ThreadHandle=0x290, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1572, ThreadId=0x2760) -> 0x0"}]},{"address":{"type":"thread","value":[2820,1572,2804]},"matched_calls":[{"address":{"type":"call","value":[2820,1572,2804,937]},"name":"NtOpenProcess(ProcessHandle=0x118, DesiredAccess=PROCESS_QUERY_INFORMATION, ProcessIdentifier=0x500) -> 0x0"},{"address":{"type":"call","value":[2820,1572,2804,972]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffff, BaseAddress=0x594a000, RegionSize=0x11000, Protection=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2804,1016]},"name":"NtOpenKey(KeyHandle=0x60, DesiredAccess=KEY_READ, ObjectAttributesHandle=0x0, ObjectAttributesName=\"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\", ObjectAttributes=\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\") -> 0x0"},{"address":{"type":"call","value":[2820,1572,2804,1017]},"name":"NtQueryValueKey(KeyHandle=0x60, ValueName=\"DisableMetaFiles\", FullName=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles\") -> OBJECT_NAME_NOT_FOUND"}]}]},{"address":{"type":"process","value":[2820,1912]},"name":"WerFault.exe","matched_threads":[{"address":{"type":"thread","value":[2820,1912,1216]},"matched_calls":[{"address":{"type":"call","value":[2820,1912,1216,39]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAlloc\", Ordinal=0x0, FunctionAddress=0x77a35980) -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,129]},"name":"LdrGetProcedureAddress(ModuleName=\"kernel32.dll\", ModuleHandle=0x77a20000, FunctionName=\"VirtualAllocEx\", Ordinal=0x0, FunctionAddress=0x77a6bf30) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,182]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x24c, Options=0x2) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,211]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x77910000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,218]},"name":"NtAllocateVirtualMemory(ProcessHandle=0xffffffffffffffff, BaseAddress=0x7fefe0b0000, RegionSize=0x1000, Protection=PAGE_EXECUTE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,240]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,330]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,332]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,336]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,340]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,344]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,354]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,360]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,366]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,370]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,376]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,380]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,386]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,390]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,394]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,398]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,402]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,406]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,412]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,418]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,422]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,428]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,434]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,446]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,452]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,456]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,460]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,464]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,468]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,474]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,478]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,482]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,488]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,494]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,498]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,503]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,508]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,512]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,518]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,522]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,528]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,532]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,538]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,542]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,546]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,552]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,558]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,562]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,566]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,574]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,578]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,582]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,586]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,590]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,594]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,602]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,606]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,612]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,618]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,624]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,630]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,636]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,644]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,650]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,656]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,660]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,666]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,672]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,684]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,690]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,694]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,704]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,710]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,714]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,718]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,726]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,734]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,740]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,746]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,754]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,758]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,764]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,770]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,776]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,782]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,788]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,792]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,798]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,804]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,810]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,814]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,820]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,824]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,830]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,834]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,840]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,846]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,852]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,862]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,866]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,872]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,878]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,884]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,890]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,900]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,908]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,912]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,918]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,926]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,930]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,936]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,942]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,948]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,953]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,956]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,962]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,966]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,974]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,980]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,988]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,998]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1006]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1012]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1018]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1022]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1026]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1030]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1034]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1042]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1048]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1054]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1058]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1064]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1070]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1076]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1082]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1086]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1094]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1098]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1104]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1108]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1112]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1118]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1124]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1128]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1132]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1134]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1136]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1138]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1140]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1142]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1144]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1146]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1148]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1150]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1152]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1154]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1156]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1158]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1160]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1162]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1164]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1166]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1168]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1170]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1172]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1174]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1176]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1178]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1180]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1182]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1184]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1186]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1188]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1190]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1192]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1194]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1196]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1198]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1200]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1202]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1204]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1206]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1208]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1210]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1212]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1214]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1216]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1218]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1220]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1222]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1224]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1226]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1228]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1230]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1232]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1234]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1236]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1238]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1240]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1242]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1244]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1246]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1248]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1250]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1252]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1254]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1256]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1258]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1260]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1262]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1264]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1266]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1268]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1270]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1272]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1274]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1276]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1278]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1280]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1282]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1284]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1286]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1288]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1290]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1292]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1294]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1296]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1298]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1300]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1302]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1304]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1306]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1308]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1310]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1312]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1314]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1316]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1318]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1320]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1322]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1324]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1326]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1328]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1330]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1332]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1334]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1336]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1338]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1340]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1342]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1344]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1346]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1348]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1350]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1352]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1354]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1356]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1358]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1360]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1362]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1364]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1366]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1368]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1370]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1372]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1374]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1376]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1378]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1380]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1382]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1384]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1386]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1388]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1390]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1392]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1394]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1396]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1398]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1400]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1402]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1404]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1406]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1408]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1410]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1412]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1414]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1416]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1418]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1420]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1422]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1424]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1426]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1428]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1430]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1432]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1434]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1436]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1438]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1440]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1442]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1444]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1446]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1448]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1450]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1452]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1454]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1456]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1458]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1460]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1462]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1464]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1466]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1468]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1470]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1472]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1474]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1476]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1478]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1480]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1482]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1484]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1486]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1488]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1490]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1492]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1494]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1496]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1498]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1500]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1502]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1504]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1506]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1508]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1510]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1512]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1514]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1516]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1518]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1520]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1522]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1524]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1526]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1528]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1530]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1532]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1534]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1536]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1538]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1540]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1542]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1544]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1546]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1548]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1550]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1552]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1554]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1556]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1558]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1560]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1562]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1564]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1566]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1568]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1570]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1572]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1574]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1576]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1578]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1580]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1582]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1584]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1586]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1588]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1590]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1592]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1594]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1596]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1598]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1600]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1602]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1604]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1606]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1608]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1610]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1612]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1614]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1616]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1618]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1620]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1622]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1624]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1626]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1628]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1630]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1632]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1634]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1636]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1638]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1640]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1642]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1644]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1646]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1648]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1650]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1652]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1654]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1656]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1658]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1660]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1662]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1664]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1666]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1668]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1670]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1672]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1674]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1676]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1678]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1680]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1682]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1684]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1686]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1688]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1690]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1692]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1694]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1696]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1698]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1700]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1702]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1704]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, 
BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1706]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1708]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1710]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1712]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1714]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1716]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1718]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1720]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1722]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1724]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1726]},"name":"NtMapViewOfSection(SectionHandle=0x278, ProcessHandle=0xffffffffffffffff, BaseAddress=0x22a0000, SectionOffset=0x5ddf5e0, ViewSize=0x4000, Win32Protect=PAGE_READWRITE, StackPivoted=\"no\") -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1728]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x492) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1732]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2520) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1736]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2100) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1740]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, 
ThreadId=0x1652) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1744]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2356) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1748]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x1884) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1751]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2332) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1754]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2588) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1757]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x860) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1777]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x492) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1781]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2520) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1785]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2100) -> 
0x0"},{"address":{"type":"call","value":[2820,1912,1216,1789]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x1652) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1793]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2356) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1797]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x1884) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1801]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2332) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1805]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x2588) -> 0x0"},{"address":{"type":"call","value":[2820,1912,1216,1809]},"name":"NtOpenThread(ThreadHandle=0x278, DesiredAccess=THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, ProcessId=0x1912, ThreadId=0x860) -> 0x0"}]},{"address":{"type":"thread","value":[2820,1912,3068]},"matched_calls":[{"address":{"type":"call","value":[2820,1912,3068,1825]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x24c, Options=0x2) -> 0x0"}]},{"address":{"type":"thread","value":[2820,1912,1368]},"matched_calls":[{"address":{"type":"call","value":[2820,1912,1368,1827]},"name":"NtDuplicateObject(SourceProcessHandle=0xffffffffffffffff, SourceHandle=0xfffffffffffffffe, 
TargetProcessHandle=0xffffffffffffffff, TargetHandle=0x288, Options=0x2) -> 0x0"}]}]}]},"feature_counts":{"file":4891,"processes":[{"address":{"type":"process","value":[2456,3052]},"count":1144},{"address":{"type":"process","value":[3052,2192]},"count":1097},{"address":{"type":"process","value":[3052,1180]},"count":934},{"address":{"type":"process","value":[3052,2852]},"count":2195},{"address":{"type":"process","value":[2852,2900]},"count":212},{"address":{"type":"process","value":[1180,1852]},"count":2033},{"address":{"type":"process","value":[792,1224]},"count":495},{"address":{"type":"process","value":[1200,1248]},"count":4633},{"address":{"type":"process","value":[1248,1680]},"count":482},{"address":{"type":"process","value":[1852,2420]},"count":648},{"address":{"type":"process","value":[2820,2360]},"count":256},{"address":{"type":"process","value":[1852,2724]},"count":669},{"address":{"type":"process","value":[1852,2800]},"count":649},{"address":{"type":"process","value":[1852,2744]},"count":906},{"address":{"type":"process","value":[1852,500]},"count":650},{"address":{"type":"process","value":[2820,1572]},"count":675},{"address":{"type":"process","value":[2820,1912]},"count":486}]}}},"rules":{"delay execution":{"meta":{"name":"delay execution","authors":["michael.hunhoff@mandiant.com","@ramen0x3f"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Anti-Behavioral Analysis","Dynamic Analysis Evasion","Delayed Execution"],"objective":"Anti-Behavioral Analysis","behavior":"Dynamic Analysis Evasion","method":"Delayed Execution","id":"B0003.003"}],"references":["https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions","https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp"],"examples":["al-khaser_x86.exe_:0x449770","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: delay execution\n authors:\n - 
michael.hunhoff@mandiant.com\n - \"@ramen0x3f\"\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]\n references:\n - https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp\n examples:\n - al-khaser_x86.exe_:0x449770\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6\n features:\n - or:\n - and:\n - os: windows\n - or:\n - api: kernel32.Sleep\n - api: kernel32.SleepEx\n - api: kernel32.WaitForSingleObject\n - api: kernel32.SignalObjectAndWait\n - api: kernel32.WaitForSingleObjectEx\n - api: kernel32.WaitForMultipleObjects\n - api: kernel32.WaitForMultipleObjectsEx\n - api: kernel32.RegisterWaitForSingleObject\n - api: WaitOnAddress\n - api: user32.MsgWaitForMultipleObjects\n - api: user32.MsgWaitForMultipleObjectsEx\n - api: NtDelayExecution\n - api: KeWaitForSingleObject\n - api: KeDelayExecutionThread\n - and:\n - os: linux\n - or:\n - api: sleep\n - api: 
usleep\n","matches":[[{"type":"thread","value":[2456,3052,1960]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"os","os":"linux"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"sleep"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"usleep"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.Sleep"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SleepEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.WaitForSingleObject"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SignalObjectAndWait"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.WaitForSingleObjectEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.WaitForMultipleObjects"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"ap
i","api":"kernel32.WaitForMultipleObjectsEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.RegisterWaitForSingleObject"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"WaitOnAddress"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"user32.MsgWaitForMultipleObjects"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"user32.MsgWaitForMultipleObjectsEx"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtDelayExecution"}},"children":[],"locations":[{"type":"call","value":[2456,3052,1960,1]},{"type":"call","value":[2456,3052,1960,36]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"KeWaitForSingleObject"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"KeDelayExecutionThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"allocate memory":{"meta":{"name":"allocate memory","authors":["0x534a@mailbox.org","@mr-tz"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Memory","Allocate Memory"],"objective":"Memory","behavior":"Allocate Memory","method":"","id":"C0007"}],"references":[],"examples":["Practical Malware Analysis Lab 03-03.exe_:0x4010EA","563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: allocate memory\n authors:\n - 0x534a@mailbox.org\n - \"@mr-tz\"\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Memory::Allocate Memory 
[C0007]\n examples:\n - Practical Malware Analysis Lab 03-03.exe_:0x4010EA\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory\n features:\n - or:\n - api: kernel32.VirtualAlloc\n - api: kernel32.VirtualAllocEx\n - api: kernel32.VirtualAllocExNuma\n - api: NtAllocateVirtualMemory\n - api: ZwAllocateVirtualMemory\n - api: NtMapViewOfSection\n - api: ZwMapViewOfSection\n - and:\n - match: link function at runtime on Windows\n - or:\n - string: \"VirtualAlloc\"\n - string: \"VirtualAllocEx\"\n - string: \"VirtualAllocExNuma\"\n - string: \"NtAllocateVirtualMemory\"\n - string: \"ZwAllocateVirtualMemory\"\n - string: \"NtMapViewOfSection\"\n - string: \"ZwMapViewOfSection\"\n","matches":[[{"type":"thread","value":[2456,3052,1960]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2456,3052,1960,150]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"chil
dren":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocat
eVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,17]},{"type":"call","value":[2456,3052,3064,149]},{"type":"call","value":[2456,3052,3064,483]},{"type":"call","value":[2456,3052,3064,982]},{"type":"call","value":[2456,3052,3064,158]},{"type":"call","value":[2456,3052,3064,942]},{"type":"call","value":[2456,3052,3064,482]},{"type":"call","value":[2456,3052,3064,16]},{"type":"call","value":[2456,3052,3064,803]},{"type":"call","value":[2456,3052,3064,938]},{"type":"call","value":[2456,3052,3064,147]},{"type":"call","value":[2456,3052,3064,986]},{"type":"call","value":[2456,3052,3064,815]},{"type":"call","value":[2456,3052,3064,937]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,372]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,225]},{"type":"call","value":[2456,3052,3064,146]},{"type":"call","value":[2456,3052,3064,148]},{"type":"call","value":[2456,3052,3064,154]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,299]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2456,3052,2792]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"lo
cations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,830]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captu
res":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2192,1476]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,2192,1476,138]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2192,2204]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,142]},{"type":"call","value"
:[3052,2192,2204,345]},{"type":"call","value":[3052,2192,2204,150]},{"type":"call","value":[3052,2192,2204,477]},{"type":"call","value":[3052,2192,2204,140]},{"type":"call","value":[3052,2192,2204,478]},{"type":"call","value":[3052,2192,2204,16]},{"type":"call","value":[3052,2192,2204,17]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,365]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,217]},{"type":"call","value":[3052,2192,2204,139]},{"type":"call","value":[3052,2192,2204,146]},{"type":"call","value":[3052,2192,2204,141]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,291]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},
"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,1180,500]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,149]},{"type":"call","value":[3052,1180,500,479]},{"type":"call","value":[3052,1180,500,344]},{"type":"call","value":[3052,1180,500,717]},{"type":"call","value":[3052,1180,500,138]},{"type":"call","value":[3052,1180,500,16]},{"type":"call","value":[3052,1180,500,140]},{"type":"call","value":[3052,1180,500,15]},{"type":"call","value":[3052,1180,500,478]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,693]},{"type":"call","value":[3052,1180,500,694]},{"type":"call","value":[3052,1180,500,364]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api
","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,137]},{"type":"call","value":[3052,1180,500,216]},{"type":"call","value":[3052,1180,500,139]},{"type":"call","value":[3052,1180,500,145]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,290]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,690]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,1180,1692]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"childre
n":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,1180,1692,141]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,36]},{"type":"call","value":
[3052,2852,2804,67]},{"type":"call","value":[3052,2852,2804,34]},{"type":"call","value":[3052,2852,2804,53]},{"type":"call","value":[3052,2852,2804,66]},{"type":"call","value":[3052,2852,2804,69]},{"type":"call","value":[3052,2852,2804,110]},{"type":"call","value":[3052,2852,2804,33]},{"type":"call","value":[3052,2852,2804,68]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,86]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"capture
s":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2852,2868]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2868,1566]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2868,1382]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2868,1498]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2852,2900,3000]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"childr
en":[],"locations":[{"type":"call","value":[2852,2900,3000,30]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2852,2900,3004]},{"success":true,"n
ode":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2852,2900,3004,28]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2852,2900,2904]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,38]},{"type":"call","value":
[2852,2900,2904,50]},{"type":"call","value":[2852,2900,2904,48]},{"type":"call","value":[2852,2900,2904,25]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread"
,"value":[2852,2900,2032]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2032,32]},{"type":"call","value":[2852,2900,2032,33]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,920]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,19]},{"type":"call","value":[1
180,1852,920,54]},{"type":"call","value":[1180,1852,920,186]},{"type":"call","value":[1180,1852,920,25]},{"type":"call","value":[1180,1852,920,195]},{"type":"call","value":[1180,1852,920,185]},{"type":"call","value":[1180,1852,920,18]},{"type":"call","value":[1180,1852,920,53]},{"type":"call","value":[1180,1852,920,17]},{"type":"call","value":[1180,1852,920,184]},{"type":"call","value":[1180,1852,920,52]},{"type":"call","value":[1180,1852,920,20]},{"type":"call","value":[1180,1852,920,26]},{"type":"call","value":[1180,1852,920,55]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,30]},{"type":"call","value":[1180,1852,920,174]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,92]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2596]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[118
0,1852,2596,4870]},{"type":"call","value":[1180,1852,2596,1935]},{"type":"call","value":[1180,1852,2596,492]},{"type":"call","value":[1180,1852,2596,1279]},{"type":"call","value":[1180,1852,2596,4879]},{"type":"call","value":[1180,1852,2596,1276]},{"type":"call","value":[1180,1852,2596,4943]},{"type":"call","value":[1180,1852,2596,3207]},{"type":"call","value":[1180,1852,2596,4940]},{"type":"call","value":[1180,1852,2596,1239]},{"type":"call","value":[1180,1852,2596,1477]},{"type":"call","value":[1180,1852,2596,1855]},{"type":"call","value":[1180,1852,2596,1254]},{"type":"call","value":[1180,1852,2596,717]},{"type":"call","value":[1180,1852,2596,4863]},{"type":"call","value":[1180,1852,2596,302]},{"type":"call","value":[1180,1852,2596,1568]},{"type":"call","value":[1180,1852,2596,1861]},{"type":"call","value":[1180,1852,2596,4927]},{"type":"call","value":[1180,1852,2596,497]},{"type":"call","value":[1180,1852,2596,1336]},{"type":"call","value":[1180,1852,2596,1833]},{"type":"call","value":[1180,1852,2596,2016]},{"type":"call","value":[1180,1852,2596,1839]},{"type":"call","value":[1180,1852,2596,1238]},{"type":"call","value":[1180,1852,2596,4182]},{"type":"call","value":[1180,1852,2596,646]},{"type":"call","value":[1180,1852,2596,2873]},{"type":"call","value":[1180,1852,2596,1561]},{"type":"call","value":[1180,1852,2596,3120]},{"type":"call","value":[1180,1852,2596,1320]},{"type":"call","value":[1180,1852,2596,719]},{"type":"call","value":[1180,1852,2596,1558]},{"type":"call","value":[1180,1852,2596,1866]},{"type":"call","value":[1180,1852,2596,2879]},{"type":"call","value":[1180,1852,2596,1567]},{"type":"call","value":[1180,1852,2596,4926]},{"type":"call","value":[1180,1852,2596,4938]},{"type":"call","value":[1180,1852,2596,1097]},{"type":"call","value":[1180,1852,2596,496]},{"type":"call","value":[1180,1852,2596,1936]},{"type":"call","value":[1180,1852,2596,4935]},{"type":"call","value":[1180,1852,2596,5130]},{"type":"call","value":[1180,1852,2596,209]},{"type":"ca
ll","value":[1180,1852,2596,3208]},{"type":"call","value":[1180,1852,2596,1234]},{"type":"call","value":[1180,1852,2596,1231]},{"type":"call","value":[1180,1852,2596,706]},{"type":"call","value":[1180,1852,2596,2866]},{"type":"call","value":[1180,1852,2596,4858]},{"type":"call","value":[1180,1852,2596,4855]},{"type":"call","value":[1180,1852,2596,3360]},{"type":"call","value":[1180,1852,2596,489]},{"type":"call","value":[1180,1852,2596,2289]},{"type":"call","value":[1180,1852,2596,4928]},{"type":"call","value":[1180,1852,2596,1273]},{"type":"call","value":[1180,1852,2596,1633]},{"type":"call","value":[1180,1852,2596,498]},{"type":"call","value":[1180,1852,2596,3616]},{"type":"call","value":[1180,1852,2596,4882]},{"type":"call","value":[1180,1852,2596,5129]},{"type":"call","value":[1180,1852,2596,644]},{"type":"call","value":[1180,1852,2596,2017]},{"type":"call","value":[1180,1852,2596,2377]},{"type":"call","value":[1180,1852,2596,2868]},{"type":"call","value":[1180,1852,2596,5080]},{"type":"call","value":[1180,1852,2596,4851]},{"type":"call","value":[1180,1852,2596,180]},{"type":"call","value":[1180,1852,2596,1260]},{"type":"call","value":[1180,1852,2596,1858]},{"type":"call","value":[1180,1852,2596,1257]},{"type":"call","value":[1180,1852,2596,2889]},{"type":"call","value":[1180,1852,2596,1339]},{"type":"call","value":[1180,1852,2596,3859]},{"type":"call","value":[1180,1852,2596,4939]},{"type":"call","value":[1180,1852,2596,4228]},{"type":"call","value":[1180,1852,2596,4588]},{"type":"call","value":[1180,1852,2596,1836]},{"type":"call","value":[1180,1852,2596,701]},{"type":"call","value":[1180,1852,2596,2867]},{"type":"call","value":[1180,1852,2596,1317]},{"type":"call","value":[1180,1852,2596,4850]},{"type":"call","value":[1180,1852,2596,301]},{"type":"call","value":[1180,1852,2596,179]},{"type":"call","value":[1180,1852,2596,1564]},{"type":"call","value":[1180,1852,2596,3190]},{"type":"call","value":[1180,1852,2596,3123]},{"type":"call","value":[1180,1852,2596,30
7]},{"type":"call","value":[1180,1852,2596,3254]},{"type":"call","value":[1180,1852,2596,4932]},{"type":"call","value":[1180,1852,2596,1707]},{"type":"call","value":[1180,1852,2596,1237]},{"type":"call","value":[1180,1852,2596,645]},{"type":"call","value":[1180,1852,2596,2335]},{"type":"call","value":[1180,1852,2596,4852]},{"type":"call","value":[1180,1852,2596,718]},{"type":"call","value":[1180,1852,2596,3662]},{"type":"call","value":[1180,1852,2596,181]},{"type":"call","value":[1180,1852,2596,1325]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,764]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,764,304]},{"type":"call","value":[
1180,1852,764,313]},{"type":"call","value":[1180,1852,764,316]},{"type":"call","value":[1180,1852,764,306]},{"type":"call","value":[1180,1852,764,303]},{"type":"call","value":[1180,1852,764,579]},{"type":"call","value":[1180,1852,764,315]},{"type":"call","value":[1180,1852,764,305]},{"type":"call","value":[1180,1852,764,314]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1180,1852,764,597]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1180,1852,764,372]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1180,1852,764,524]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"typ
e":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1156]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,929]},{"type":"call","value":[1180,1852,1156,2344]},{"type":"call","value":[1180,1852,1156,5010]},{"type":"call","value":[1180,1852,1156,2948]},{"type":"call","value":[1180,1852,1156,806]},{"type":"call","value":[1180,1852,1156,4952]},{"type":"call","value":[1180,1852,1156,3727]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1028]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1028,944]},{"type":"call","value"
:[1180,1852,1028,945]},{"type":"call","value":[1180,1852,1028,3488]},{"type":"call","value":[1180,1852,1028,3489]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"t
hread","value":[1180,1852,2828]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,4238]},{"type":"call","value":[1180,1852,2828,4239]},{"type":"call","value":[1180,1852,2828,4237]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2856]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2856,1007]}],"captures":{}},{"suc
cess":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2784]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"nod
e":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2784,4721]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,236]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1420]},{"type":"call","value":
[1180,1852,236,1085]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1476]},{"success":true,"node":{"type":"statement","statement":{"typ
e":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1476,1599]},{"type":"call","value":[1180,1852,1476,1600]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1020]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1020,3087]},{"type":"call","value
":[1180,1852,1020,2975]},{"type":"call","value":[1180,1852,1020,3072]},{"type":"call","value":[1180,1852,1020,3039]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1020,2718]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{
}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1876]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1876,5140]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1200]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1200,3783]}],"captures":{}},{"suc
cess":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2444]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"nod
e":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2444,5065]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[792,1224,1660]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[792,1224,1660,8]}],"captures":{}},{"success"
:false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[792,1224,2540]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"t
ype":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[792,1224,2540,213]},{"type":"call","value":[792,1224,2540,726]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[792,1224,2540,865]},{"type":"call","value":[792,1224,2540,1411]},{"type":"call","value":[792,1224,2540,755]},{"type":"call","value":[792,1224,2540,993]},{"type":"call","value":[792,1224,2540,883]},{"type":"call","value":[792,1224,2540,1121]},{"type":"call","value":[792,1224,2540,1011]},{"type":"call","value":[792,1224,2540,1249]},{"type":"call","value":[792,1224,2540,1139]},{"type":"call","value":[792,1224,2540,1377]},{"type":"call","value":[792,1224,2540,1267]},{"type":"call","value":[792,1224,2540,1505]},{"type":"call","value":[792,1224,2540,849]},{"type":"call","value":[792,1224,2540,1395]},{"type":"call","value":[792,1224,2540,977]},{"type":"call","value":[792,1224,2540,1523]},{"type":"call","value":[792,1224,2540,748]},{"type":"call","value":[792,1224,2540,867]},{"type":"call","value":[792,1224,2540,1105]},{"type":"call","value":[792,1224,2540,995]},{"type":"call","value":[792,1224,2540,1233]},{"type":"call","value":[792,1224,2540,885]},{"type":"call","value":[792,1224,2540,1123]},{"type":"call","value":[792,1224,2540,1361]},{"type":"call","value":[792,
1224,2540,1013]},{"type":"call","value":[792,1224,2540,1251]},{"type":"call","value":[792,1224,2540,1141]},{"type":"call","value":[792,1224,2540,1379]},{"type":"call","value":[792,1224,2540,1269]},{"type":"call","value":[792,1224,2540,1507]},{"type":"call","value":[792,1224,2540,851]},{"type":"call","value":[792,1224,2540,1397]},{"type":"call","value":[792,1224,2540,979]},{"type":"call","value":[792,1224,2540,1525]},{"type":"call","value":[792,1224,2540,869]},{"type":"call","value":[792,1224,2540,1107]},{"type":"call","value":[792,1224,2540,997]},{"type":"call","value":[792,1224,2540,1235]},{"type":"call","value":[792,1224,2540,1125]},{"type":"call","value":[792,1224,2540,1363]},{"type":"call","value":[792,1224,2540,1253]},{"type":"call","value":[792,1224,2540,1491]},{"type":"call","value":[792,1224,2540,835]},{"type":"call","value":[792,1224,2540,1381]},{"type":"call","value":[792,1224,2540,963]},{"type":"call","value":[792,1224,2540,1509]},{"type":"call","value":[792,1224,2540,853]},{"type":"call","value":[792,1224,2540,1399]},{"type":"call","value":[792,1224,2540,1091]},{"type":"call","value":[792,1224,2540,981]},{"type":"call","value":[792,1224,2540,1527]},{"type":"call","value":[792,1224,2540,871]},{"type":"call","value":[792,1224,2540,1109]},{"type":"call","value":[792,1224,2540,999]},{"type":"call","value":[792,1224,2540,1237]},{"type":"call","value":[792,1224,2540,1127]},{"type":"call","value":[792,1224,2540,1365]},{"type":"call","value":[792,1224,2540,1255]},{"type":"call","value":[792,1224,2540,1493]},{"type":"call","value":[792,1224,2540,837]},{"type":"call","value":[792,1224,2540,1383]},{"type":"call","value":[792,1224,2540,965]},{"type":"call","value":[792,1224,2540,1511]},{"type":"call","value":[792,1224,2540,855]},{"type":"call","value":[792,1224,2540,1093]},{"type":"call","value":[792,1224,2540,983]},{"type":"call","value":[792,1224,2540,1221]},{"type":"call","value":[792,1224,2540,1111]},{"type":"call","value":[792,1224,2540,1349]},{"type":"call","v
alue":[792,1224,2540,1239]},{"type":"call","value":[792,1224,2540,1477]},{"type":"call","value":[792,1224,2540,1129]},{"type":"call","value":[792,1224,2540,821]},{"type":"call","value":[792,1224,2540,1367]},{"type":"call","value":[792,1224,2540,1257]},{"type":"call","value":[792,1224,2540,1495]},{"type":"call","value":[792,1224,2540,839]},{"type":"call","value":[792,1224,2540,1385]},{"type":"call","value":[792,1224,2540,967]},{"type":"call","value":[792,1224,2540,1513]},{"type":"call","value":[792,1224,2540,857]},{"type":"call","value":[792,1224,2540,1095]},{"type":"call","value":[792,1224,2540,985]},{"type":"call","value":[792,1224,2540,1223]},{"type":"call","value":[792,1224,2540,1113]},{"type":"call","value":[792,1224,2540,1351]},{"type":"call","value":[792,1224,2540,1241]},{"type":"call","value":[792,1224,2540,1479]},{"type":"call","value":[792,1224,2540,823]},{"type":"call","value":[792,1224,2540,1369]},{"type":"call","value":[792,1224,2540,951]},{"type":"call","value":[792,1224,2540,1497]},{"type":"call","value":[792,1224,2540,841]},{"type":"call","value":[792,1224,2540,1079]},{"type":"call","value":[792,1224,2540,969]},{"type":"call","value":[792,1224,2540,1207]},{"type":"call","value":[792,1224,2540,859]},{"type":"call","value":[792,1224,2540,1097]},{"type":"call","value":[792,1224,2540,1335]},{"type":"call","value":[792,1224,2540,987]},{"type":"call","value":[792,1224,2540,1225]},{"type":"call","value":[792,1224,2540,1115]},{"type":"call","value":[792,1224,2540,1353]},{"type":"call","value":[792,1224,2540,1243]},{"type":"call","value":[792,1224,2540,1481]},{"type":"call","value":[792,1224,2540,825]},{"type":"call","value":[792,1224,2540,1371]},{"type":"call","value":[792,1224,2540,953]},{"type":"call","value":[792,1224,2540,1499]},{"type":"call","value":[792,1224,2540,843]},{"type":"call","value":[792,1224,2540,1081]},{"type":"call","value":[792,1224,2540,971]},{"type":"call","value":[792,1224,2540,1209]},{"type":"call","value":[792,1224,2540,1099]},{"type"
:"call","value":[792,1224,2540,1337]},{"type":"call","value":[792,1224,2540,1227]},{"type":"call","value":[792,1224,2540,1465]},{"type":"call","value":[792,1224,2540,809]},{"type":"call","value":[792,1224,2540,1355]},{"type":"call","value":[792,1224,2540,937]},{"type":"call","value":[792,1224,2540,1483]},{"type":"call","value":[792,1224,2540,827]},{"type":"call","value":[792,1224,2540,1373]},{"type":"call","value":[792,1224,2540,1065]},{"type":"call","value":[792,1224,2540,955]},{"type":"call","value":[792,1224,2540,1501]},{"type":"call","value":[792,1224,2540,845]},{"type":"call","value":[792,1224,2540,1083]},{"type":"call","value":[792,1224,2540,973]},{"type":"call","value":[792,1224,2540,1211]},{"type":"call","value":[792,1224,2540,1101]},{"type":"call","value":[792,1224,2540,1339]},{"type":"call","value":[792,1224,2540,1229]},{"type":"call","value":[792,1224,2540,1467]},{"type":"call","value":[792,1224,2540,811]},{"type":"call","value":[792,1224,2540,1357]},{"type":"call","value":[792,1224,2540,939]},{"type":"call","value":[792,1224,2540,1485]},{"type":"call","value":[792,1224,2540,829]},{"type":"call","value":[792,1224,2540,1067]},{"type":"call","value":[792,1224,2540,957]},{"type":"call","value":[792,1224,2540,1195]},{"type":"call","value":[792,1224,2540,1085]},{"type":"call","value":[792,1224,2540,1323]},{"type":"call","value":[792,1224,2540,975]},{"type":"call","value":[792,1224,2540,1213]},{"type":"call","value":[792,1224,2540,1451]},{"type":"call","value":[792,1224,2540,1103]},{"type":"call","value":[792,1224,2540,1341]},{"type":"call","value":[792,1224,2540,1231]},{"type":"call","value":[792,1224,2540,1469]},{"type":"call","value":[792,1224,2540,813]},{"type":"call","value":[792,1224,2540,1359]},{"type":"call","value":[792,1224,2540,941]},{"type":"call","value":[792,1224,2540,1487]},{"type":"call","value":[792,1224,2540,831]},{"type":"call","value":[792,1224,2540,1069]},{"type":"call","value":[792,1224,2540,959]},{"type":"call","value":[792,1224,2540,1197
]},{"type":"call","value":[792,1224,2540,1087]},{"type":"call","value":[792,1224,2540,1325]},{"type":"call","value":[792,1224,2540,1215]},{"type":"call","value":[792,1224,2540,1453]},{"type":"call","value":[792,1224,2540,797]},{"type":"call","value":[792,1224,2540,1343]},{"type":"call","value":[792,1224,2540,925]},{"type":"call","value":[792,1224,2540,1471]},{"type":"call","value":[792,1224,2540,815]},{"type":"call","value":[792,1224,2540,1053]},{"type":"call","value":[792,1224,2540,943]},{"type":"call","value":[792,1224,2540,1489]},{"type":"call","value":[792,1224,2540,1181]},{"type":"call","value":[792,1224,2540,833]},{"type":"call","value":[792,1224,2540,1071]},{"type":"call","value":[792,1224,2540,961]},{"type":"call","value":[792,1224,2540,1199]},{"type":"call","value":[792,1224,2540,1089]},{"type":"call","value":[792,1224,2540,1327]},{"type":"call","value":[792,1224,2540,1217]},{"type":"call","value":[792,1224,2540,1455]},{"type":"call","value":[792,1224,2540,799]},{"type":"call","value":[792,1224,2540,1345]},{"type":"call","value":[792,1224,2540,927]},{"type":"call","value":[792,1224,2540,1473]},{"type":"call","value":[792,1224,2540,817]},{"type":"call","value":[792,1224,2540,1055]},{"type":"call","value":[792,1224,2540,945]},{"type":"call","value":[792,1224,2540,1183]},{"type":"call","value":[792,1224,2540,1073]},{"type":"call","value":[792,1224,2540,1311]},{"type":"call","value":[792,1224,2540,1201]},{"type":"call","value":[792,1224,2540,1439]},{"type":"call","value":[792,1224,2540,783]},{"type":"call","value":[792,1224,2540,1329]},{"type":"call","value":[792,1224,2540,1219]},{"type":"call","value":[792,1224,2540,911]},{"type":"call","value":[792,1224,2540,1457]},{"type":"call","value":[792,1224,2540,801]},{"type":"call","value":[792,1224,2540,1347]},{"type":"call","value":[792,1224,2540,929]},{"type":"call","value":[792,1224,2540,1475]},{"type":"call","value":[792,1224,2540,819]},{"type":"call","value":[792,1224,2540,1057]},{"type":"call","value":[792,1224
,2540,947]},{"type":"call","value":[792,1224,2540,1185]},{"type":"call","value":[792,1224,2540,1075]},{"type":"call","value":[792,1224,2540,1313]},{"type":"call","value":[792,1224,2540,1203]},{"type":"call","value":[792,1224,2540,1441]},{"type":"call","value":[792,1224,2540,785]},{"type":"call","value":[792,1224,2540,1331]},{"type":"call","value":[792,1224,2540,913]},{"type":"call","value":[792,1224,2540,1459]},{"type":"call","value":[792,1224,2540,803]},{"type":"call","value":[792,1224,2540,1041]},{"type":"call","value":[792,1224,2540,931]},{"type":"call","value":[792,1224,2540,1169]},{"type":"call","value":[792,1224,2540,1059]},{"type":"call","value":[792,1224,2540,1297]},{"type":"call","value":[792,1224,2540,949]},{"type":"call","value":[792,1224,2540,1187]},{"type":"call","value":[792,1224,2540,1425]},{"type":"call","value":[792,1224,2540,1077]},{"type":"call","value":[792,1224,2540,1315]},{"type":"call","value":[792,1224,2540,1205]},{"type":"call","value":[792,1224,2540,1443]},{"type":"call","value":[792,1224,2540,787]},{"type":"call","value":[792,1224,2540,1333]},{"type":"call","value":[792,1224,2540,915]},{"type":"call","value":[792,1224,2540,1461]},{"type":"call","value":[792,1224,2540,805]},{"type":"call","value":[792,1224,2540,1043]},{"type":"call","value":[792,1224,2540,933]},{"type":"call","value":[792,1224,2540,1171]},{"type":"call","value":[792,1224,2540,1061]},{"type":"call","value":[792,1224,2540,1299]},{"type":"call","value":[792,1224,2540,1189]},{"type":"call","value":[792,1224,2540,1427]},{"type":"call","value":[792,1224,2540,771]},{"type":"call","value":[792,1224,2540,1317]},{"type":"call","value":[792,1224,2540,899]},{"type":"call","value":[792,1224,2540,1445]},{"type":"call","value":[792,1224,2540,789]},{"type":"call","value":[792,1224,2540,1027]},{"type":"call","value":[792,1224,2540,917]},{"type":"call","value":[792,1224,2540,1463]},{"type":"call","value":[792,1224,2540,1155]},{"type":"call","value":[792,1224,2540,807]},{"type":"call","value"
:[792,1224,2540,1045]},{"type":"call","value":[792,1224,2540,935]},{"type":"call","value":[792,1224,2540,1173]},{"type":"call","value":[792,1224,2540,1063]},{"type":"call","value":[792,1224,2540,1301]},{"type":"call","value":[792,1224,2540,1191]},{"type":"call","value":[792,1224,2540,1429]},{"type":"call","value":[792,1224,2540,773]},{"type":"call","value":[792,1224,2540,1319]},{"type":"call","value":[792,1224,2540,901]},{"type":"call","value":[792,1224,2540,1447]},{"type":"call","value":[792,1224,2540,791]},{"type":"call","value":[792,1224,2540,1029]},{"type":"call","value":[792,1224,2540,919]},{"type":"call","value":[792,1224,2540,1157]},{"type":"call","value":[792,1224,2540,1047]},{"type":"call","value":[792,1224,2540,1285]},{"type":"call","value":[792,1224,2540,1175]},{"type":"call","value":[792,1224,2540,1413]},{"type":"call","value":[792,1224,2540,757]},{"type":"call","value":[792,1224,2540,1303]},{"type":"call","value":[792,1224,2540,1193]},{"type":"call","value":[792,1224,2540,1431]},{"type":"call","value":[792,1224,2540,775]},{"type":"call","value":[792,1224,2540,1321]},{"type":"call","value":[792,1224,2540,903]},{"type":"call","value":[792,1224,2540,1449]},{"type":"call","value":[792,1224,2540,793]},{"type":"call","value":[792,1224,2540,1031]},{"type":"call","value":[792,1224,2540,921]},{"type":"call","value":[792,1224,2540,1159]},{"type":"call","value":[792,1224,2540,1049]},{"type":"call","value":[792,1224,2540,1287]},{"type":"call","value":[792,1224,2540,1177]},{"type":"call","value":[792,1224,2540,1415]},{"type":"call","value":[792,1224,2540,759]},{"type":"call","value":[792,1224,2540,1305]},{"type":"call","value":[792,1224,2540,887]},{"type":"call","value":[792,1224,2540,1433]},{"type":"call","value":[792,1224,2540,777]},{"type":"call","value":[792,1224,2540,1015]},{"type":"call","value":[792,1224,2540,905]},{"type":"call","value":[792,1224,2540,1143]},{"type":"call","value":[792,1224,2540,795]},{"type":"call","value":[792,1224,2540,1033]},{"type":"cal
l","value":[792,1224,2540,1271]},{"type":"call","value":[792,1224,2540,923]},{"type":"call","value":[792,1224,2540,1161]},{"type":"call","value":[792,1224,2540,1051]},{"type":"call","value":[792,1224,2540,1289]},{"type":"call","value":[792,1224,2540,1179]},{"type":"call","value":[792,1224,2540,1417]},{"type":"call","value":[792,1224,2540,761]},{"type":"call","value":[792,1224,2540,1307]},{"type":"call","value":[792,1224,2540,889]},{"type":"call","value":[792,1224,2540,1435]},{"type":"call","value":[792,1224,2540,779]},{"type":"call","value":[792,1224,2540,1017]},{"type":"call","value":[792,1224,2540,907]},{"type":"call","value":[792,1224,2540,1145]},{"type":"call","value":[792,1224,2540,1035]},{"type":"call","value":[792,1224,2540,1273]},{"type":"call","value":[792,1224,2540,1163]},{"type":"call","value":[792,1224,2540,1401]},{"type":"call","value":[792,1224,2540,1291]},{"type":"call","value":[792,1224,2540,1529]},{"type":"call","value":[792,1224,2540,873]},{"type":"call","value":[792,1224,2540,1419]},{"type":"call","value":[792,1224,2540,763]},{"type":"call","value":[792,1224,2540,1309]},{"type":"call","value":[792,1224,2540,1001]},{"type":"call","value":[792,1224,2540,891]},{"type":"call","value":[792,1224,2540,1437]},{"type":"call","value":[792,1224,2540,781]},{"type":"call","value":[792,1224,2540,1019]},{"type":"call","value":[792,1224,2540,909]},{"type":"call","value":[792,1224,2540,1147]},{"type":"call","value":[792,1224,2540,1037]},{"type":"call","value":[792,1224,2540,1275]},{"type":"call","value":[792,1224,2540,1165]},{"type":"call","value":[792,1224,2540,1403]},{"type":"call","value":[792,1224,2540,1293]},{"type":"call","value":[792,1224,2540,1531]},{"type":"call","value":[792,1224,2540,875]},{"type":"call","value":[792,1224,2540,1421]},{"type":"call","value":[792,1224,2540,765]},{"type":"call","value":[792,1224,2540,1003]},{"type":"call","value":[792,1224,2540,893]},{"type":"call","value":[792,1224,2540,1131]},{"type":"call","value":[792,1224,2540,1021]},
{"type":"call","value":[792,1224,2540,1259]},{"type":"call","value":[792,1224,2540,1149]},{"type":"call","value":[792,1224,2540,1387]},{"type":"call","value":[792,1224,2540,1039]},{"type":"call","value":[792,1224,2540,1277]},{"type":"call","value":[792,1224,2540,1515]},{"type":"call","value":[792,1224,2540,1167]},{"type":"call","value":[792,1224,2540,1405]},{"type":"call","value":[792,1224,2540,1295]},{"type":"call","value":[792,1224,2540,1533]},{"type":"call","value":[792,1224,2540,877]},{"type":"call","value":[792,1224,2540,1423]},{"type":"call","value":[792,1224,2540,767]},{"type":"call","value":[792,1224,2540,1005]},{"type":"call","value":[792,1224,2540,895]},{"type":"call","value":[792,1224,2540,1133]},{"type":"call","value":[792,1224,2540,1023]},{"type":"call","value":[792,1224,2540,1261]},{"type":"call","value":[792,1224,2540,1151]},{"type":"call","value":[792,1224,2540,1389]},{"type":"call","value":[792,1224,2540,1279]},{"type":"call","value":[792,1224,2540,1517]},{"type":"call","value":[792,1224,2540,861]},{"type":"call","value":[792,1224,2540,1407]},{"type":"call","value":[792,1224,2540,751]},{"type":"call","value":[792,1224,2540,989]},{"type":"call","value":[792,1224,2540,1535]},{"type":"call","value":[792,1224,2540,879]},{"type":"call","value":[792,1224,2540,1117]},{"type":"call","value":[792,1224,2540,769]},{"type":"call","value":[792,1224,2540,1007]},{"type":"call","value":[792,1224,2540,1245]},{"type":"call","value":[792,1224,2540,897]},{"type":"call","value":[792,1224,2540,1135]},{"type":"call","value":[792,1224,2540,1025]},{"type":"call","value":[792,1224,2540,1263]},{"type":"call","value":[792,1224,2540,1153]},{"type":"call","value":[792,1224,2540,1391]},{"type":"call","value":[792,1224,2540,1281]},{"type":"call","value":[792,1224,2540,1519]},{"type":"call","value":[792,1224,2540,863]},{"type":"call","value":[792,1224,2540,1409]},{"type":"call","value":[792,1224,2540,753]},{"type":"call","value":[792,1224,2540,991]},{"type":"call","value":[792,1224
,2540,1537]},{"type":"call","value":[792,1224,2540,881]},{"type":"call","value":[792,1224,2540,1119]},{"type":"call","value":[792,1224,2540,1009]},{"type":"call","value":[792,1224,2540,1247]},{"type":"call","value":[792,1224,2540,1137]},{"type":"call","value":[792,1224,2540,1375]},{"type":"call","value":[792,1224,2540,1265]},{"type":"call","value":[792,1224,2540,1503]},{"type":"call","value":[792,1224,2540,847]},{"type":"call","value":[792,1224,2540,1393]},{"type":"call","value":[792,1224,2540,1283]},{"type":"call","value":[792,1224,2540,1521]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[792,1224,2540,38]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[792,1224,2540,130]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":fals
e,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,1460]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1460,28]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,2544]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,312]},{"type":"call","value"
:[1200,1248,2544,292]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,1138]},{"type":"call","value":[1200,1248,2544,1376]},{"type":"call","value":[1200,1248,2544,1202]},{"type":"call","value":[1200,1248,2544,1440]},{"type":"call","value":[1200,1248,2544,1266]},{"type":"call","value":[1200,1248,2544,1504]},{"type":"call","value":[1200,1248,2544,1330]},{"type":"call","value":[1200,1248,2544,1394]},{"type":"call","value":[1200,1248,2544,1458]},{"type":"call","value":[1200,1248,2544,1522]},{"type":"call","value":[1200,1248,2544,1040]},{"type":"call","value":[1200,1248,2544,1104]},{"type":"call","value":[1200,1248,2544,1168]},{"type":"call","value":[1200,1248,2544,1232]},{"type":"call","value":[1200,1248,2544,1058]},{"type":"call","value":[1200,1248,2544,1296]},{"type":"call","value":[1200,1248,2544,1122]},{"type":"call","value":[1200,1248,2544,1360]},{"type":"call","value":[1200,1248,2544,1186]},{"type":"call","value":[1200,1248,2544,1012]},{"type":"call","value":[1200,1248,2544,1424]},{"type":"call","value":[1200,1248,2544,1250]},{"type":"call","value":[1200,1248,2544,1076]},{"type":"call","value":[1200,1248,2544,1488]},{"type":"call","value":[1200,1248,2544,1314]},{"type":"call","value":[1200,1248,2544,1140]},{"type":"call","value":[1200,1248,2544,1378]},{"type":"call","value":[1200,1248,2544,1204]},{"type":"call","value":[1200,1248,2544,1442]},{"type":"call","value":[1200,1248,2544,1268]},{"type":"call","value":[1200,1248,2544,1506]},{"type":"call","value":[1200,1248,2544,1332]},{"type":"call","value":[1200,1248,2544,1396]},{"type":"call","value":[1200,1248,2544,1460]},{"type":"call","value":[1200,1248,2544,1524]},{"type":"call","value":[1200,1248,2544,1042]},{"type":"call","value":[1200,1248,2544,1
106]},{"type":"call","value":[1200,1248,2544,1170]},{"type":"call","value":[1200,1248,2544,1234]},{"type":"call","value":[1200,1248,2544,1060]},{"type":"call","value":[1200,1248,2544,1298]},{"type":"call","value":[1200,1248,2544,1124]},{"type":"call","value":[1200,1248,2544,1362]},{"type":"call","value":[1200,1248,2544,1188]},{"type":"call","value":[1200,1248,2544,1426]},{"type":"call","value":[1200,1248,2544,1252]},{"type":"call","value":[1200,1248,2544,1490]},{"type":"call","value":[1200,1248,2544,1316]},{"type":"call","value":[1200,1248,2544,1380]},{"type":"call","value":[1200,1248,2544,1444]},{"type":"call","value":[1200,1248,2544,1508]},{"type":"call","value":[1200,1248,2544,1026]},{"type":"call","value":[1200,1248,2544,1090]},{"type":"call","value":[1200,1248,2544,1462]},{"type":"call","value":[1200,1248,2544,1154]},{"type":"call","value":[1200,1248,2544,1526]},{"type":"call","value":[1200,1248,2544,1218]},{"type":"call","value":[1200,1248,2544,1044]},{"type":"call","value":[1200,1248,2544,1108]},{"type":"call","value":[1200,1248,2544,1172]},{"type":"call","value":[1200,1248,2544,1236]},{"type":"call","value":[1200,1248,2544,1062]},{"type":"call","value":[1200,1248,2544,1300]},{"type":"call","value":[1200,1248,2544,1126]},{"type":"call","value":[1200,1248,2544,1364]},{"type":"call","value":[1200,1248,2544,1190]},{"type":"call","value":[1200,1248,2544,1428]},{"type":"call","value":[1200,1248,2544,1254]},{"type":"call","value":[1200,1248,2544,1492]},{"type":"call","value":[1200,1248,2544,1318]},{"type":"call","value":[1200,1248,2544,1382]},{"type":"call","value":[1200,1248,2544,1446]},{"type":"call","value":[1200,1248,2544,1510]},{"type":"call","value":[1200,1248,2544,1028]},{"type":"call","value":[1200,1248,2544,1092]},{"type":"call","value":[1200,1248,2544,1156]},{"type":"call","value":[1200,1248,2544,1220]},{"type":"call","value":[1200,1248,2544,1046]},{"type":"call","value":[1200,1248,2544,1284]},{"type":"call","value":[1200,1248,2544,1110]},{"type":"call","
value":[1200,1248,2544,1348]},{"type":"call","value":[1200,1248,2544,1174]},{"type":"call","value":[1200,1248,2544,1412]},{"type":"call","value":[1200,1248,2544,1238]},{"type":"call","value":[1200,1248,2544,1476]},{"type":"call","value":[1200,1248,2544,1302]},{"type":"call","value":[1200,1248,2544,1366]},{"type":"call","value":[1200,1248,2544,1192]},{"type":"call","value":[1200,1248,2544,1430]},{"type":"call","value":[1200,1248,2544,1256]},{"type":"call","value":[1200,1248,2544,1494]},{"type":"call","value":[1200,1248,2544,1320]},{"type":"call","value":[1200,1248,2544,1384]},{"type":"call","value":[1200,1248,2544,1448]},{"type":"call","value":[1200,1248,2544,1512]},{"type":"call","value":[1200,1248,2544,1030]},{"type":"call","value":[1200,1248,2544,1094]},{"type":"call","value":[1200,1248,2544,1158]},{"type":"call","value":[1200,1248,2544,1222]},{"type":"call","value":[1200,1248,2544,1048]},{"type":"call","value":[1200,1248,2544,1286]},{"type":"call","value":[1200,1248,2544,1112]},{"type":"call","value":[1200,1248,2544,1350]},{"type":"call","value":[1200,1248,2544,1176]},{"type":"call","value":[1200,1248,2544,1414]},{"type":"call","value":[1200,1248,2544,1240]},{"type":"call","value":[1200,1248,2544,1478]},{"type":"call","value":[1200,1248,2544,1304]},{"type":"call","value":[1200,1248,2544,1368]},{"type":"call","value":[1200,1248,2544,1432]},{"type":"call","value":[1200,1248,2544,1496]},{"type":"call","value":[1200,1248,2544,1014]},{"type":"call","value":[1200,1248,2544,1078]},{"type":"call","value":[1200,1248,2544,1142]},{"type":"call","value":[1200,1248,2544,1206]},{"type":"call","value":[1200,1248,2544,1032]},{"type":"call","value":[1200,1248,2544,1270]},{"type":"call","value":[1200,1248,2544,1096]},{"type":"call","value":[1200,1248,2544,1334]},{"type":"call","value":[1200,1248,2544,1160]},{"type":"call","value":[1200,1248,2544,1398]},{"type":"call","value":[1200,1248,2544,1224]},{"type":"call","value":[1200,1248,2544,1050]},{"type":"call","value":[1200,1248,2544
,1288]},{"type":"call","value":[1200,1248,2544,1114]},{"type":"call","value":[1200,1248,2544,1352]},{"type":"call","value":[1200,1248,2544,1178]},{"type":"call","value":[1200,1248,2544,1416]},{"type":"call","value":[1200,1248,2544,1242]},{"type":"call","value":[1200,1248,2544,1480]},{"type":"call","value":[1200,1248,2544,1306]},{"type":"call","value":[1200,1248,2544,1370]},{"type":"call","value":[1200,1248,2544,1434]},{"type":"call","value":[1200,1248,2544,1498]},{"type":"call","value":[1200,1248,2544,1016]},{"type":"call","value":[1200,1248,2544,1080]},{"type":"call","value":[1200,1248,2544,1144]},{"type":"call","value":[1200,1248,2544,1208]},{"type":"call","value":[1200,1248,2544,1034]},{"type":"call","value":[1200,1248,2544,1272]},{"type":"call","value":[1200,1248,2544,1098]},{"type":"call","value":[1200,1248,2544,1336]},{"type":"call","value":[1200,1248,2544,442]},{"type":"call","value":[1200,1248,2544,1162]},{"type":"call","value":[1200,1248,2544,1400]},{"type":"call","value":[1200,1248,2544,1226]},{"type":"call","value":[1200,1248,2544,1464]},{"type":"call","value":[1200,1248,2544,1290]},{"type":"call","value":[1200,1248,2544,1528]},{"type":"call","value":[1200,1248,2544,1354]},{"type":"call","value":[1200,1248,2544,1418]},{"type":"call","value":[1200,1248,2544,1482]},{"type":"call","value":[1200,1248,2544,1372]},{"type":"call","value":[1200,1248,2544,1064]},{"type":"call","value":[1200,1248,2544,1436]},{"type":"call","value":[1200,1248,2544,1128]},{"type":"call","value":[1200,1248,2544,1500]},{"type":"call","value":[1200,1248,2544,1018]},{"type":"call","value":[1200,1248,2544,1082]},{"type":"call","value":[1200,1248,2544,1146]},{"type":"call","value":[1200,1248,2544,1210]},{"type":"call","value":[1200,1248,2544,1036]},{"type":"call","value":[1200,1248,2544,1274]},{"type":"call","value":[1200,1248,2544,1100]},{"type":"call","value":[1200,1248,2544,1338]},{"type":"call","value":[1200,1248,2544,1164]},{"type":"call","value":[1200,1248,2544,1402]},{"type":"call",
"value":[1200,1248,2544,1228]},{"type":"call","value":[1200,1248,2544,1466]},{"type":"call","value":[1200,1248,2544,1292]},{"type":"call","value":[1200,1248,2544,1530]},{"type":"call","value":[1200,1248,2544,1356]},{"type":"call","value":[1200,1248,2544,1420]},{"type":"call","value":[1200,1248,2544,1484]},{"type":"call","value":[1200,1248,2544,1066]},{"type":"call","value":[1200,1248,2544,1130]},{"type":"call","value":[1200,1248,2544,1194]},{"type":"call","value":[1200,1248,2544,1020]},{"type":"call","value":[1200,1248,2544,1258]},{"type":"call","value":[1200,1248,2544,1084]},{"type":"call","value":[1200,1248,2544,1322]},{"type":"call","value":[1200,1248,2544,1148]},{"type":"call","value":[1200,1248,2544,1386]},{"type":"call","value":[1200,1248,2544,1212]},{"type":"call","value":[1200,1248,2544,1450]},{"type":"call","value":[1200,1248,2544,1276]},{"type":"call","value":[1200,1248,2544,1102]},{"type":"call","value":[1200,1248,2544,1514]},{"type":"call","value":[1200,1248,2544,1340]},{"type":"call","value":[1200,1248,2544,1166]},{"type":"call","value":[1200,1248,2544,1404]},{"type":"call","value":[1200,1248,2544,1230]},{"type":"call","value":[1200,1248,2544,1468]},{"type":"call","value":[1200,1248,2544,1294]},{"type":"call","value":[1200,1248,2544,1532]},{"type":"call","value":[1200,1248,2544,1358]},{"type":"call","value":[1200,1248,2544,1422]},{"type":"call","value":[1200,1248,2544,1541]},{"type":"call","value":[1200,1248,2544,1486]},{"type":"call","value":[1200,1248,2544,1068]},{"type":"call","value":[1200,1248,2544,1132]},{"type":"call","value":[1200,1248,2544,1196]},{"type":"call","value":[1200,1248,2544,1022]},{"type":"call","value":[1200,1248,2544,1260]},{"type":"call","value":[1200,1248,2544,1086]},{"type":"call","value":[1200,1248,2544,1324]},{"type":"call","value":[1200,1248,2544,1150]},{"type":"call","value":[1200,1248,2544,1388]},{"type":"call","value":[1200,1248,2544,1214]},{"type":"call","value":[1200,1248,2544,1452]},{"type":"call","value":[1200,1248,254
4,1278]},{"type":"call","value":[1200,1248,2544,1516]},{"type":"call","value":[1200,1248,2544,1342]},{"type":"call","value":[1200,1248,2544,1406]},{"type":"call","value":[1200,1248,2544,1470]},{"type":"call","value":[1200,1248,2544,1534]},{"type":"call","value":[1200,1248,2544,1052]},{"type":"call","value":[1200,1248,2544,1116]},{"type":"call","value":[1200,1248,2544,1180]},{"type":"call","value":[1200,1248,2544,1244]},{"type":"call","value":[1200,1248,2544,1070]},{"type":"call","value":[1200,1248,2544,1308]},{"type":"call","value":[1200,1248,2544,1134]},{"type":"call","value":[1200,1248,2544,1198]},{"type":"call","value":[1200,1248,2544,1024]},{"type":"call","value":[1200,1248,2544,1262]},{"type":"call","value":[1200,1248,2544,1088]},{"type":"call","value":[1200,1248,2544,1326]},{"type":"call","value":[1200,1248,2544,1152]},{"type":"call","value":[1200,1248,2544,1390]},{"type":"call","value":[1200,1248,2544,1216]},{"type":"call","value":[1200,1248,2544,1454]},{"type":"call","value":[1200,1248,2544,1280]},{"type":"call","value":[1200,1248,2544,1518]},{"type":"call","value":[1200,1248,2544,1344]},{"type":"call","value":[1200,1248,2544,1408]},{"type":"call","value":[1200,1248,2544,1472]},{"type":"call","value":[1200,1248,2544,1536]},{"type":"call","value":[1200,1248,2544,1054]},{"type":"call","value":[1200,1248,2544,1118]},{"type":"call","value":[1200,1248,2544,1182]},{"type":"call","value":[1200,1248,2544,1246]},{"type":"call","value":[1200,1248,2544,1072]},{"type":"call","value":[1200,1248,2544,1310]},{"type":"call","value":[1200,1248,2544,1136]},{"type":"call","value":[1200,1248,2544,1374]},{"type":"call","value":[1200,1248,2544,1200]},{"type":"call","value":[1200,1248,2544,1438]},{"type":"call","value":[1200,1248,2544,1264]},{"type":"call","value":[1200,1248,2544,1502]},{"type":"call","value":[1200,1248,2544,1328]},{"type":"call","value":[1200,1248,2544,1392]},{"type":"call","value":[1200,1248,2544,1456]},{"type":"call","value":[1200,1248,2544,1282]},{"type":"call
","value":[1200,1248,2544,1520]},{"type":"call","value":[1200,1248,2544,1346]},{"type":"call","value":[1200,1248,2544,1038]},{"type":"call","value":[1200,1248,2544,1410]},{"type":"call","value":[1200,1248,2544,1474]},{"type":"call","value":[1200,1248,2544,1538]},{"type":"call","value":[1200,1248,2544,1056]},{"type":"call","value":[1200,1248,2544,1120]},{"type":"call","value":[1200,1248,2544,1184]},{"type":"call","value":[1200,1248,2544,1010]},{"type":"call","value":[1200,1248,2544,1248]},{"type":"call","value":[1200,1248,2544,1074]},{"type":"call","value":[1200,1248,2544,1312]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,67]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,157]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"location
s":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,732]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1200,1248,732,5906]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1248,1680,3044]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1248,1680,3044,215]}],"captures":{}},{"succ
ess":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1248,1680,3044,254]},{"type":"call","value":[1248,1680,3044,492]},{"type":"call","value":[1248,1680,3044,1038]},{"type":"call","value":[1248,1680,3044,382]},{"type":"call","value":[1248,1680,3044,620]},{"type":"call","value":[1248,1680,3044,510]},{"type":"call","value":[1248,1680,3044,748]},{"type":"call","value":[1248,1680,3044,638]},{"type":"call","value":[1248,1680,3044,876]},{"type":"call","value":[1248,1680,3044,766]},{"type":"call","value":[1248,1680,3044,1004]},{"type":"call","value":[1248,1680,3044,348]},{"type":"call","value":[1248,1680,3044,894]},{"type":"call","value":[1248,1680,3044,238]},{"type":"call","value":[1248,1680,3044,476]},{"type":"call","value":[1248,1680,3044,1022]},{"type":"call","value":[1248,1680,3044,366]},{"type":"call","value":[1248,1680,3044,604]},{"type":"call","value":[1248,1680,3044,494]},{"type":"call","value":[1248,1680,3044,732]},{"type":"call","value":[1248,1680,3044,622]},{"type":"call","value":[1248,1680,3044,860]},{"type":"call","value":[1248,1680,3044,512]},{"type":"call","value":[1248,1680,3044,750]},{"type":"call","value":[1248,1680,3044,988]},{"type":"call","value":[1248,1680,3044,640]},{"type":"call","value":[1248,1680,3044,878]},{"type":"call","value":[1248,1680,3044,768]},{"type":"call","value":[1248,1680,3044,1006]},{"type":"call","value":[1248,1680,3044,350]},{"type":"call","value":[1248,1680,3044,896]},{"type":"call","value":[1248,1680,3044,478]},{"type":"call","value":[1248,1680,3044,1024]},{"type":"call","value":[1248,1680,3044,368]},{"type":"call","value":[1248,1680,3044,606]},{"type":"call","value":[1248,1680,3044,496]},{"type":"call","value":[1248,1680,3044,734]},{"type":"call","value":[1248,1680,3044,624]},{"type":"call","value":[12
48,1680,3044,862]},{"type":"call","value":[1248,1680,3044,752]},{"type":"call","value":[1248,1680,3044,990]},{"type":"call","value":[1248,1680,3044,334]},{"type":"call","value":[1248,1680,3044,880]},{"type":"call","value":[1248,1680,3044,462]},{"type":"call","value":[1248,1680,3044,1008]},{"type":"call","value":[1248,1680,3044,352]},{"type":"call","value":[1248,1680,3044,590]},{"type":"call","value":[1248,1680,3044,242]},{"type":"call","value":[1248,1680,3044,480]},{"type":"call","value":[1248,1680,3044,1026]},{"type":"call","value":[1248,1680,3044,718]},{"type":"call","value":[1248,1680,3044,370]},{"type":"call","value":[1248,1680,3044,608]},{"type":"call","value":[1248,1680,3044,498]},{"type":"call","value":[1248,1680,3044,736]},{"type":"call","value":[1248,1680,3044,626]},{"type":"call","value":[1248,1680,3044,864]},{"type":"call","value":[1248,1680,3044,754]},{"type":"call","value":[1248,1680,3044,992]},{"type":"call","value":[1248,1680,3044,336]},{"type":"call","value":[1248,1680,3044,882]},{"type":"call","value":[1248,1680,3044,464]},{"type":"call","value":[1248,1680,3044,1010]},{"type":"call","value":[1248,1680,3044,354]},{"type":"call","value":[1248,1680,3044,592]},{"type":"call","value":[1248,1680,3044,482]},{"type":"call","value":[1248,1680,3044,720]},{"type":"call","value":[1248,1680,3044,610]},{"type":"call","value":[1248,1680,3044,848]},{"type":"call","value":[1248,1680,3044,738]},{"type":"call","value":[1248,1680,3044,976]},{"type":"call","value":[1248,1680,3044,320]},{"type":"call","value":[1248,1680,3044,866]},{"type":"call","value":[1248,1680,3044,756]},{"type":"call","value":[1248,1680,3044,448]},{"type":"call","value":[1248,1680,3044,994]},{"type":"call","value":[1248,1680,3044,338]},{"type":"call","value":[1248,1680,3044,884]},{"type":"call","value":[1248,1680,3044,466]},{"type":"call","value":[1248,1680,3044,1012]},{"type":"call","value":[1248,1680,3044,356]},{"type":"call","value":[1248,1680,3044,594]},{"type":"call","value":[1248,1680,3044,484
]},{"type":"call","value":[1248,1680,3044,722]},{"type":"call","value":[1248,1680,3044,612]},{"type":"call","value":[1248,1680,3044,850]},{"type":"call","value":[1248,1680,3044,740]},{"type":"call","value":[1248,1680,3044,978]},{"type":"call","value":[1248,1680,3044,322]},{"type":"call","value":[1248,1680,3044,868]},{"type":"call","value":[1248,1680,3044,450]},{"type":"call","value":[1248,1680,3044,996]},{"type":"call","value":[1248,1680,3044,340]},{"type":"call","value":[1248,1680,3044,578]},{"type":"call","value":[1248,1680,3044,468]},{"type":"call","value":[1248,1680,3044,706]},{"type":"call","value":[1248,1680,3044,596]},{"type":"call","value":[1248,1680,3044,834]},{"type":"call","value":[1248,1680,3044,486]},{"type":"call","value":[1248,1680,3044,724]},{"type":"call","value":[1248,1680,3044,962]},{"type":"call","value":[1248,1680,3044,614]},{"type":"call","value":[1248,1680,3044,852]},{"type":"call","value":[1248,1680,3044,742]},{"type":"call","value":[1248,1680,3044,980]},{"type":"call","value":[1248,1680,3044,324]},{"type":"call","value":[1248,1680,3044,870]},{"type":"call","value":[1248,1680,3044,452]},{"type":"call","value":[1248,1680,3044,998]},{"type":"call","value":[1248,1680,3044,342]},{"type":"call","value":[1248,1680,3044,580]},{"type":"call","value":[1248,1680,3044,470]},{"type":"call","value":[1248,1680,3044,708]},{"type":"call","value":[1248,1680,3044,598]},{"type":"call","value":[1248,1680,3044,836]},{"type":"call","value":[1248,1680,3044,726]},{"type":"call","value":[1248,1680,3044,964]},{"type":"call","value":[1248,1680,3044,308]},{"type":"call","value":[1248,1680,3044,854]},{"type":"call","value":[1248,1680,3044,436]},{"type":"call","value":[1248,1680,3044,982]},{"type":"call","value":[1248,1680,3044,326]},{"type":"call","value":[1248,1680,3044,564]},{"type":"call","value":[1248,1680,3044,454]},{"type":"call","value":[1248,1680,3044,1000]},{"type":"call","value":[1248,1680,3044,344]},{"type":"call","value":[1248,1680,3044,582]},{"type":"call","
value":[1248,1680,3044,472]},{"type":"call","value":[1248,1680,3044,710]},{"type":"call","value":[1248,1680,3044,600]},{"type":"call","value":[1248,1680,3044,838]},{"type":"call","value":[1248,1680,3044,728]},{"type":"call","value":[1248,1680,3044,966]},{"type":"call","value":[1248,1680,3044,310]},{"type":"call","value":[1248,1680,3044,856]},{"type":"call","value":[1248,1680,3044,438]},{"type":"call","value":[1248,1680,3044,984]},{"type":"call","value":[1248,1680,3044,328]},{"type":"call","value":[1248,1680,3044,566]},{"type":"call","value":[1248,1680,3044,456]},{"type":"call","value":[1248,1680,3044,694]},{"type":"call","value":[1248,1680,3044,584]},{"type":"call","value":[1248,1680,3044,822]},{"type":"call","value":[1248,1680,3044,712]},{"type":"call","value":[1248,1680,3044,950]},{"type":"call","value":[1248,1680,3044,602]},{"type":"call","value":[1248,1680,3044,294]},{"type":"call","value":[1248,1680,3044,840]},{"type":"call","value":[1248,1680,3044,730]},{"type":"call","value":[1248,1680,3044,968]},{"type":"call","value":[1248,1680,3044,312]},{"type":"call","value":[1248,1680,3044,858]},{"type":"call","value":[1248,1680,3044,440]},{"type":"call","value":[1248,1680,3044,986]},{"type":"call","value":[1248,1680,3044,330]},{"type":"call","value":[1248,1680,3044,568]},{"type":"call","value":[1248,1680,3044,458]},{"type":"call","value":[1248,1680,3044,696]},{"type":"call","value":[1248,1680,3044,586]},{"type":"call","value":[1248,1680,3044,824]},{"type":"call","value":[1248,1680,3044,714]},{"type":"call","value":[1248,1680,3044,952]},{"type":"call","value":[1248,1680,3044,296]},{"type":"call","value":[1248,1680,3044,842]},{"type":"call","value":[1248,1680,3044,424]},{"type":"call","value":[1248,1680,3044,970]},{"type":"call","value":[1248,1680,3044,314]},{"type":"call","value":[1248,1680,3044,552]},{"type":"call","value":[1248,1680,3044,442]},{"type":"call","value":[1248,1680,3044,680]},{"type":"call","value":[1248,1680,3044,332]},{"type":"call","value":[1248,1680,30
44,570]},{"type":"call","value":[1248,1680,3044,808]},{"type":"call","value":[1248,1680,3044,460]},{"type":"call","value":[1248,1680,3044,698]},{"type":"call","value":[1248,1680,3044,588]},{"type":"call","value":[1248,1680,3044,826]},{"type":"call","value":[1248,1680,3044,716]},{"type":"call","value":[1248,1680,3044,954]},{"type":"call","value":[1248,1680,3044,298]},{"type":"call","value":[1248,1680,3044,844]},{"type":"call","value":[1248,1680,3044,426]},{"type":"call","value":[1248,1680,3044,972]},{"type":"call","value":[1248,1680,3044,316]},{"type":"call","value":[1248,1680,3044,554]},{"type":"call","value":[1248,1680,3044,444]},{"type":"call","value":[1248,1680,3044,682]},{"type":"call","value":[1248,1680,3044,572]},{"type":"call","value":[1248,1680,3044,810]},{"type":"call","value":[1248,1680,3044,700]},{"type":"call","value":[1248,1680,3044,938]},{"type":"call","value":[1248,1680,3044,282]},{"type":"call","value":[1248,1680,3044,828]},{"type":"call","value":[1248,1680,3044,410]},{"type":"call","value":[1248,1680,3044,956]},{"type":"call","value":[1248,1680,3044,300]},{"type":"call","value":[1248,1680,3044,846]},{"type":"call","value":[1248,1680,3044,538]},{"type":"call","value":[1248,1680,3044,428]},{"type":"call","value":[1248,1680,3044,974]},{"type":"call","value":[1248,1680,3044,318]},{"type":"call","value":[1248,1680,3044,556]},{"type":"call","value":[1248,1680,3044,446]},{"type":"call","value":[1248,1680,3044,684]},{"type":"call","value":[1248,1680,3044,574]},{"type":"call","value":[1248,1680,3044,812]},{"type":"call","value":[1248,1680,3044,702]},{"type":"call","value":[1248,1680,3044,940]},{"type":"call","value":[1248,1680,3044,284]},{"type":"call","value":[1248,1680,3044,830]},{"type":"call","value":[1248,1680,3044,412]},{"type":"call","value":[1248,1680,3044,958]},{"type":"call","value":[1248,1680,3044,302]},{"type":"call","value":[1248,1680,3044,540]},{"type":"call","value":[1248,1680,3044,430]},{"type":"call","value":[1248,1680,3044,668]},{"type":"ca
ll","value":[1248,1680,3044,558]},{"type":"call","value":[1248,1680,3044,796]},{"type":"call","value":[1248,1680,3044,686]},{"type":"call","value":[1248,1680,3044,924]},{"type":"call","value":[1248,1680,3044,576]},{"type":"call","value":[1248,1680,3044,268]},{"type":"call","value":[1248,1680,3044,814]},{"type":"call","value":[1248,1680,3044,704]},{"type":"call","value":[1248,1680,3044,942]},{"type":"call","value":[1248,1680,3044,286]},{"type":"call","value":[1248,1680,3044,832]},{"type":"call","value":[1248,1680,3044,414]},{"type":"call","value":[1248,1680,3044,960]},{"type":"call","value":[1248,1680,3044,304]},{"type":"call","value":[1248,1680,3044,542]},{"type":"call","value":[1248,1680,3044,432]},{"type":"call","value":[1248,1680,3044,670]},{"type":"call","value":[1248,1680,3044,560]},{"type":"call","value":[1248,1680,3044,798]},{"type":"call","value":[1248,1680,3044,688]},{"type":"call","value":[1248,1680,3044,926]},{"type":"call","value":[1248,1680,3044,270]},{"type":"call","value":[1248,1680,3044,816]},{"type":"call","value":[1248,1680,3044,398]},{"type":"call","value":[1248,1680,3044,944]},{"type":"call","value":[1248,1680,3044,288]},{"type":"call","value":[1248,1680,3044,526]},{"type":"call","value":[1248,1680,3044,416]},{"type":"call","value":[1248,1680,3044,654]},{"type":"call","value":[1248,1680,3044,306]},{"type":"call","value":[1248,1680,3044,544]},{"type":"call","value":[1248,1680,3044,782]},{"type":"call","value":[1248,1680,3044,434]},{"type":"call","value":[1248,1680,3044,672]},{"type":"call","value":[1248,1680,3044,562]},{"type":"call","value":[1248,1680,3044,800]},{"type":"call","value":[1248,1680,3044,690]},{"type":"call","value":[1248,1680,3044,928]},{"type":"call","value":[1248,1680,3044,272]},{"type":"call","value":[1248,1680,3044,818]},{"type":"call","value":[1248,1680,3044,400]},{"type":"call","value":[1248,1680,3044,946]},{"type":"call","value":[1248,1680,3044,290]},{"type":"call","value":[1248,1680,3044,528]},{"type":"call","value":[1248,16
80,3044,418]},{"type":"call","value":[1248,1680,3044,656]},{"type":"call","value":[1248,1680,3044,546]},{"type":"call","value":[1248,1680,3044,784]},{"type":"call","value":[1248,1680,3044,674]},{"type":"call","value":[1248,1680,3044,912]},{"type":"call","value":[1248,1680,3044,256]},{"type":"call","value":[1248,1680,3044,802]},{"type":"call","value":[1248,1680,3044,1040]},{"type":"call","value":[1248,1680,3044,692]},{"type":"call","value":[1248,1680,3044,384]},{"type":"call","value":[1248,1680,3044,930]},{"type":"call","value":[1248,1680,3044,274]},{"type":"call","value":[1248,1680,3044,820]},{"type":"call","value":[1248,1680,3044,402]},{"type":"call","value":[1248,1680,3044,948]},{"type":"call","value":[1248,1680,3044,292]},{"type":"call","value":[1248,1680,3044,530]},{"type":"call","value":[1248,1680,3044,420]},{"type":"call","value":[1248,1680,3044,658]},{"type":"call","value":[1248,1680,3044,548]},{"type":"call","value":[1248,1680,3044,786]},{"type":"call","value":[1248,1680,3044,676]},{"type":"call","value":[1248,1680,3044,914]},{"type":"call","value":[1248,1680,3044,258]},{"type":"call","value":[1248,1680,3044,804]},{"type":"call","value":[1248,1680,3044,386]},{"type":"call","value":[1248,1680,3044,932]},{"type":"call","value":[1248,1680,3044,276]},{"type":"call","value":[1248,1680,3044,514]},{"type":"call","value":[1248,1680,3044,404]},{"type":"call","value":[1248,1680,3044,642]},{"type":"call","value":[1248,1680,3044,532]},{"type":"call","value":[1248,1680,3044,770]},{"type":"call","value":[1248,1680,3044,422]},{"type":"call","value":[1248,1680,3044,660]},{"type":"call","value":[1248,1680,3044,898]},{"type":"call","value":[1248,1680,3044,550]},{"type":"call","value":[1248,1680,3044,788]},{"type":"call","value":[1248,1680,3044,678]},{"type":"call","value":[1248,1680,3044,916]},{"type":"call","value":[1248,1680,3044,260]},{"type":"call","value":[1248,1680,3044,806]},{"type":"call","value":[1248,1680,3044,388]},{"type":"call","value":[1248,1680,3044,934]},{"typ
e":"call","value":[1248,1680,3044,278]},{"type":"call","value":[1248,1680,3044,516]},{"type":"call","value":[1248,1680,3044,406]},{"type":"call","value":[1248,1680,3044,644]},{"type":"call","value":[1248,1680,3044,534]},{"type":"call","value":[1248,1680,3044,772]},{"type":"call","value":[1248,1680,3044,662]},{"type":"call","value":[1248,1680,3044,900]},{"type":"call","value":[1248,1680,3044,244]},{"type":"call","value":[1248,1680,3044,790]},{"type":"call","value":[1248,1680,3044,1028]},{"type":"call","value":[1248,1680,3044,372]},{"type":"call","value":[1248,1680,3044,918]},{"type":"call","value":[1248,1680,3044,262]},{"type":"call","value":[1248,1680,3044,500]},{"type":"call","value":[1248,1680,3044,390]},{"type":"call","value":[1248,1680,3044,936]},{"type":"call","value":[1248,1680,3044,628]},{"type":"call","value":[1248,1680,3044,280]},{"type":"call","value":[1248,1680,3044,518]},{"type":"call","value":[1248,1680,3044,408]},{"type":"call","value":[1248,1680,3044,646]},{"type":"call","value":[1248,1680,3044,536]},{"type":"call","value":[1248,1680,3044,774]},{"type":"call","value":[1248,1680,3044,664]},{"type":"call","value":[1248,1680,3044,902]},{"type":"call","value":[1248,1680,3044,246]},{"type":"call","value":[1248,1680,3044,792]},{"type":"call","value":[1248,1680,3044,1030]},{"type":"call","value":[1248,1680,3044,374]},{"type":"call","value":[1248,1680,3044,920]},{"type":"call","value":[1248,1680,3044,264]},{"type":"call","value":[1248,1680,3044,502]},{"type":"call","value":[1248,1680,3044,392]},{"type":"call","value":[1248,1680,3044,630]},{"type":"call","value":[1248,1680,3044,520]},{"type":"call","value":[1248,1680,3044,758]},{"type":"call","value":[1248,1680,3044,648]},{"type":"call","value":[1248,1680,3044,886]},{"type":"call","value":[1248,1680,3044,776]},{"type":"call","value":[1248,1680,3044,1014]},{"type":"call","value":[1248,1680,3044,666]},{"type":"call","value":[1248,1680,3044,358]},{"type":"call","value":[1248,1680,3044,904]},{"type":"call","value"
:[1248,1680,3044,248]},{"type":"call","value":[1248,1680,3044,794]},{"type":"call","value":[1248,1680,3044,1032]},{"type":"call","value":[1248,1680,3044,376]},{"type":"call","value":[1248,1680,3044,922]},{"type":"call","value":[1248,1680,3044,266]},{"type":"call","value":[1248,1680,3044,504]},{"type":"call","value":[1248,1680,3044,394]},{"type":"call","value":[1248,1680,3044,632]},{"type":"call","value":[1248,1680,3044,522]},{"type":"call","value":[1248,1680,3044,760]},{"type":"call","value":[1248,1680,3044,650]},{"type":"call","value":[1248,1680,3044,888]},{"type":"call","value":[1248,1680,3044,778]},{"type":"call","value":[1248,1680,3044,1016]},{"type":"call","value":[1248,1680,3044,360]},{"type":"call","value":[1248,1680,3044,906]},{"type":"call","value":[1248,1680,3044,250]},{"type":"call","value":[1248,1680,3044,488]},{"type":"call","value":[1248,1680,3044,1034]},{"type":"call","value":[1248,1680,3044,378]},{"type":"call","value":[1248,1680,3044,616]},{"type":"call","value":[1248,1680,3044,506]},{"type":"call","value":[1248,1680,3044,744]},{"type":"call","value":[1248,1680,3044,396]},{"type":"call","value":[1248,1680,3044,634]},{"type":"call","value":[1248,1680,3044,872]},{"type":"call","value":[1248,1680,3044,524]},{"type":"call","value":[1248,1680,3044,762]},{"type":"call","value":[1248,1680,3044,652]},{"type":"call","value":[1248,1680,3044,890]},{"type":"call","value":[1248,1680,3044,780]},{"type":"call","value":[1248,1680,3044,1018]},{"type":"call","value":[1248,1680,3044,362]},{"type":"call","value":[1248,1680,3044,908]},{"type":"call","value":[1248,1680,3044,252]},{"type":"call","value":[1248,1680,3044,490]},{"type":"call","value":[1248,1680,3044,1036]},{"type":"call","value":[1248,1680,3044,380]},{"type":"call","value":[1248,1680,3044,618]},{"type":"call","value":[1248,1680,3044,508]},{"type":"call","value":[1248,1680,3044,746]},{"type":"call","value":[1248,1680,3044,636]},{"type":"call","value":[1248,1680,3044,874]},{"type":"call","value":[1248,1680,304
4,764]},{"type":"call","value":[1248,1680,3044,1002]},{"type":"call","value":[1248,1680,3044,346]},{"type":"call","value":[1248,1680,3044,892]},{"type":"call","value":[1248,1680,3044,474]},{"type":"call","value":[1248,1680,3044,1020]},{"type":"call","value":[1248,1680,3044,364]},{"type":"call","value":[1248,1680,3044,910]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1248,1680,3044,37]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1248,1680,3044,129]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],
[{"type":"thread","value":[1852,2420,2524]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,141]},{"type":"call","value":[1852,2420,2524,8]},{"type":"call","value":[1852,2420,2524,9]},{"type":"call","value":[1852,2420,2524,133]},{"type":"call","value":[1852,2420,2524,131]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,208]},{"type":"call","value":[1852,2420,2524,130]},{"type":"call","value":[1852,2420,2524,137]},{"type":"call","value":[1852,2420,2524,132]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,283]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,2360,1884]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"lo
cations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1884,50]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captur
es":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,2360,1788]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1788,128]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2724,1816]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,86]},{"type":"call","value":
[1852,2724,1816,25]},{"type":"call","value":[1852,2724,1816,76]},{"type":"call","value":[1852,2724,1816,85]},{"type":"call","value":[1852,2724,1816,63]},{"type":"call","value":[1852,2724,1816,56]},{"type":"call","value":[1852,2724,1816,65]},{"type":"call","value":[1852,2724,1816,106]},{"type":"call","value":[1852,2724,1816,64]},{"type":"call","value":[1852,2724,1816,22]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,41]},{"type":"call","value":[1852,2724,1816,60]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2724,2016]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2724,2016,285]},{"type":"call","value"
:[1852,2724,2016,314]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1852,2724,2016,713]},{"type":"call","value":[1852,2724,2016,539]},{"type":"call","value":[1852,2724,2016,365]},{"type":"call","value":[1852,2724,2016,603]},{"type":"call","value":[1852,2724,2016,429]},{"type":"call","value":[1852,2724,2016,667]},{"type":"call","value":[1852,2724,2016,493]},{"type":"call","value":[1852,2724,2016,731]},{"type":"call","value":[1852,2724,2016,557]},{"type":"call","value":[1852,2724,2016,795]},{"type":"call","value":[1852,2724,2016,621]},{"type":"call","value":[1852,2724,2016,685]},{"type":"call","value":[1852,2724,2016,749]},{"type":"call","value":[1852,2724,2016,813]},{"type":"call","value":[1852,2724,2016,395]},{"type":"call","value":[1852,2724,2016,459]},{"type":"call","value":[1852,2724,2016,523]},{"type":"call","value":[1852,2724,2016,349]},{"type":"call","value":[1852,2724,2016,587]},{"type":"call","value":[1852,2724,2016,413]},{"type":"call","value":[1852,2724,2016,651]},{"type":"call","value":[1852,2724,2016,477]},{"type":"call","value":[1852,2724,2016,715]},{"type":"call","value":[1852,2724,2016,541]},{"type":"call","value":[1852,2724,2016,779]},{"type":"call","value":[1852,2724,2016,605]},{"type":"call","value":[1852,2724,2016,843]},{"type":"call","value":[1852,2724,2016,669]},{"type":"call","value":[1852,2724,2016,733]},{"type":"call","value":[1852,2724,2016,797]},{"type":"call","value":[1852,2724,2016,687]},{"type":"call","value":[1852,2724,2016,379]},{"type":"call","value":[1852,2724,2016,751]},{"type":"call","value":[1852,2724,2016,443]},{"type":"call","value":[1852,2724,2016,815]},{"type":"call","value":[1852,2724,2016,397]},{"type":"call","value":[1852,2724,2016,461]},{"type":"call","value":[1852,27
24,2016,525]},{"type":"call","value":[1852,2724,2016,351]},{"type":"call","value":[1852,2724,2016,589]},{"type":"call","value":[1852,2724,2016,415]},{"type":"call","value":[1852,2724,2016,653]},{"type":"call","value":[1852,2724,2016,479]},{"type":"call","value":[1852,2724,2016,717]},{"type":"call","value":[1852,2724,2016,543]},{"type":"call","value":[1852,2724,2016,781]},{"type":"call","value":[1852,2724,2016,607]},{"type":"call","value":[1852,2724,2016,845]},{"type":"call","value":[1852,2724,2016,671]},{"type":"call","value":[1852,2724,2016,735]},{"type":"call","value":[1852,2724,2016,799]},{"type":"call","value":[1852,2724,2016,381]},{"type":"call","value":[1852,2724,2016,445]},{"type":"call","value":[1852,2724,2016,509]},{"type":"call","value":[1852,2724,2016,573]},{"type":"call","value":[1852,2724,2016,399]},{"type":"call","value":[1852,2724,2016,637]},{"type":"call","value":[1852,2724,2016,463]},{"type":"call","value":[1852,2724,2016,701]},{"type":"call","value":[1852,2724,2016,527]},{"type":"call","value":[1852,2724,2016,765]},{"type":"call","value":[1852,2724,2016,591]},{"type":"call","value":[1852,2724,2016,417]},{"type":"call","value":[1852,2724,2016,829]},{"type":"call","value":[1852,2724,2016,655]},{"type":"call","value":[1852,2724,2016,481]},{"type":"call","value":[1852,2724,2016,719]},{"type":"call","value":[1852,2724,2016,545]},{"type":"call","value":[1852,2724,2016,783]},{"type":"call","value":[1852,2724,2016,609]},{"type":"call","value":[1852,2724,2016,847]},{"type":"call","value":[1852,2724,2016,673]},{"type":"call","value":[1852,2724,2016,737]},{"type":"call","value":[1852,2724,2016,801]},{"type":"call","value":[1852,2724,2016,383]},{"type":"call","value":[1852,2724,2016,447]},{"type":"call","value":[1852,2724,2016,511]},{"type":"call","value":[1852,2724,2016,337]},{"type":"call","value":[1852,2724,2016,575]},{"type":"call","value":[1852,2724,2016,401]},{"type":"call","value":[1852,2724,2016,639]},{"type":"call","value":[1852,2724,2016,465]},{"type
":"call","value":[1852,2724,2016,703]},{"type":"call","value":[1852,2724,2016,529]},{"type":"call","value":[1852,2724,2016,767]},{"type":"call","value":[1852,2724,2016,593]},{"type":"call","value":[1852,2724,2016,831]},{"type":"call","value":[1852,2724,2016,657]},{"type":"call","value":[1852,2724,2016,721]},{"type":"call","value":[1852,2724,2016,785]},{"type":"call","value":[1852,2724,2016,849]},{"type":"call","value":[1852,2724,2016,367]},{"type":"call","value":[1852,2724,2016,431]},{"type":"call","value":[1852,2724,2016,495]},{"type":"call","value":[1852,2724,2016,559]},{"type":"call","value":[1852,2724,2016,385]},{"type":"call","value":[1852,2724,2016,623]},{"type":"call","value":[1852,2724,2016,449]},{"type":"call","value":[1852,2724,2016,513]},{"type":"call","value":[1852,2724,2016,339]},{"type":"call","value":[1852,2724,2016,577]},{"type":"call","value":[1852,2724,2016,403]},{"type":"call","value":[1852,2724,2016,641]},{"type":"call","value":[1852,2724,2016,467]},{"type":"call","value":[1852,2724,2016,705]},{"type":"call","value":[1852,2724,2016,531]},{"type":"call","value":[1852,2724,2016,769]},{"type":"call","value":[1852,2724,2016,595]},{"type":"call","value":[1852,2724,2016,833]},{"type":"call","value":[1852,2724,2016,659]},{"type":"call","value":[1852,2724,2016,723]},{"type":"call","value":[1852,2724,2016,787]},{"type":"call","value":[1852,2724,2016,851]},{"type":"call","value":[1852,2724,2016,369]},{"type":"call","value":[1852,2724,2016,433]},{"type":"call","value":[1852,2724,2016,497]},{"type":"call","value":[1852,2724,2016,561]},{"type":"call","value":[1852,2724,2016,387]},{"type":"call","value":[1852,2724,2016,625]},{"type":"call","value":[1852,2724,2016,451]},{"type":"call","value":[1852,2724,2016,689]},{"type":"call","value":[1852,2724,2016,515]},{"type":"call","value":[1852,2724,2016,753]},{"type":"call","value":[1852,2724,2016,579]},{"type":"call","value":[1852,2724,2016,817]},{"type":"call","value":[1852,2724,2016,643]},{"type":"call","value":[18
52,2724,2016,707]},{"type":"call","value":[1852,2724,2016,771]},{"type":"call","value":[1852,2724,2016,597]},{"type":"call","value":[1852,2724,2016,835]},{"type":"call","value":[1852,2724,2016,661]},{"type":"call","value":[1852,2724,2016,353]},{"type":"call","value":[1852,2724,2016,725]},{"type":"call","value":[1852,2724,2016,789]},{"type":"call","value":[1852,2724,2016,371]},{"type":"call","value":[1852,2724,2016,435]},{"type":"call","value":[1852,2724,2016,499]},{"type":"call","value":[1852,2724,2016,563]},{"type":"call","value":[1852,2724,2016,389]},{"type":"call","value":[1852,2724,2016,627]},{"type":"call","value":[1852,2724,2016,453]},{"type":"call","value":[1852,2724,2016,691]},{"type":"call","value":[1852,2724,2016,517]},{"type":"call","value":[1852,2724,2016,755]},{"type":"call","value":[1852,2724,2016,581]},{"type":"call","value":[1852,2724,2016,819]},{"type":"call","value":[1852,2724,2016,645]},{"type":"call","value":[1852,2724,2016,709]},{"type":"call","value":[1852,2724,2016,773]},{"type":"call","value":[1852,2724,2016,837]},{"type":"call","value":[1852,2724,2016,355]},{"type":"call","value":[1852,2724,2016,419]},{"type":"call","value":[1852,2724,2016,483]},{"type":"call","value":[1852,2724,2016,547]},{"type":"call","value":[1852,2724,2016,373]},{"type":"call","value":[1852,2724,2016,611]},{"type":"call","value":[1852,2724,2016,437]},{"type":"call","value":[1852,2724,2016,675]},{"type":"call","value":[1852,2724,2016,501]},{"type":"call","value":[1852,2724,2016,739]},{"type":"call","value":[1852,2724,2016,565]},{"type":"call","value":[1852,2724,2016,391]},{"type":"call","value":[1852,2724,2016,803]},{"type":"call","value":[1852,2724,2016,629]},{"type":"call","value":[1852,2724,2016,455]},{"type":"call","value":[1852,2724,2016,693]},{"type":"call","value":[1852,2724,2016,519]},{"type":"call","value":[1852,2724,2016,757]},{"type":"call","value":[1852,2724,2016,583]},{"type":"call","value":[1852,2724,2016,821]},{"type":"call","value":[1852,2724,2016,647]},{
"type":"call","value":[1852,2724,2016,711]},{"type":"call","value":[1852,2724,2016,775]},{"type":"call","value":[1852,2724,2016,839]},{"type":"call","value":[1852,2724,2016,357]},{"type":"call","value":[1852,2724,2016,421]},{"type":"call","value":[1852,2724,2016,485]},{"type":"call","value":[1852,2724,2016,549]},{"type":"call","value":[1852,2724,2016,375]},{"type":"call","value":[1852,2724,2016,613]},{"type":"call","value":[1852,2724,2016,439]},{"type":"call","value":[1852,2724,2016,677]},{"type":"call","value":[1852,2724,2016,503]},{"type":"call","value":[1852,2724,2016,741]},{"type":"call","value":[1852,2724,2016,567]},{"type":"call","value":[1852,2724,2016,805]},{"type":"call","value":[1852,2724,2016,631]},{"type":"call","value":[1852,2724,2016,695]},{"type":"call","value":[1852,2724,2016,759]},{"type":"call","value":[1852,2724,2016,823]},{"type":"call","value":[1852,2724,2016,341]},{"type":"call","value":[1852,2724,2016,405]},{"type":"call","value":[1852,2724,2016,777]},{"type":"call","value":[1852,2724,2016,469]},{"type":"call","value":[1852,2724,2016,841]},{"type":"call","value":[1852,2724,2016,533]},{"type":"call","value":[1852,2724,2016,359]},{"type":"call","value":[1852,2724,2016,423]},{"type":"call","value":[1852,2724,2016,487]},{"type":"call","value":[1852,2724,2016,551]},{"type":"call","value":[1852,2724,2016,377]},{"type":"call","value":[1852,2724,2016,615]},{"type":"call","value":[1852,2724,2016,441]},{"type":"call","value":[1852,2724,2016,679]},{"type":"call","value":[1852,2724,2016,505]},{"type":"call","value":[1852,2724,2016,743]},{"type":"call","value":[1852,2724,2016,569]},{"type":"call","value":[1852,2724,2016,807]},{"type":"call","value":[1852,2724,2016,633]},{"type":"call","value":[1852,2724,2016,697]},{"type":"call","value":[1852,2724,2016,761]},{"type":"call","value":[1852,2724,2016,825]},{"type":"call","value":[1852,2724,2016,343]},{"type":"call","value":[1852,2724,2016,407]},{"type":"call","value":[1852,2724,2016,471]},{"type":"call","value
":[1852,2724,2016,535]},{"type":"call","value":[1852,2724,2016,361]},{"type":"call","value":[1852,2724,2016,599]},{"type":"call","value":[1852,2724,2016,425]},{"type":"call","value":[1852,2724,2016,663]},{"type":"call","value":[1852,2724,2016,489]},{"type":"call","value":[1852,2724,2016,727]},{"type":"call","value":[1852,2724,2016,553]},{"type":"call","value":[1852,2724,2016,791]},{"type":"call","value":[1852,2724,2016,617]},{"type":"call","value":[1852,2724,2016,681]},{"type":"call","value":[1852,2724,2016,507]},{"type":"call","value":[1852,2724,2016,745]},{"type":"call","value":[1852,2724,2016,571]},{"type":"call","value":[1852,2724,2016,809]},{"type":"call","value":[1852,2724,2016,635]},{"type":"call","value":[1852,2724,2016,699]},{"type":"call","value":[1852,2724,2016,763]},{"type":"call","value":[1852,2724,2016,827]},{"type":"call","value":[1852,2724,2016,345]},{"type":"call","value":[1852,2724,2016,409]},{"type":"call","value":[1852,2724,2016,473]},{"type":"call","value":[1852,2724,2016,537]},{"type":"call","value":[1852,2724,2016,363]},{"type":"call","value":[1852,2724,2016,601]},{"type":"call","value":[1852,2724,2016,427]},{"type":"call","value":[1852,2724,2016,665]},{"type":"call","value":[1852,2724,2016,491]},{"type":"call","value":[1852,2724,2016,729]},{"type":"call","value":[1852,2724,2016,555]},{"type":"call","value":[1852,2724,2016,793]},{"type":"call","value":[1852,2724,2016,619]},{"type":"call","value":[1852,2724,2016,683]},{"type":"call","value":[1852,2724,2016,747]},{"type":"call","value":[1852,2724,2016,811]},{"type":"call","value":[1852,2724,2016,393]},{"type":"call","value":[1852,2724,2016,457]},{"type":"call","value":[1852,2724,2016,521]},{"type":"call","value":[1852,2724,2016,347]},{"type":"call","value":[1852,2724,2016,585]},{"type":"call","value":[1852,2724,2016,411]},{"type":"call","value":[1852,2724,2016,649]},{"type":"call","value":[1852,2724,2016,475]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api
":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1852,2724,2016,138]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1852,2724,2016,231]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2800,640]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}}
,{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,15]},{"type":"call","value":[1852,2800,640,56]},{"type":"call","value":[1852,2800,640,78]},{"type":"call","value":[1852,2800,640,68]},{"type":"call","value":[1852,2800,640,55]},{"type":"call","value":[1852,2800,640,77]},{"type":"call","value":[1852,2800,640,90]},{"type":"call","value":[1852,2800,640,48]},{"type":"call","value":[1852,2800,640,99]},{"type":"call","value":[1852,2800,640,57]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,33]},{"type":"call","value":[1852,2800,640,52]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2800,3044]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2800,3044,304]}],"captures":{}},{"succ
ess":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1852,2800,3044,383]},{"type":"call","value":[1852,2800,3044,621]},{"type":"call","value":[1852,2800,3044,511]},{"type":"call","value":[1852,2800,3044,749]},{"type":"call","value":[1852,2800,3044,401]},{"type":"call","value":[1852,2800,3044,639]},{"type":"call","value":[1852,2800,3044,877]},{"type":"call","value":[1852,2800,3044,529]},{"type":"call","value":[1852,2800,3044,767]},{"type":"call","value":[1852,2800,3044,657]},{"type":"call","value":[1852,2800,3044,895]},{"type":"call","value":[1852,2800,3044,785]},{"type":"call","value":[1852,2800,3044,1023]},{"type":"call","value":[1852,2800,3044,367]},{"type":"call","value":[1852,2800,3044,913]},{"type":"call","value":[1852,2800,3044,495]},{"type":"call","value":[1852,2800,3044,1041]},{"type":"call","value":[1852,2800,3044,385]},{"type":"call","value":[1852,2800,3044,623]},{"type":"call","value":[1852,2800,3044,513]},{"type":"call","value":[1852,2800,3044,751]},{"type":"call","value":[1852,2800,3044,641]},{"type":"call","value":[1852,2800,3044,879]},{"type":"call","value":[1852,2800,3044,769]},{"type":"call","value":[1852,2800,3044,1007]},{"type":"call","value":[1852,2800,3044,351]},{"type":"call","value":[1852,2800,3044,897]},{"type":"call","value":[1852,2800,3044,479]},{"type":"call","value":[1852,2800,3044,1025]},{"type":"call","value":[1852,2800,3044,369]},{"type":"call","value":[1852,2800,3044,915]},{"type":"call","value":[1852,2800,3044,607]},{"type":"call","value":[1852,2800,3044,497]},{"type":"call","value":[1852,2800,3044,1043]},{"type":"call","value":[1852,2800,3044,387]},{"type":"call","value":[1852,2800,3044,625]},{"type":"call","value":[1852,2800,3044,515]},{"type":"call","value":[1852,2800,3044,753]},{"type":"call","value":[18
52,2800,3044,643]},{"type":"call","value":[1852,2800,3044,881]},{"type":"call","value":[1852,2800,3044,771]},{"type":"call","value":[1852,2800,3044,1009]},{"type":"call","value":[1852,2800,3044,353]},{"type":"call","value":[1852,2800,3044,899]},{"type":"call","value":[1852,2800,3044,481]},{"type":"call","value":[1852,2800,3044,1027]},{"type":"call","value":[1852,2800,3044,371]},{"type":"call","value":[1852,2800,3044,609]},{"type":"call","value":[1852,2800,3044,499]},{"type":"call","value":[1852,2800,3044,737]},{"type":"call","value":[1852,2800,3044,627]},{"type":"call","value":[1852,2800,3044,865]},{"type":"call","value":[1852,2800,3044,755]},{"type":"call","value":[1852,2800,3044,993]},{"type":"call","value":[1852,2800,3044,645]},{"type":"call","value":[1852,2800,3044,883]},{"type":"call","value":[1852,2800,3044,773]},{"type":"call","value":[1852,2800,3044,1011]},{"type":"call","value":[1852,2800,3044,355]},{"type":"call","value":[1852,2800,3044,901]},{"type":"call","value":[1852,2800,3044,483]},{"type":"call","value":[1852,2800,3044,1029]},{"type":"call","value":[1852,2800,3044,373]},{"type":"call","value":[1852,2800,3044,611]},{"type":"call","value":[1852,2800,3044,501]},{"type":"call","value":[1852,2800,3044,739]},{"type":"call","value":[1852,2800,3044,629]},{"type":"call","value":[1852,2800,3044,867]},{"type":"call","value":[1852,2800,3044,757]},{"type":"call","value":[1852,2800,3044,995]},{"type":"call","value":[1852,2800,3044,339]},{"type":"call","value":[1852,2800,3044,885]},{"type":"call","value":[1852,2800,3044,1123]},{"type":"call","value":[1852,2800,3044,467]},{"type":"call","value":[1852,2800,3044,1013]},{"type":"call","value":[1852,2800,3044,357]},{"type":"call","value":[1852,2800,3044,595]},{"type":"call","value":[1852,2800,3044,485]},{"type":"call","value":[1852,2800,3044,1031]},{"type":"call","value":[1852,2800,3044,723]},{"type":"call","value":[1852,2800,3044,375]},{"type":"call","value":[1852,2800,3044,613]},{"type":"call","value":[1852,2800,3044,
503]},{"type":"call","value":[1852,2800,3044,741]},{"type":"call","value":[1852,2800,3044,631]},{"type":"call","value":[1852,2800,3044,869]},{"type":"call","value":[1852,2800,3044,759]},{"type":"call","value":[1852,2800,3044,997]},{"type":"call","value":[1852,2800,3044,341]},{"type":"call","value":[1852,2800,3044,887]},{"type":"call","value":[1852,2800,3044,469]},{"type":"call","value":[1852,2800,3044,1015]},{"type":"call","value":[1852,2800,3044,359]},{"type":"call","value":[1852,2800,3044,597]},{"type":"call","value":[1852,2800,3044,487]},{"type":"call","value":[1852,2800,3044,725]},{"type":"call","value":[1852,2800,3044,615]},{"type":"call","value":[1852,2800,3044,853]},{"type":"call","value":[1852,2800,3044,743]},{"type":"call","value":[1852,2800,3044,981]},{"type":"call","value":[1852,2800,3044,871]},{"type":"call","value":[1852,2800,3044,1109]},{"type":"call","value":[1852,2800,3044,761]},{"type":"call","value":[1852,2800,3044,453]},{"type":"call","value":[1852,2800,3044,999]},{"type":"call","value":[1852,2800,3044,343]},{"type":"call","value":[1852,2800,3044,889]},{"type":"call","value":[1852,2800,3044,471]},{"type":"call","value":[1852,2800,3044,1017]},{"type":"call","value":[1852,2800,3044,361]},{"type":"call","value":[1852,2800,3044,599]},{"type":"call","value":[1852,2800,3044,489]},{"type":"call","value":[1852,2800,3044,727]},{"type":"call","value":[1852,2800,3044,617]},{"type":"call","value":[1852,2800,3044,855]},{"type":"call","value":[1852,2800,3044,745]},{"type":"call","value":[1852,2800,3044,983]},{"type":"call","value":[1852,2800,3044,327]},{"type":"call","value":[1852,2800,3044,873]},{"type":"call","value":[1852,2800,3044,1111]},{"type":"call","value":[1852,2800,3044,455]},{"type":"call","value":[1852,2800,3044,1001]},{"type":"call","value":[1852,2800,3044,345]},{"type":"call","value":[1852,2800,3044,583]},{"type":"call","value":[1852,2800,3044,473]},{"type":"call","value":[1852,2800,3044,711]},{"type":"call","value":[1852,2800,3044,601]},{"type":"
call","value":[1852,2800,3044,839]},{"type":"call","value":[1852,2800,3044,491]},{"type":"call","value":[1852,2800,3044,729]},{"type":"call","value":[1852,2800,3044,967]},{"type":"call","value":[1852,2800,3044,619]},{"type":"call","value":[1852,2800,3044,857]},{"type":"call","value":[1852,2800,3044,747]},{"type":"call","value":[1852,2800,3044,985]},{"type":"call","value":[1852,2800,3044,875]},{"type":"call","value":[1852,2800,3044,1113]},{"type":"call","value":[1852,2800,3044,457]},{"type":"call","value":[1852,2800,3044,1003]},{"type":"call","value":[1852,2800,3044,347]},{"type":"call","value":[1852,2800,3044,585]},{"type":"call","value":[1852,2800,3044,475]},{"type":"call","value":[1852,2800,3044,713]},{"type":"call","value":[1852,2800,3044,603]},{"type":"call","value":[1852,2800,3044,841]},{"type":"call","value":[1852,2800,3044,731]},{"type":"call","value":[1852,2800,3044,969]},{"type":"call","value":[1852,2800,3044,859]},{"type":"call","value":[1852,2800,3044,1097]},{"type":"call","value":[1852,2800,3044,441]},{"type":"call","value":[1852,2800,3044,987]},{"type":"call","value":[1852,2800,3044,331]},{"type":"call","value":[1852,2800,3044,569]},{"type":"call","value":[1852,2800,3044,1115]},{"type":"call","value":[1852,2800,3044,459]},{"type":"call","value":[1852,2800,3044,1005]},{"type":"call","value":[1852,2800,3044,697]},{"type":"call","value":[1852,2800,3044,349]},{"type":"call","value":[1852,2800,3044,587]},{"type":"call","value":[1852,2800,3044,477]},{"type":"call","value":[1852,2800,3044,715]},{"type":"call","value":[1852,2800,3044,605]},{"type":"call","value":[1852,2800,3044,843]},{"type":"call","value":[1852,2800,3044,733]},{"type":"call","value":[1852,2800,3044,971]},{"type":"call","value":[1852,2800,3044,861]},{"type":"call","value":[1852,2800,3044,1099]},{"type":"call","value":[1852,2800,3044,443]},{"type":"call","value":[1852,2800,3044,989]},{"type":"call","value":[1852,2800,3044,333]},{"type":"call","value":[1852,2800,3044,571]},{"type":"call","value":
[1852,2800,3044,1117]},{"type":"call","value":[1852,2800,3044,461]},{"type":"call","value":[1852,2800,3044,699]},{"type":"call","value":[1852,2800,3044,589]},{"type":"call","value":[1852,2800,3044,827]},{"type":"call","value":[1852,2800,3044,717]},{"type":"call","value":[1852,2800,3044,955]},{"type":"call","value":[1852,2800,3044,845]},{"type":"call","value":[1852,2800,3044,1083]},{"type":"call","value":[1852,2800,3044,735]},{"type":"call","value":[1852,2800,3044,427]},{"type":"call","value":[1852,2800,3044,973]},{"type":"call","value":[1852,2800,3044,863]},{"type":"call","value":[1852,2800,3044,1101]},{"type":"call","value":[1852,2800,3044,445]},{"type":"call","value":[1852,2800,3044,991]},{"type":"call","value":[1852,2800,3044,335]},{"type":"call","value":[1852,2800,3044,573]},{"type":"call","value":[1852,2800,3044,1119]},{"type":"call","value":[1852,2800,3044,463]},{"type":"call","value":[1852,2800,3044,701]},{"type":"call","value":[1852,2800,3044,591]},{"type":"call","value":[1852,2800,3044,829]},{"type":"call","value":[1852,2800,3044,719]},{"type":"call","value":[1852,2800,3044,957]},{"type":"call","value":[1852,2800,3044,847]},{"type":"call","value":[1852,2800,3044,1085]},{"type":"call","value":[1852,2800,3044,429]},{"type":"call","value":[1852,2800,3044,975]},{"type":"call","value":[1852,2800,3044,557]},{"type":"call","value":[1852,2800,3044,1103]},{"type":"call","value":[1852,2800,3044,447]},{"type":"call","value":[1852,2800,3044,685]},{"type":"call","value":[1852,2800,3044,337]},{"type":"call","value":[1852,2800,3044,575]},{"type":"call","value":[1852,2800,3044,1121]},{"type":"call","value":[1852,2800,3044,813]},{"type":"call","value":[1852,2800,3044,465]},{"type":"call","value":[1852,2800,3044,703]},{"type":"call","value":[1852,2800,3044,593]},{"type":"call","value":[1852,2800,3044,831]},{"type":"call","value":[1852,2800,3044,721]},{"type":"call","value":[1852,2800,3044,959]},{"type":"call","value":[1852,2800,3044,849]},{"type":"call","value":[1852,2800,30
44,1087]},{"type":"call","value":[1852,2800,3044,431]},{"type":"call","value":[1852,2800,3044,977]},{"type":"call","value":[1852,2800,3044,559]},{"type":"call","value":[1852,2800,3044,1105]},{"type":"call","value":[1852,2800,3044,449]},{"type":"call","value":[1852,2800,3044,687]},{"type":"call","value":[1852,2800,3044,577]},{"type":"call","value":[1852,2800,3044,815]},{"type":"call","value":[1852,2800,3044,705]},{"type":"call","value":[1852,2800,3044,943]},{"type":"call","value":[1852,2800,3044,833]},{"type":"call","value":[1852,2800,3044,1071]},{"type":"call","value":[1852,2800,3044,415]},{"type":"call","value":[1852,2800,3044,961]},{"type":"call","value":[1852,2800,3044,851]},{"type":"call","value":[1852,2800,3044,543]},{"type":"call","value":[1852,2800,3044,1089]},{"type":"call","value":[1852,2800,3044,433]},{"type":"call","value":[1852,2800,3044,979]},{"type":"call","value":[1852,2800,3044,561]},{"type":"call","value":[1852,2800,3044,1107]},{"type":"call","value":[1852,2800,3044,451]},{"type":"call","value":[1852,2800,3044,689]},{"type":"call","value":[1852,2800,3044,579]},{"type":"call","value":[1852,2800,3044,817]},{"type":"call","value":[1852,2800,3044,707]},{"type":"call","value":[1852,2800,3044,945]},{"type":"call","value":[1852,2800,3044,835]},{"type":"call","value":[1852,2800,3044,1073]},{"type":"call","value":[1852,2800,3044,417]},{"type":"call","value":[1852,2800,3044,963]},{"type":"call","value":[1852,2800,3044,545]},{"type":"call","value":[1852,2800,3044,1091]},{"type":"call","value":[1852,2800,3044,435]},{"type":"call","value":[1852,2800,3044,673]},{"type":"call","value":[1852,2800,3044,563]},{"type":"call","value":[1852,2800,3044,801]},{"type":"call","value":[1852,2800,3044,691]},{"type":"call","value":[1852,2800,3044,929]},{"type":"call","value":[1852,2800,3044,581]},{"type":"call","value":[1852,2800,3044,819]},{"type":"call","value":[1852,2800,3044,1057]},{"type":"call","value":[1852,2800,3044,709]},{"type":"call","value":[1852,2800,3044,947]},{"t
ype":"call","value":[1852,2800,3044,837]},{"type":"call","value":[1852,2800,3044,1075]},{"type":"call","value":[1852,2800,3044,419]},{"type":"call","value":[1852,2800,3044,965]},{"type":"call","value":[1852,2800,3044,547]},{"type":"call","value":[1852,2800,3044,1093]},{"type":"call","value":[1852,2800,3044,437]},{"type":"call","value":[1852,2800,3044,675]},{"type":"call","value":[1852,2800,3044,565]},{"type":"call","value":[1852,2800,3044,803]},{"type":"call","value":[1852,2800,3044,693]},{"type":"call","value":[1852,2800,3044,931]},{"type":"call","value":[1852,2800,3044,821]},{"type":"call","value":[1852,2800,3044,1059]},{"type":"call","value":[1852,2800,3044,403]},{"type":"call","value":[1852,2800,3044,949]},{"type":"call","value":[1852,2800,3044,531]},{"type":"call","value":[1852,2800,3044,1077]},{"type":"call","value":[1852,2800,3044,421]},{"type":"call","value":[1852,2800,3044,659]},{"type":"call","value":[1852,2800,3044,549]},{"type":"call","value":[1852,2800,3044,1095]},{"type":"call","value":[1852,2800,3044,787]},{"type":"call","value":[1852,2800,3044,439]},{"type":"call","value":[1852,2800,3044,677]},{"type":"call","value":[1852,2800,3044,567]},{"type":"call","value":[1852,2800,3044,805]},{"type":"call","value":[1852,2800,3044,695]},{"type":"call","value":[1852,2800,3044,933]},{"type":"call","value":[1852,2800,3044,823]},{"type":"call","value":[1852,2800,3044,1061]},{"type":"call","value":[1852,2800,3044,405]},{"type":"call","value":[1852,2800,3044,951]},{"type":"call","value":[1852,2800,3044,533]},{"type":"call","value":[1852,2800,3044,1079]},{"type":"call","value":[1852,2800,3044,423]},{"type":"call","value":[1852,2800,3044,661]},{"type":"call","value":[1852,2800,3044,551]},{"type":"call","value":[1852,2800,3044,789]},{"type":"call","value":[1852,2800,3044,679]},{"type":"call","value":[1852,2800,3044,917]},{"type":"call","value":[1852,2800,3044,807]},{"type":"call","value":[1852,2800,3044,1045]},{"type":"call","value":[1852,2800,3044,389]},{"type":"call",
"value":[1852,2800,3044,935]},{"type":"call","value":[1852,2800,3044,825]},{"type":"call","value":[1852,2800,3044,517]},{"type":"call","value":[1852,2800,3044,1063]},{"type":"call","value":[1852,2800,3044,407]},{"type":"call","value":[1852,2800,3044,953]},{"type":"call","value":[1852,2800,3044,535]},{"type":"call","value":[1852,2800,3044,1081]},{"type":"call","value":[1852,2800,3044,425]},{"type":"call","value":[1852,2800,3044,663]},{"type":"call","value":[1852,2800,3044,553]},{"type":"call","value":[1852,2800,3044,791]},{"type":"call","value":[1852,2800,3044,681]},{"type":"call","value":[1852,2800,3044,919]},{"type":"call","value":[1852,2800,3044,809]},{"type":"call","value":[1852,2800,3044,1047]},{"type":"call","value":[1852,2800,3044,391]},{"type":"call","value":[1852,2800,3044,937]},{"type":"call","value":[1852,2800,3044,519]},{"type":"call","value":[1852,2800,3044,1065]},{"type":"call","value":[1852,2800,3044,409]},{"type":"call","value":[1852,2800,3044,647]},{"type":"call","value":[1852,2800,3044,537]},{"type":"call","value":[1852,2800,3044,775]},{"type":"call","value":[1852,2800,3044,665]},{"type":"call","value":[1852,2800,3044,903]},{"type":"call","value":[1852,2800,3044,555]},{"type":"call","value":[1852,2800,3044,793]},{"type":"call","value":[1852,2800,3044,683]},{"type":"call","value":[1852,2800,3044,921]},{"type":"call","value":[1852,2800,3044,811]},{"type":"call","value":[1852,2800,3044,1049]},{"type":"call","value":[1852,2800,3044,393]},{"type":"call","value":[1852,2800,3044,939]},{"type":"call","value":[1852,2800,3044,521]},{"type":"call","value":[1852,2800,3044,1067]},{"type":"call","value":[1852,2800,3044,411]},{"type":"call","value":[1852,2800,3044,649]},{"type":"call","value":[1852,2800,3044,539]},{"type":"call","value":[1852,2800,3044,777]},{"type":"call","value":[1852,2800,3044,667]},{"type":"call","value":[1852,2800,3044,905]},{"type":"call","value":[1852,2800,3044,795]},{"type":"call","value":[1852,2800,3044,1033]},{"type":"call","value":[1852
,2800,3044,377]},{"type":"call","value":[1852,2800,3044,923]},{"type":"call","value":[1852,2800,3044,505]},{"type":"call","value":[1852,2800,3044,1051]},{"type":"call","value":[1852,2800,3044,395]},{"type":"call","value":[1852,2800,3044,941]},{"type":"call","value":[1852,2800,3044,633]},{"type":"call","value":[1852,2800,3044,523]},{"type":"call","value":[1852,2800,3044,1069]},{"type":"call","value":[1852,2800,3044,413]},{"type":"call","value":[1852,2800,3044,651]},{"type":"call","value":[1852,2800,3044,541]},{"type":"call","value":[1852,2800,3044,779]},{"type":"call","value":[1852,2800,3044,669]},{"type":"call","value":[1852,2800,3044,907]},{"type":"call","value":[1852,2800,3044,797]},{"type":"call","value":[1852,2800,3044,1035]},{"type":"call","value":[1852,2800,3044,379]},{"type":"call","value":[1852,2800,3044,925]},{"type":"call","value":[1852,2800,3044,507]},{"type":"call","value":[1852,2800,3044,1053]},{"type":"call","value":[1852,2800,3044,397]},{"type":"call","value":[1852,2800,3044,635]},{"type":"call","value":[1852,2800,3044,525]},{"type":"call","value":[1852,2800,3044,763]},{"type":"call","value":[1852,2800,3044,653]},{"type":"call","value":[1852,2800,3044,891]},{"type":"call","value":[1852,2800,3044,781]},{"type":"call","value":[1852,2800,3044,1019]},{"type":"call","value":[1852,2800,3044,671]},{"type":"call","value":[1852,2800,3044,363]},{"type":"call","value":[1852,2800,3044,909]},{"type":"call","value":[1852,2800,3044,799]},{"type":"call","value":[1852,2800,3044,1037]},{"type":"call","value":[1852,2800,3044,381]},{"type":"call","value":[1852,2800,3044,927]},{"type":"call","value":[1852,2800,3044,509]},{"type":"call","value":[1852,2800,3044,1055]},{"type":"call","value":[1852,2800,3044,399]},{"type":"call","value":[1852,2800,3044,637]},{"type":"call","value":[1852,2800,3044,527]},{"type":"call","value":[1852,2800,3044,765]},{"type":"call","value":[1852,2800,3044,655]},{"type":"call","value":[1852,2800,3044,893]},{"type":"call","value":[1852,2800,3044,78
3]},{"type":"call","value":[1852,2800,3044,1021]},{"type":"call","value":[1852,2800,3044,365]},{"type":"call","value":[1852,2800,3044,911]},{"type":"call","value":[1852,2800,3044,493]},{"type":"call","value":[1852,2800,3044,1039]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1852,2800,3044,131]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1852,2800,3044,224]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2744,2916]},{"success":true,"node":{"type":"statement","state
ment":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,138]},{"type":"call","value":[1852,2744,2916,16]},{"type":"call","value":[1852,2744,2916,480]},{"type":"call","value":[1852,2744,2916,150]},{"type":"call","value":[1852,2744,2916,481]},{"type":"call","value":[1852,2744,2916,15]},{"type":"call","value":[1852,2744,2916,711]},{"type":"call","value":[1852,2744,2916,140]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,364]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,217]},{"type":"call","value":[1852,2744,2916,139]},{"type":"call","value":[1852,2744,2916,146]},{"type":"call","value":[1852,2744,2916,137]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,291]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2744,2672]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"lo
cations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2672,141]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captu
res":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,500,240]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,338]},{"type":"call","value":[1852,500,240,8]},{"type":"call","value":[1852,500,240,143]},{"type":"call","value":[1852,500,240,133]},{"type":"call","value":[1852,500,240,135]},{"type":"call","value":[1852,500,240,9]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,210]},{"type":"call","value":[1852,500,240,132]},{"type":"call","value":[1852,500,240,139]},{"type":"call","value":[1852,500,240,134]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,284]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,500,900]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],
"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[1852,500,900,130]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"loc
ations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1572,2932]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2932,212]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2932,595]},{"type":"call","value":[2820,1572,2932,659]},{"type":"call","value":[2820,1572,2932,723]},{"type":"call","value":[2820,1572,2932,241]},{"type":"call","value":[2820,1572,2932,305]},{"type":"call","value":[2820,1572,2932,369]},{"type":"call","value":[2820,1572,2932,433]},{"type":"call","value":[2820,1572,2932,259]},{"type":"call","value":[2820,1572,2932,497]},{"type":"call","value":[2820,1572,2932,323]},{"type":"call","value":[2820,1572,2932,561]},{"type":"call","value":[2820,1572,2932,387]},{"type":"call","value":[2820,1572,2932,625]},{"type":"call","value":[2820,1572,2932,451]},{"type":"call","value":[2820,1572,2932,689]},{"type":"call","value":[2820,1572,2932,515]},{"type":"call","value":[2820,1572,2932,341]},{"type":"call","value":[2820,1572,2932,579]},{"type":"call","value":[2820,1572,2932,405]},{"type":"call","value":[2820,1572,2932,643]},{"type":"call","value":[2820,1
572,2932,469]},{"type":"call","value":[2820,1572,2932,707]},{"type":"call","value":[2820,1572,2932,533]},{"type":"call","value":[2820,1572,2932,597]},{"type":"call","value":[2820,1572,2932,661]},{"type":"call","value":[2820,1572,2932,725]},{"type":"call","value":[2820,1572,2932,243]},{"type":"call","value":[2820,1572,2932,307]},{"type":"call","value":[2820,1572,2932,371]},{"type":"call","value":[2820,1572,2932,435]},{"type":"call","value":[2820,1572,2932,261]},{"type":"call","value":[2820,1572,2932,499]},{"type":"call","value":[2820,1572,2932,325]},{"type":"call","value":[2820,1572,2932,563]},{"type":"call","value":[2820,1572,2932,389]},{"type":"call","value":[2820,1572,2932,627]},{"type":"call","value":[2820,1572,2932,453]},{"type":"call","value":[2820,1572,2932,691]},{"type":"call","value":[2820,1572,2932,517]},{"type":"call","value":[2820,1572,2932,581]},{"type":"call","value":[2820,1572,2932,645]},{"type":"call","value":[2820,1572,2932,709]},{"type":"call","value":[2820,1572,2932,291]},{"type":"call","value":[2820,1572,2932,355]},{"type":"call","value":[2820,1572,2932,419]},{"type":"call","value":[2820,1572,2932,245]},{"type":"call","value":[2820,1572,2932,483]},{"type":"call","value":[2820,1572,2932,309]},{"type":"call","value":[2820,1572,2932,547]},{"type":"call","value":[2820,1572,2932,373]},{"type":"call","value":[2820,1572,2932,437]},{"type":"call","value":[2820,1572,2932,263]},{"type":"call","value":[2820,1572,2932,501]},{"type":"call","value":[2820,1572,2932,327]},{"type":"call","value":[2820,1572,2932,565]},{"type":"call","value":[2820,1572,2932,391]},{"type":"call","value":[2820,1572,2932,629]},{"type":"call","value":[2820,1572,2932,455]},{"type":"call","value":[2820,1572,2932,693]},{"type":"call","value":[2820,1572,2932,519]},{"type":"call","value":[2820,1572,2932,583]},{"type":"call","value":[2820,1572,2932,647]},{"type":"call","value":[2820,1572,2932,711]},{"type":"call","value":[2820,1572,2932,293]},{"type":"call","value":[2820,1572,2932,357]},{"typ
e":"call","value":[2820,1572,2932,421]},{"type":"call","value":[2820,1572,2932,247]},{"type":"call","value":[2820,1572,2932,485]},{"type":"call","value":[2820,1572,2932,311]},{"type":"call","value":[2820,1572,2932,549]},{"type":"call","value":[2820,1572,2932,375]},{"type":"call","value":[2820,1572,2932,613]},{"type":"call","value":[2820,1572,2932,439]},{"type":"call","value":[2820,1572,2932,677]},{"type":"call","value":[2820,1572,2932,503]},{"type":"call","value":[2820,1572,2932,741]},{"type":"call","value":[2820,1572,2932,567]},{"type":"call","value":[2820,1572,2932,631]},{"type":"call","value":[2820,1572,2932,695]},{"type":"call","value":[2820,1572,2932,521]},{"type":"call","value":[2820,1572,2932,585]},{"type":"call","value":[2820,1572,2932,277]},{"type":"call","value":[2820,1572,2932,649]},{"type":"call","value":[2820,1572,2932,713]},{"type":"call","value":[2820,1572,2932,295]},{"type":"call","value":[2820,1572,2932,359]},{"type":"call","value":[2820,1572,2932,423]},{"type":"call","value":[2820,1572,2932,249]},{"type":"call","value":[2820,1572,2932,487]},{"type":"call","value":[2820,1572,2932,313]},{"type":"call","value":[2820,1572,2932,551]},{"type":"call","value":[2820,1572,2932,377]},{"type":"call","value":[2820,1572,2932,615]},{"type":"call","value":[2820,1572,2932,441]},{"type":"call","value":[2820,1572,2932,679]},{"type":"call","value":[2820,1572,2932,505]},{"type":"call","value":[2820,1572,2932,743]},{"type":"call","value":[2820,1572,2932,569]},{"type":"call","value":[2820,1572,2932,633]},{"type":"call","value":[2820,1572,2932,697]},{"type":"call","value":[2820,1572,2932,279]},{"type":"call","value":[2820,1572,2932,343]},{"type":"call","value":[2820,1572,2932,407]},{"type":"call","value":[2820,1572,2932,471]},{"type":"call","value":[2820,1572,2932,297]},{"type":"call","value":[2820,1572,2932,535]},{"type":"call","value":[2820,1572,2932,361]},{"type":"call","value":[2820,1572,2932,599]},{"type":"call","value":[2820,1572,2932,425]},{"type":"call","value":[2
820,1572,2932,251]},{"type":"call","value":[2820,1572,2932,663]},{"type":"call","value":[2820,1572,2932,489]},{"type":"call","value":[2820,1572,2932,315]},{"type":"call","value":[2820,1572,2932,727]},{"type":"call","value":[2820,1572,2932,553]},{"type":"call","value":[2820,1572,2932,379]},{"type":"call","value":[2820,1572,2932,617]},{"type":"call","value":[2820,1572,2932,443]},{"type":"call","value":[2820,1572,2932,681]},{"type":"call","value":[2820,1572,2932,507]},{"type":"call","value":[2820,1572,2932,745]},{"type":"call","value":[2820,1572,2932,571]},{"type":"call","value":[2820,1572,2932,635]},{"type":"call","value":[2820,1572,2932,699]},{"type":"call","value":[2820,1572,2932,281]},{"type":"call","value":[2820,1572,2932,345]},{"type":"call","value":[2820,1572,2932,409]},{"type":"call","value":[2820,1572,2932,235]},{"type":"call","value":[2820,1572,2932,473]},{"type":"call","value":[2820,1572,2932,299]},{"type":"call","value":[2820,1572,2932,537]},{"type":"call","value":[2820,1572,2932,363]},{"type":"call","value":[2820,1572,2932,601]},{"type":"call","value":[2820,1572,2932,427]},{"type":"call","value":[2820,1572,2932,665]},{"type":"call","value":[2820,1572,2932,491]},{"type":"call","value":[2820,1572,2932,729]},{"type":"call","value":[2820,1572,2932,555]},{"type":"call","value":[2820,1572,2932,619]},{"type":"call","value":[2820,1572,2932,683]},{"type":"call","value":[2820,1572,2932,747]},{"type":"call","value":[2820,1572,2932,265]},{"type":"call","value":[2820,1572,2932,329]},{"type":"call","value":[2820,1572,2932,701]},{"type":"call","value":[2820,1572,2932,393]},{"type":"call","value":[2820,1572,2932,457]},{"type":"call","value":[2820,1572,2932,283]},{"type":"call","value":[2820,1572,2932,347]},{"type":"call","value":[2820,1572,2932,411]},{"type":"call","value":[2820,1572,2932,237]},{"type":"call","value":[2820,1572,2932,475]},{"type":"call","value":[2820,1572,2932,301]},{"type":"call","value":[2820,1572,2932,539]},{"type":"call","value":[2820,1572,2932,365]},
{"type":"call","value":[2820,1572,2932,603]},{"type":"call","value":[2820,1572,2932,429]},{"type":"call","value":[2820,1572,2932,667]},{"type":"call","value":[2820,1572,2932,493]},{"type":"call","value":[2820,1572,2932,731]},{"type":"call","value":[2820,1572,2932,557]},{"type":"call","value":[2820,1572,2932,621]},{"type":"call","value":[2820,1572,2932,685]},{"type":"call","value":[2820,1572,2932,267]},{"type":"call","value":[2820,1572,2932,331]},{"type":"call","value":[2820,1572,2932,395]},{"type":"call","value":[2820,1572,2932,459]},{"type":"call","value":[2820,1572,2932,285]},{"type":"call","value":[2820,1572,2932,523]},{"type":"call","value":[2820,1572,2932,349]},{"type":"call","value":[2820,1572,2932,587]},{"type":"call","value":[2820,1572,2932,413]},{"type":"call","value":[2820,1572,2932,651]},{"type":"call","value":[2820,1572,2932,477]},{"type":"call","value":[2820,1572,2932,715]},{"type":"call","value":[2820,1572,2932,541]},{"type":"call","value":[2820,1572,2932,605]},{"type":"call","value":[2820,1572,2932,431]},{"type":"call","value":[2820,1572,2932,669]},{"type":"call","value":[2820,1572,2932,495]},{"type":"call","value":[2820,1572,2932,733]},{"type":"call","value":[2820,1572,2932,559]},{"type":"call","value":[2820,1572,2932,623]},{"type":"call","value":[2820,1572,2932,687]},{"type":"call","value":[2820,1572,2932,269]},{"type":"call","value":[2820,1572,2932,333]},{"type":"call","value":[2820,1572,2932,397]},{"type":"call","value":[2820,1572,2932,461]},{"type":"call","value":[2820,1572,2932,287]},{"type":"call","value":[2820,1572,2932,525]},{"type":"call","value":[2820,1572,2932,351]},{"type":"call","value":[2820,1572,2932,589]},{"type":"call","value":[2820,1572,2932,415]},{"type":"call","value":[2820,1572,2932,653]},{"type":"call","value":[2820,1572,2932,479]},{"type":"call","value":[2820,1572,2932,717]},{"type":"call","value":[2820,1572,2932,543]},{"type":"call","value":[2820,1572,2932,607]},{"type":"call","value":[2820,1572,2932,671]},{"type":"call","valu
e":[2820,1572,2932,735]},{"type":"call","value":[2820,1572,2932,253]},{"type":"call","value":[2820,1572,2932,317]},{"type":"call","value":[2820,1572,2932,381]},{"type":"call","value":[2820,1572,2932,445]},{"type":"call","value":[2820,1572,2932,271]},{"type":"call","value":[2820,1572,2932,509]},{"type":"call","value":[2820,1572,2932,335]},{"type":"call","value":[2820,1572,2932,573]},{"type":"call","value":[2820,1572,2932,399]},{"type":"call","value":[2820,1572,2932,637]},{"type":"call","value":[2820,1572,2932,463]},{"type":"call","value":[2820,1572,2932,289]},{"type":"call","value":[2820,1572,2932,527]},{"type":"call","value":[2820,1572,2932,353]},{"type":"call","value":[2820,1572,2932,591]},{"type":"call","value":[2820,1572,2932,417]},{"type":"call","value":[2820,1572,2932,655]},{"type":"call","value":[2820,1572,2932,481]},{"type":"call","value":[2820,1572,2932,719]},{"type":"call","value":[2820,1572,2932,545]},{"type":"call","value":[2820,1572,2932,609]},{"type":"call","value":[2820,1572,2932,673]},{"type":"call","value":[2820,1572,2932,737]},{"type":"call","value":[2820,1572,2932,255]},{"type":"call","value":[2820,1572,2932,319]},{"type":"call","value":[2820,1572,2932,383]},{"type":"call","value":[2820,1572,2932,447]},{"type":"call","value":[2820,1572,2932,273]},{"type":"call","value":[2820,1572,2932,511]},{"type":"call","value":[2820,1572,2932,337]},{"type":"call","value":[2820,1572,2932,575]},{"type":"call","value":[2820,1572,2932,401]},{"type":"call","value":[2820,1572,2932,639]},{"type":"call","value":[2820,1572,2932,465]},{"type":"call","value":[2820,1572,2932,703]},{"type":"call","value":[2820,1572,2932,529]},{"type":"call","value":[2820,1572,2932,593]},{"type":"call","value":[2820,1572,2932,657]},{"type":"call","value":[2820,1572,2932,721]},{"type":"call","value":[2820,1572,2932,239]},{"type":"call","value":[2820,1572,2932,611]},{"type":"call","value":[2820,1572,2932,303]},{"type":"call","value":[2820,1572,2932,675]},{"type":"call","value":[2820,1572,2932,3
67]},{"type":"call","value":[2820,1572,2932,739]},{"type":"call","value":[2820,1572,2932,257]},{"type":"call","value":[2820,1572,2932,321]},{"type":"call","value":[2820,1572,2932,385]},{"type":"call","value":[2820,1572,2932,449]},{"type":"call","value":[2820,1572,2932,275]},{"type":"call","value":[2820,1572,2932,513]},{"type":"call","value":[2820,1572,2932,339]},{"type":"call","value":[2820,1572,2932,577]},{"type":"call","value":[2820,1572,2932,403]},{"type":"call","value":[2820,1572,2932,641]},{"type":"call","value":[2820,1572,2932,467]},{"type":"call","value":[2820,1572,2932,705]},{"type":"call","value":[2820,1572,2932,531]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2932,38]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2932,130]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","stri
ng":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1572,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2804,972]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on 
Windows"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1912,1216]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAlloc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtAllocateVirtualMemory"}},"children":[],"locations":[{"type":"call","value":[2820,1912,1216,211]},{"type":"call","value"
:[2820,1912,1216,218]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[2820,1912,1216,980]},{"type":"call","value":[2820,1912,1216,1526]},{"type":"call","value":[2820,1912,1216,1108]},{"type":"call","value":[2820,1912,1216,1654]},{"type":"call","value":[2820,1912,1216,452]},{"type":"call","value":[2820,1912,1216,998]},{"type":"call","value":[2820,1912,1216,1236]},{"type":"call","value":[2820,1912,1216,1364]},{"type":"call","value":[2820,1912,1216,1254]},{"type":"call","value":[2820,1912,1216,1492]},{"type":"call","value":[2820,1912,1216,1382]},{"type":"call","value":[2820,1912,1216,1620]},{"type":"call","value":[2820,1912,1216,726]},{"type":"call","value":[2820,1912,1216,1272]},{"type":"call","value":[2820,1912,1216,1510]},{"type":"call","value":[2820,1912,1216,1400]},{"type":"call","value":[2820,1912,1216,1638]},{"type":"call","value":[2820,1912,1216,1528]},{"type":"call","value":[2820,1912,1216,872]},{"type":"call","value":[2820,1912,1216,1656]},{"type":"call","value":[2820,1912,1216,1238]},{"type":"call","value":[2820,1912,1216,344]},{"type":"call","value":[2820,1912,1216,582]},{"type":"call","value":[2820,1912,1216,1128]},{"type":"call","value":[2820,1912,1216,1366]},{"type":"call","value":[2820,1912,1216,710]},{"type":"call","value":[2820,1912,1216,1256]},{"type":"call","value":[2820,1912,1216,1494]},{"type":"call","value":[2820,1912,1216,1384]},{"type":"call","value":[2820,1912,1216,1622]},{"type":"call","value":[2820,1912,1216,966]},{"type":"call","value":[2820,1912,1216,1512]},{"type":"call","value":[2820,1912,1216,1094]},{"type":"call","value":[2820,1912,1216,1640]},{"type":"call","value":[2820,1912,1216,1222]},{"type":"call","value":[2820,1912,1216,566]},{"type":"call","value":[2820,1912,1216,1112]},{"ty
pe":"call","value":[2820,1912,1216,1350]},{"type":"call","value":[2820,1912,1216,456]},{"type":"call","value":[2820,1912,1216,694]},{"type":"call","value":[2820,1912,1216,1240]},{"type":"call","value":[2820,1912,1216,1478]},{"type":"call","value":[2820,1912,1216,1368]},{"type":"call","value":[2820,1912,1216,474]},{"type":"call","value":[2820,1912,1216,1258]},{"type":"call","value":[2820,1912,1216,1496]},{"type":"call","value":[2820,1912,1216,602]},{"type":"call","value":[2820,1912,1216,840]},{"type":"call","value":[2820,1912,1216,1386]},{"type":"call","value":[2820,1912,1216,1624]},{"type":"call","value":[2820,1912,1216,1514]},{"type":"call","value":[2820,1912,1216,1642]},{"type":"call","value":[2820,1912,1216,1224]},{"type":"call","value":[2820,1912,1216,330]},{"type":"call","value":[2820,1912,1216,1352]},{"type":"call","value":[2820,1912,1216,1242]},{"type":"call","value":[2820,1912,1216,1480]},{"type":"call","value":[2820,1912,1216,586]},{"type":"call","value":[2820,1912,1216,824]},{"type":"call","value":[2820,1912,1216,1370]},{"type":"call","value":[2820,1912,1216,1608]},{"type":"call","value":[2820,1912,1216,714]},{"type":"call","value":[2820,1912,1216,1498]},{"type":"call","value":[2820,1912,1216,1626]},{"type":"call","value":[2820,1912,1216,1516]},{"type":"call","value":[2820,1912,1216,1208]},{"type":"call","value":[2820,1912,1216,1098]},{"type":"call","value":[2820,1912,1216,1644]},{"type":"call","value":[2820,1912,1216,988]},{"type":"call","value":[2820,1912,1216,1226]},{"type":"call","value":[2820,1912,1216,332]},{"type":"call","value":[2820,1912,1216,1354]},{"type":"call","value":[2820,1912,1216,460]},{"type":"call","value":[2820,1912,1216,1244]},{"type":"call","value":[2820,1912,1216,1482]},{"type":"call","value":[2820,1912,1216,1372]},{"type":"call","value":[2820,1912,1216,1610]},{"type":"call","value":[2820,1912,1216,1500]},{"type":"call","value":[2820,1912,1216,1082]},{"type":"call","value":[2820,1912,1216,1628]},{"type":"call","value":[2820,1912,1216
,1210]},{"type":"call","value":[2820,1912,1216,1338]},{"type":"call","value":[2820,1912,1216,1228]},{"type":"call","value":[2820,1912,1216,1466]},{"type":"call","value":[2820,1912,1216,810]},{"type":"call","value":[2820,1912,1216,1356]},{"type":"call","value":[2820,1912,1216,1594]},{"type":"call","value":[2820,1912,1216,1246]},{"type":"call","value":[2820,1912,1216,1484]},{"type":"call","value":[2820,1912,1216,590]},{"type":"call","value":[2820,1912,1216,1722]},{"type":"call","value":[2820,1912,1216,1374]},{"type":"call","value":[2820,1912,1216,1612]},{"type":"call","value":[2820,1912,1216,718]},{"type":"call","value":[2820,1912,1216,956]},{"type":"call","value":[2820,1912,1216,1502]},{"type":"call","value":[2820,1912,1216,846]},{"type":"call","value":[2820,1912,1216,1630]},{"type":"call","value":[2820,1912,1216,428]},{"type":"call","value":[2820,1912,1216,974]},{"type":"call","value":[2820,1912,1216,1212]},{"type":"call","value":[2820,1912,1216,1340]},{"type":"call","value":[2820,1912,1216,446]},{"type":"call","value":[2820,1912,1216,684]},{"type":"call","value":[2820,1912,1216,1230]},{"type":"call","value":[2820,1912,1216,1468]},{"type":"call","value":[2820,1912,1216,574]},{"type":"call","value":[2820,1912,1216,1358]},{"type":"call","value":[2820,1912,1216,1596]},{"type":"call","value":[2820,1912,1216,1486]},{"type":"call","value":[2820,1912,1216,1724]},{"type":"call","value":[2820,1912,1216,830]},{"type":"call","value":[2820,1912,1216,1614]},{"type":"call","value":[2820,1912,1216,412]},{"type":"call","value":[2820,1912,1216,1196]},{"type":"call","value":[2820,1912,1216,1086]},{"type":"call","value":[2820,1912,1216,1324]},{"type":"call","value":[2820,1912,1216,1214]},{"type":"call","value":[2820,1912,1216,1452]},{"type":"call","value":[2820,1912,1216,558]},{"type":"call","value":[2820,1912,1216,1104]},{"type":"call","value":[2820,1912,1216,1342]},{"type":"call","value":[2820,1912,1216,1232]},{"type":"call","value":[2820,1912,1216,1470]},{"type":"call","value":[282
0,1912,1216,814]},{"type":"call","value":[2820,1912,1216,1360]},{"type":"call","value":[2820,1912,1216,1598]},{"type":"call","value":[2820,1912,1216,704]},{"type":"call","value":[2820,1912,1216,942]},{"type":"call","value":[2820,1912,1216,1488]},{"type":"call","value":[2820,1912,1216,1726]},{"type":"call","value":[2820,1912,1216,1070]},{"type":"call","value":[2820,1912,1216,1616]},{"type":"call","value":[2820,1912,1216,1198]},{"type":"call","value":[2820,1912,1216,542]},{"type":"call","value":[2820,1912,1216,1326]},{"type":"call","value":[2820,1912,1216,1216]},{"type":"call","value":[2820,1912,1216,1454]},{"type":"call","value":[2820,1912,1216,798]},{"type":"call","value":[2820,1912,1216,1344]},{"type":"call","value":[2820,1912,1216,1582]},{"type":"call","value":[2820,1912,1216,926]},{"type":"call","value":[2820,1912,1216,1472]},{"type":"call","value":[2820,1912,1216,1710]},{"type":"call","value":[2820,1912,1216,1362]},{"type":"call","value":[2820,1912,1216,1054]},{"type":"call","value":[2820,1912,1216,1600]},{"type":"call","value":[2820,1912,1216,398]},{"type":"call","value":[2820,1912,1216,1490]},{"type":"call","value":[2820,1912,1216,834]},{"type":"call","value":[2820,1912,1216,953]},{"type":"call","value":[2820,1912,1216,1618]},{"type":"call","value":[2820,1912,1216,962]},{"type":"call","value":[2820,1912,1216,1200]},{"type":"call","value":[2820,1912,1216,1328]},{"type":"call","value":[2820,1912,1216,434]},{"type":"call","value":[2820,1912,1216,672]},{"type":"call","value":[2820,1912,1216,1218]},{"type":"call","value":[2820,1912,1216,1456]},{"type":"call","value":[2820,1912,1216,562]},{"type":"call","value":[2820,1912,1216,1346]},{"type":"call","value":[2820,1912,1216,1584]},{"type":"call","value":[2820,1912,1216,690]},{"type":"call","value":[2820,1912,1216,1474]},{"type":"call","value":[2820,1912,1216,1712]},{"type":"call","value":[2820,1912,1216,1602]},{"type":"call","value":[2820,1912,1216,1184]},{"type":"call","value":[2820,1912,1216,528]},{"type":"call","va
lue":[2820,1912,1216,1312]},{"type":"call","value":[2820,1912,1216,418]},{"type":"call","value":[2820,1912,1216,656]},{"type":"call","value":[2820,1912,1216,1202]},{"type":"call","value":[2820,1912,1216,1440]},{"type":"call","value":[2820,1912,1216,546]},{"type":"call","value":[2820,1912,1216,1330]},{"type":"call","value":[2820,1912,1216,1568]},{"type":"call","value":[2820,1912,1216,1220]},{"type":"call","value":[2820,1912,1216,1458]},{"type":"call","value":[2820,1912,1216,1348]},{"type":"call","value":[2820,1912,1216,1586]},{"type":"call","value":[2820,1912,1216,930]},{"type":"call","value":[2820,1912,1216,1476]},{"type":"call","value":[2820,1912,1216,1714]},{"type":"call","value":[2820,1912,1216,820]},{"type":"call","value":[2820,1912,1216,1058]},{"type":"call","value":[2820,1912,1216,1604]},{"type":"call","value":[2820,1912,1216,402]},{"type":"call","value":[2820,1912,1216,948]},{"type":"call","value":[2820,1912,1216,1186]},{"type":"call","value":[2820,1912,1216,1076]},{"type":"call","value":[2820,1912,1216,1314]},{"type":"call","value":[2820,1912,1216,1204]},{"type":"call","value":[2820,1912,1216,1442]},{"type":"call","value":[2820,1912,1216,1332]},{"type":"call","value":[2820,1912,1216,1570]},{"type":"call","value":[2820,1912,1216,1460]},{"type":"call","value":[2820,1912,1216,1698]},{"type":"call","value":[2820,1912,1216,804]},{"type":"call","value":[2820,1912,1216,1042]},{"type":"call","value":[2820,1912,1216,1588]},{"type":"call","value":[2820,1912,1216,386]},{"type":"call","value":[2820,1912,1216,1170]},{"type":"call","value":[2820,1912,1216,1716]},{"type":"call","value":[2820,1912,1216,1606]},{"type":"call","value":[2820,1912,1216,1298]},{"type":"call","value":[2820,1912,1216,1188]},{"type":"call","value":[2820,1912,1216,532]},{"type":"call","value":[2820,1912,1216,1316]},{"type":"call","value":[2820,1912,1216,422]},{"type":"call","value":[2820,1912,1216,660]},{"type":"call","value":[2820,1912,1216,1206]},{"type":"call","value":[2820,1912,1216,1444]},{"type
":"call","value":[2820,1912,1216,788]},{"type":"call","value":[2820,1912,1216,1334]},{"type":"call","value":[2820,1912,1216,1572]},{"type":"call","value":[2820,1912,1216,1462]},{"type":"call","value":[2820,1912,1216,1700]},{"type":"call","value":[2820,1912,1216,1590]},{"type":"call","value":[2820,1912,1216,1172]},{"type":"call","value":[2820,1912,1216,1718]},{"type":"call","value":[2820,1912,1216,1300]},{"type":"call","value":[2820,1912,1216,406]},{"type":"call","value":[2820,1912,1216,644]},{"type":"call","value":[2820,1912,1216,1190]},{"type":"call","value":[2820,1912,1216,1428]},{"type":"call","value":[2820,1912,1216,1318]},{"type":"call","value":[2820,1912,1216,1556]},{"type":"call","value":[2820,1912,1216,900]},{"type":"call","value":[2820,1912,1216,1446]},{"type":"call","value":[2820,1912,1216,552]},{"type":"call","value":[2820,1912,1216,1684]},{"type":"call","value":[2820,1912,1216,1336]},{"type":"call","value":[2820,1912,1216,1574]},{"type":"call","value":[2820,1912,1216,918]},{"type":"call","value":[2820,1912,1216,1464]},{"type":"call","value":[2820,1912,1216,1702]},{"type":"call","value":[2820,1912,1216,1592]},{"type":"call","value":[2820,1912,1216,390]},{"type":"call","value":[2820,1912,1216,936]},{"type":"call","value":[2820,1912,1216,1174]},{"type":"call","value":[2820,1912,1216,1720]},{"type":"call","value":[2820,1912,1216,518]},{"type":"call","value":[2820,1912,1216,1064]},{"type":"call","value":[2820,1912,1216,1302]},{"type":"call","value":[2820,1912,1216,1192]},{"type":"call","value":[2820,1912,1216,1430]},{"type":"call","value":[2820,1912,1216,1320]},{"type":"call","value":[2820,1912,1216,1558]},{"type":"call","value":[2820,1912,1216,1448]},{"type":"call","value":[2820,1912,1216,1686]},{"type":"call","value":[2820,1912,1216,792]},{"type":"call","value":[2820,1912,1216,1030]},{"type":"call","value":[2820,1912,1216,1576]},{"type":"call","value":[2820,1912,1216,1158]},{"type":"call","value":[2820,1912,1216,1704]},{"type":"call","value":[2820,1912,1216
,1048]},{"type":"call","value":[2820,1912,1216,1286]},{"type":"call","value":[2820,1912,1216,630]},{"type":"call","value":[2820,1912,1216,1176]},{"type":"call","value":[2820,1912,1216,1414]},{"type":"call","value":[2820,1912,1216,758]},{"type":"call","value":[2820,1912,1216,1304]},{"type":"call","value":[2820,1912,1216,1542]},{"type":"call","value":[2820,1912,1216,1194]},{"type":"call","value":[2820,1912,1216,1432]},{"type":"call","value":[2820,1912,1216,538]},{"type":"call","value":[2820,1912,1216,776]},{"type":"call","value":[2820,1912,1216,1322]},{"type":"call","value":[2820,1912,1216,1560]},{"type":"call","value":[2820,1912,1216,666]},{"type":"call","value":[2820,1912,1216,1450]},{"type":"call","value":[2820,1912,1216,1688]},{"type":"call","value":[2820,1912,1216,1578]},{"type":"call","value":[2820,1912,1216,376]},{"type":"call","value":[2820,1912,1216,1160]},{"type":"call","value":[2820,1912,1216,1706]},{"type":"call","value":[2820,1912,1216,1288]},{"type":"call","value":[2820,1912,1216,394]},{"type":"call","value":[2820,1912,1216,1178]},{"type":"call","value":[2820,1912,1216,1416]},{"type":"call","value":[2820,1912,1216,522]},{"type":"call","value":[2820,1912,1216,1306]},{"type":"call","value":[2820,1912,1216,1544]},{"type":"call","value":[2820,1912,1216,650]},{"type":"call","value":[2820,1912,1216,1434]},{"type":"call","value":[2820,1912,1216,1672]},{"type":"call","value":[2820,1912,1216,1562]},{"type":"call","value":[2820,1912,1216,360]},{"type":"call","value":[2820,1912,1216,1144]},{"type":"call","value":[2820,1912,1216,1690]},{"type":"call","value":[2820,1912,1216,488]},{"type":"call","value":[2820,1912,1216,1034]},{"type":"call","value":[2820,1912,1216,1580]},{"type":"call","value":[2820,1912,1216,1162]},{"type":"call","value":[2820,1912,1216,1708]},{"type":"call","value":[2820,1912,1216,1290]},{"type":"call","value":[2820,1912,1216,1180]},{"type":"call","value":[2820,1912,1216,1418]},{"type":"call","value":[2820,1912,1216,1308]},{"type":"call","value":[2
820,1912,1216,1546]},{"type":"call","value":[2820,1912,1216,890]},{"type":"call","value":[2820,1912,1216,1436]},{"type":"call","value":[2820,1912,1216,1674]},{"type":"call","value":[2820,1912,1216,1018]},{"type":"call","value":[2820,1912,1216,1564]},{"type":"call","value":[2820,1912,1216,908]},{"type":"call","value":[2820,1912,1216,1146]},{"type":"call","value":[2820,1912,1216,1692]},{"type":"call","value":[2820,1912,1216,1274]},{"type":"call","value":[2820,1912,1216,380]},{"type":"call","value":[2820,1912,1216,618]},{"type":"call","value":[2820,1912,1216,1164]},{"type":"call","value":[2820,1912,1216,1402]},{"type":"call","value":[2820,1912,1216,508]},{"type":"call","value":[2820,1912,1216,746]},{"type":"call","value":[2820,1912,1216,1292]},{"type":"call","value":[2820,1912,1216,1530]},{"type":"call","value":[2820,1912,1216,636]},{"type":"call","value":[2820,1912,1216,1182]},{"type":"call","value":[2820,1912,1216,1420]},{"type":"call","value":[2820,1912,1216,1658]},{"type":"call","value":[2820,1912,1216,764]},{"type":"call","value":[2820,1912,1216,1310]},{"type":"call","value":[2820,1912,1216,1548]},{"type":"call","value":[2820,1912,1216,1438]},{"type":"call","value":[2820,1912,1216,1676]},{"type":"call","value":[2820,1912,1216,782]},{"type":"call","value":[2820,1912,1216,1566]},{"type":"call","value":[2820,1912,1216,1148]},{"type":"call","value":[2820,1912,1216,1694]},{"type":"call","value":[2820,1912,1216,1276]},{"type":"call","value":[2820,1912,1216,1166]},{"type":"call","value":[2820,1912,1216,1404]},{"type":"call","value":[2820,1912,1216,1294]},{"type":"call","value":[2820,1912,1216,1532]},{"type":"call","value":[2820,1912,1216,1422]},{"type":"call","value":[2820,1912,1216,1660]},{"type":"call","value":[2820,1912,1216,1550]},{"type":"call","value":[2820,1912,1216,1132]},{"type":"call","value":[2820,1912,1216,1678]},{"type":"call","value":[2820,1912,1216,1022]},{"type":"call","value":[2820,1912,1216,1260]},{"type":"call","value":[2820,1912,1216,366]},{"type":"ca
ll","value":[2820,1912,1216,912]},{"type":"call","value":[2820,1912,1216,1150]},{"type":"call","value":[2820,1912,1216,1696]},{"type":"call","value":[2820,1912,1216,1388]},{"type":"call","value":[2820,1912,1216,494]},{"type":"call","value":[2820,1912,1216,1278]},{"type":"call","value":[2820,1912,1216,503]},{"type":"call","value":[2820,1912,1216,1168]},{"type":"call","value":[2820,1912,1216,1406]},{"type":"call","value":[2820,1912,1216,512]},{"type":"call","value":[2820,1912,1216,1296]},{"type":"call","value":[2820,1912,1216,1534]},{"type":"call","value":[2820,1912,1216,878]},{"type":"call","value":[2820,1912,1216,1424]},{"type":"call","value":[2820,1912,1216,1662]},{"type":"call","value":[2820,1912,1216,1006]},{"type":"call","value":[2820,1912,1216,1552]},{"type":"call","value":[2820,1912,1216,1134]},{"type":"call","value":[2820,1912,1216,240]},{"type":"call","value":[2820,1912,1216,1680]},{"type":"call","value":[2820,1912,1216,478]},{"type":"call","value":[2820,1912,1216,1262]},{"type":"call","value":[2820,1912,1216,606]},{"type":"call","value":[2820,1912,1216,1152]},{"type":"call","value":[2820,1912,1216,1390]},{"type":"call","value":[2820,1912,1216,734]},{"type":"call","value":[2820,1912,1216,1280]},{"type":"call","value":[2820,1912,1216,1518]},{"type":"call","value":[2820,1912,1216,624]},{"type":"call","value":[2820,1912,1216,862]},{"type":"call","value":[2820,1912,1216,1408]},{"type":"call","value":[2820,1912,1216,1646]},{"type":"call","value":[2820,1912,1216,1536]},{"type":"call","value":[2820,1912,1216,1426]},{"type":"call","value":[2820,1912,1216,1118]},{"type":"call","value":[2820,1912,1216,1664]},{"type":"call","value":[2820,1912,1216,770]},{"type":"call","value":[2820,1912,1216,1554]},{"type":"call","value":[2820,1912,1216,1136]},{"type":"call","value":[2820,1912,1216,1682]},{"type":"call","value":[2820,1912,1216,1026]},{"type":"call","value":[2820,1912,1216,1264]},{"type":"call","value":[2820,1912,1216,370]},{"type":"call","value":[2820,1912,1216,1154]},
{"type":"call","value":[2820,1912,1216,1392]},{"type":"call","value":[2820,1912,1216,498]},{"type":"call","value":[2820,1912,1216,1282]},{"type":"call","value":[2820,1912,1216,1520]},{"type":"call","value":[2820,1912,1216,1410]},{"type":"call","value":[2820,1912,1216,1648]},{"type":"call","value":[2820,1912,1216,754]},{"type":"call","value":[2820,1912,1216,1538]},{"type":"call","value":[2820,1912,1216,336]},{"type":"call","value":[2820,1912,1216,1666]},{"type":"call","value":[2820,1912,1216,464]},{"type":"call","value":[2820,1912,1216,1248]},{"type":"call","value":[2820,1912,1216,354]},{"type":"call","value":[2820,1912,1216,1138]},{"type":"call","value":[2820,1912,1216,1376]},{"type":"call","value":[2820,1912,1216,482]},{"type":"call","value":[2820,1912,1216,1266]},{"type":"call","value":[2820,1912,1216,1504]},{"type":"call","value":[2820,1912,1216,1156]},{"type":"call","value":[2820,1912,1216,1394]},{"type":"call","value":[2820,1912,1216,1632]},{"type":"call","value":[2820,1912,1216,1284]},{"type":"call","value":[2820,1912,1216,1522]},{"type":"call","value":[2820,1912,1216,866]},{"type":"call","value":[2820,1912,1216,1412]},{"type":"call","value":[2820,1912,1216,1650]},{"type":"call","value":[2820,1912,1216,1540]},{"type":"call","value":[2820,1912,1216,884]},{"type":"call","value":[2820,1912,1216,1668]},{"type":"call","value":[2820,1912,1216,1012]},{"type":"call","value":[2820,1912,1216,1250]},{"type":"call","value":[2820,1912,1216,594]},{"type":"call","value":[2820,1912,1216,1140]},{"type":"call","value":[2820,1912,1216,1378]},{"type":"call","value":[2820,1912,1216,1268]},{"type":"call","value":[2820,1912,1216,1506]},{"type":"call","value":[2820,1912,1216,612]},{"type":"call","value":[2820,1912,1216,1396]},{"type":"call","value":[2820,1912,1216,1634]},{"type":"call","value":[2820,1912,1216,740]},{"type":"call","value":[2820,1912,1216,1524]},{"type":"call","value":[2820,1912,1216,1652]},{"type":"call","value":[2820,1912,1216,1234]},{"type":"call","value":[2820,1912
,1216,340]},{"type":"call","value":[2820,1912,1216,578]},{"type":"call","value":[2820,1912,1216,1124]},{"type":"call","value":[2820,1912,1216,1670]},{"type":"call","value":[2820,1912,1216,468]},{"type":"call","value":[2820,1912,1216,1252]},{"type":"call","value":[2820,1912,1216,1142]},{"type":"call","value":[2820,1912,1216,1380]},{"type":"call","value":[2820,1912,1216,1270]},{"type":"call","value":[2820,1912,1216,1508]},{"type":"call","value":[2820,1912,1216,852]},{"type":"call","value":[2820,1912,1216,1398]},{"type":"call","value":[2820,1912,1216,1636]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"link function at runtime on Windows"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAlloc"}},"children":[],"locations":[{"type":"call","value":[2820,1912,1216,39]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocEx"}},"children":[],"locations":[{"type":"call","value":[2820,1912,1216,129]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"VirtualAllocExNuma"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwAllocateVirtualMemory"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"string","string":"NtMapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"s
uccess":false,"node":{"type":"feature","feature":{"type":"string","string":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"open process":{"meta":{"name":"open process","authors":["0x534a@mailbox.org"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Process","Open Process"],"objective":"Process","behavior":"Open Process","method":"","id":"C0065"}],"references":[],"examples":["Practical Malware Analysis Lab 17-02.dll_:0x1000D10D"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: open process\n authors:\n - 0x534a@mailbox.org\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Process::Open Process [C0065]\n examples:\n - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D\n features:\n - or:\n - api: kernel32.OpenProcess\n - api: NtOpenProcess\n - api: ZwOpenProcess\n","matches":[[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,480]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2192,2204]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"location
s":[{"type":"call","value":[3052,2192,2204,475]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,1180,500]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,476]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2596]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2596,2414]},{"type":"call","value":[1180,1852,2596,2423]},{"type":"call","value":[1180,1852,2596,3436]},{"type":"call","value":[1180,1852,2596,3863]},{"type":"call","value":[1180,1852,2596,2780]},{"type":"call","value":[1180,1852,2596,3445]},{"type":"call","value":[1180,1852,2596,2789]},{"type":"call","value":[1180,1852,2596,3454]},{"type":"call","value":[1180,1852,2596,2133]},{"type":"call","value":[1180,1852,2596,3573]},{"type":"call","value":[1180,1852,2596,2798]},{"type":"call","value":[1180,1852,2596,3463]},{"type":"call","value":[1180,1852,2596,3582]},{"type":"call","value":[1180,1852,2596,2261]},{"type":"call","value":[1180,1852,2596,3591]},{"type":"call","value":[1180,1852,2596,2270]},{"type":"call","value":[1180,1852,2596,293
]},{"type":"call","value":[1180,1852,2596,2279]},{"type":"call","value":[1180,1852,2596,3600]},{"type":"call","value":[1180,1852,2596,4613]},{"type":"call","value":[1180,1852,2596,4622]},{"type":"call","value":[1180,1852,2596,1632]},{"type":"call","value":[1180,1852,2596,4085]},{"type":"call","value":[1180,1852,2596,4631]},{"type":"call","value":[1180,1852,2596,4869]},{"type":"call","value":[1180,1852,2596,3975]},{"type":"call","value":[1180,1852,2596,4094]},{"type":"call","value":[1180,1852,2596,4640]},{"type":"call","value":[1180,1852,2596,2117]},{"type":"call","value":[1180,1852,2596,4103]},{"type":"call","value":[1180,1852,2596,2126]},{"type":"call","value":[1180,1852,2596,4112]},{"type":"call","value":[1180,1852,2596,4121]},{"type":"call","value":[1180,1852,2596,1726]},{"type":"call","value":[1180,1852,2596,3950]},{"type":"call","value":[1180,1852,2596,1735]},{"type":"call","value":[1180,1852,2596,1854]},{"type":"call","value":[1180,1852,2596,4734]},{"type":"call","value":[1180,1852,2596,3959]},{"type":"call","value":[1180,1852,2596,1744]},{"type":"call","value":[1180,1852,2596,4743]},{"type":"call","value":[1180,1852,2596,3968]},{"type":"call","value":[1180,1852,2596,1753]},{"type":"call","value":[1180,1852,2596,4752]},{"type":"call","value":[1180,1852,2596,1335]},{"type":"call","value":[1180,1852,2596,1762]},{"type":"call","value":[1180,1852,2596,4761]},{"type":"call","value":[1180,1852,2596,4770]},{"type":"call","value":[1180,1852,2596,2384]},{"type":"call","value":[1180,1852,2596,2393]},{"type":"call","value":[1180,1852,2596,2402]},{"type":"call","value":[1180,1852,2596,2411]},{"type":"call","value":[1180,1852,2596,3424]},{"type":"call","value":[1180,1852,2596,2768]},{"type":"call","value":[1180,1852,2596,3433]},{"type":"call","value":[1180,1852,2596,3552]},{"type":"call","value":[1180,1852,2596,2777]},{"type":"call","value":[1180,1852,2596,3561]},{"type":"call","value":[1180,1852,2596,2786]},{"type":"call","value":[1180,1852,2596,3451]},{"type":"call","val
ue":[1180,1852,2596,3570]},{"type":"call","value":[1180,1852,2596,2795]},{"type":"call","value":[1180,1852,2596,3460]},{"type":"call","value":[1180,1852,2596,4592]},{"type":"call","value":[1180,1852,2596,2258]},{"type":"call","value":[1180,1852,2596,2804]},{"type":"call","value":[1180,1852,2596,281]},{"type":"call","value":[1180,1852,2596,2267]},{"type":"call","value":[1180,1852,2596,3588]},{"type":"call","value":[1180,1852,2596,4601]},{"type":"call","value":[1180,1852,2596,290]},{"type":"call","value":[1180,1852,2596,1849]},{"type":"call","value":[1180,1852,2596,2276]},{"type":"call","value":[1180,1852,2596,4610]},{"type":"call","value":[1180,1852,2596,4073]},{"type":"call","value":[1180,1852,2596,299]},{"type":"call","value":[1180,1852,2596,4619]},{"type":"call","value":[1180,1852,2596,4082]},{"type":"call","value":[1180,1852,2596,4628]},{"type":"call","value":[1180,1852,2596,2105]},{"type":"call","value":[1180,1852,2596,4091]},{"type":"call","value":[1180,1852,2596,2114]},{"type":"call","value":[1180,1852,2596,4100]},{"type":"call","value":[1180,1852,2596,2123]},{"type":"call","value":[1180,1852,2596,4109]},{"type":"call","value":[1180,1852,2596,1723]},{"type":"call","value":[1180,1852,2596,3947]},{"type":"call","value":[1180,1852,2596,1732]},{"type":"call","value":[1180,1852,2596,3956]},{"type":"call","value":[1180,1852,2596,1741]},{"type":"call","value":[1180,1852,2596,4740]},{"type":"call","value":[1180,1852,2596,3965]},{"type":"call","value":[1180,1852,2596,1750]},{"type":"call","value":[1180,1852,2596,4749]},{"type":"call","value":[1180,1852,2596,4758]},{"type":"call","value":[1180,1852,2596,2381]},{"type":"call","value":[1180,1852,2596,2390]},{"type":"call","value":[1180,1852,2596,3403]},{"type":"call","value":[1180,1852,2596,2399]},{"type":"call","value":[1180,1852,2596,3531]},{"type":"call","value":[1180,1852,2596,3412]},{"type":"call","value":[1180,1852,2596,1316]},{"type":"call","value":[1180,1852,2596,2756]},{"type":"call","value":[1180,1852,2596,3540]
},{"type":"call","value":[1180,1852,2596,2765]},{"type":"call","value":[1180,1852,2596,3549]},{"type":"call","value":[1180,1852,2596,2228]},{"type":"call","value":[1180,1852,2596,2774]},{"type":"call","value":[1180,1852,2596,2783]},{"type":"call","value":[1180,1852,2596,260]},{"type":"call","value":[1180,1852,2596,2246]},{"type":"call","value":[1180,1852,2596,269]},{"type":"call","value":[1180,1852,2596,2255]},{"type":"call","value":[1180,1852,2596,2493]},{"type":"call","value":[1180,1852,2596,278]},{"type":"call","value":[1180,1852,2596,2264]},{"type":"call","value":[1180,1852,2596,4598]},{"type":"call","value":[1180,1852,2596,4836]},{"type":"call","value":[1180,1852,2596,287]},{"type":"call","value":[1180,1852,2596,4607]},{"type":"call","value":[1180,1852,2596,4070]},{"type":"call","value":[1180,1852,2596,4616]},{"type":"call","value":[1180,1852,2596,2093]},{"type":"call","value":[1180,1852,2596,4079]},{"type":"call","value":[1180,1852,2596,2102]},{"type":"call","value":[1180,1852,2596,4088]},{"type":"call","value":[1180,1852,2596,2111]},{"type":"call","value":[1180,1852,2596,2120]},{"type":"call","value":[1180,1852,2596,2477]},{"type":"call","value":[1180,1852,2596,3917]},{"type":"call","value":[1180,1852,2596,2486]},{"type":"call","value":[1180,1852,2596,3935]},{"type":"call","value":[1180,1852,2596,1720]},{"type":"call","value":[1180,1852,2596,3944]},{"type":"call","value":[1180,1852,2596,1729]},{"type":"call","value":[1180,1852,2596,3953]},{"type":"call","value":[1180,1852,2596,4737]},{"type":"call","value":[1180,1852,2596,1832]},{"type":"call","value":[1180,1852,2596,3391]},{"type":"call","value":[1180,1852,2596,1295]},{"type":"call","value":[1180,1852,2596,3400]},{"type":"call","value":[1180,1852,2596,3519]},{"type":"call","value":[1180,1852,2596,1304]},{"type":"call","value":[1180,1852,2596,3409]},{"type":"call","value":[1180,1852,2596,3528]},{"type":"call","value":[1180,1852,2596,2207]},{"type":"call","value":[1180,1852,2596,1313]},{"type":"call","value":[
1180,1852,2596,2753]},{"type":"call","value":[1180,1852,2596,3418]},{"type":"call","value":[1180,1852,2596,3537]},{"type":"call","value":[1180,1852,2596,2216]},{"type":"call","value":[1180,1852,2596,2762]},{"type":"call","value":[1180,1852,2596,4849]},{"type":"call","value":[1180,1852,2596,3546]},{"type":"call","value":[1180,1852,2596,2225]},{"type":"call","value":[1180,1852,2596,2771]},{"type":"call","value":[1180,1852,2596,248]},{"type":"call","value":[1180,1852,2596,2234]},{"type":"call","value":[1180,1852,2596,3555]},{"type":"call","value":[1180,1852,2596,257]},{"type":"call","value":[1180,1852,2596,1816]},{"type":"call","value":[1180,1852,2596,2243]},{"type":"call","value":[1180,1852,2596,266]},{"type":"call","value":[1180,1852,2596,1825]},{"type":"call","value":[1180,1852,2596,4824]},{"type":"call","value":[1180,1852,2596,275]},{"type":"call","value":[1180,1852,2596,4595]},{"type":"call","value":[1180,1852,2596,4833]},{"type":"call","value":[1180,1852,2596,2072]},{"type":"call","value":[1180,1852,2596,284]},{"type":"call","value":[1180,1852,2596,4604]},{"type":"call","value":[1180,1852,2596,2081]},{"type":"call","value":[1180,1852,2596,4067]},{"type":"call","value":[1180,1852,2596,2865]},{"type":"call","value":[1180,1852,2596,2090]},{"type":"call","value":[1180,1852,2596,4076]},{"type":"call","value":[1180,1852,2596,2108]},{"type":"call","value":[1180,1852,2596,2465]},{"type":"call","value":[1180,1852,2596,3905]},{"type":"call","value":[1180,1852,2596,2474]},{"type":"call","value":[1180,1852,2596,3914]},{"type":"call","value":[1180,1852,2596,2483]},{"type":"call","value":[1180,1852,2596,3923]},{"type":"call","value":[1180,1852,2596,3932]},{"type":"call","value":[1180,1852,2596,1717]},{"type":"call","value":[1180,1852,2596,4179]},{"type":"call","value":[1180,1852,2596,643]},{"type":"call","value":[1180,1852,2596,4682]},{"type":"call","value":[1180,1852,2596,4691]},{"type":"call","value":[1180,1852,2596,3379]},{"type":"call","value":[1180,1852,2596,4163]},{"type
":"call","value":[1180,1852,2596,3388]},{"type":"call","value":[1180,1852,2596,3507]},{"type":"call","value":[1180,1852,2596,1292]},{"type":"call","value":[1180,1852,2596,4172]},{"type":"call","value":[1180,1852,2596,3397]},{"type":"call","value":[1180,1852,2596,3516]},{"type":"call","value":[1180,1852,2596,2195]},{"type":"call","value":[1180,1852,2596,1301]},{"type":"call","value":[1180,1852,2596,3406]},{"type":"call","value":[1180,1852,2596,3525]},{"type":"call","value":[1180,1852,2596,2204]},{"type":"call","value":[1180,1852,2596,1310]},{"type":"call","value":[1180,1852,2596,2750]},{"type":"call","value":[1180,1852,2596,3415]},{"type":"call","value":[1180,1852,2596,3534]},{"type":"call","value":[1180,1852,2596,2213]},{"type":"call","value":[1180,1852,2596,2759]},{"type":"call","value":[1180,1852,2596,4846]},{"type":"call","value":[1180,1852,2596,1557]},{"type":"call","value":[1180,1852,2596,3543]},{"type":"call","value":[1180,1852,2596,3116]},{"type":"call","value":[1180,1852,2596,236]},{"type":"call","value":[1180,1852,2596,2222]},{"type":"call","value":[1180,1852,2596,245]},{"type":"call","value":[1180,1852,2596,1804]},{"type":"call","value":[1180,1852,2596,254]},{"type":"call","value":[1180,1852,2596,1813]},{"type":"call","value":[1180,1852,2596,263]},{"type":"call","value":[1180,1852,2596,1822]},{"type":"call","value":[1180,1852,2596,4821]},{"type":"call","value":[1180,1852,2596,2060]},{"type":"call","value":[1180,1852,2596,272]},{"type":"call","value":[1180,1852,2596,4830]},{"type":"call","value":[1180,1852,2596,2069]},{"type":"call","value":[1180,1852,2596,4839]},{"type":"call","value":[1180,1852,2596,2862]},{"type":"call","value":[1180,1852,2596,2453]},{"type":"call","value":[1180,1852,2596,3893]},{"type":"call","value":[1180,1852,2596,2462]},{"type":"call","value":[1180,1852,2596,3902]},{"type":"call","value":[1180,1852,2596,2471]},{"type":"call","value":[1180,1852,2596,3911]},{"type":"call","value":[1180,1852,2596,2480]},{"type":"call","value":[1180,1852
,2596,2837]},{"type":"call","value":[1180,1852,2596,4704]},{"type":"call","value":[1180,1852,2596,2846]},{"type":"call","value":[1180,1852,2596,2855]},{"type":"call","value":[1180,1852,2596,640]},{"type":"call","value":[1180,1852,2596,4679]},{"type":"call","value":[1180,1852,2596,4688]},{"type":"call","value":[1180,1852,2596,3367]},{"type":"call","value":[1180,1852,2596,4151]},{"type":"call","value":[1180,1852,2596,4697]},{"type":"call","value":[1180,1852,2596,3376]},{"type":"call","value":[1180,1852,2596,4160]},{"type":"call","value":[1180,1852,2596,3385]},{"type":"call","value":[1180,1852,2596,3504]},{"type":"call","value":[1180,1852,2596,2183]},{"type":"call","value":[1180,1852,2596,1289]},{"type":"call","value":[1180,1852,2596,4169]},{"type":"call","value":[1180,1852,2596,3394]},{"type":"call","value":[1180,1852,2596,3513]},{"type":"call","value":[1180,1852,2596,2192]},{"type":"call","value":[1180,1852,2596,1298]},{"type":"call","value":[1180,1852,2596,3522]},{"type":"call","value":[1180,1852,2596,2201]},{"type":"call","value":[1180,1852,2596,1307]},{"type":"call","value":[1180,1852,2596,2210]},{"type":"call","value":[1180,1852,2596,1792]},{"type":"call","value":[1180,1852,2596,2219]},{"type":"call","value":[1180,1852,2596,242]},{"type":"call","value":[1180,1852,2596,1801]},{"type":"call","value":[1180,1852,2596,251]},{"type":"call","value":[1180,1852,2596,1810]},{"type":"call","value":[1180,1852,2596,2048]},{"type":"call","value":[1180,1852,2596,1819]},{"type":"call","value":[1180,1852,2596,4818]},{"type":"call","value":[1180,1852,2596,2057]},{"type":"call","value":[1180,1852,2596,4827]},{"type":"call","value":[1180,1852,2596,2066]},{"type":"call","value":[1180,1852,2596,2075]},{"type":"call","value":[1180,1852,2596,2432]},{"type":"call","value":[1180,1852,2596,3872]},{"type":"call","value":[1180,1852,2596,2441]},{"type":"call","value":[1180,1852,2596,3881]},{"type":"call","value":[1180,1852,2596,2450]},{"type":"call","value":[1180,1852,2596,3890]},{"type":"cal
l","value":[1180,1852,2596,3899]},{"type":"call","value":[1180,1852,2596,2468]},{"type":"call","value":[1180,1852,2596,3908]},{"type":"call","value":[1180,1852,2596,2834]},{"type":"call","value":[1180,1852,2596,2843]},{"type":"call","value":[1180,1852,2596,2852]},{"type":"call","value":[1180,1852,2596,1250]},{"type":"call","value":[1180,1852,2596,4676]},{"type":"call","value":[1180,1852,2596,4139]},{"type":"call","value":[1180,1852,2596,4685]},{"type":"call","value":[1180,1852,2596,3364]},{"type":"call","value":[1180,1852,2596,4148]},{"type":"call","value":[1180,1852,2596,4694]},{"type":"call","value":[1180,1852,2596,3373]},{"type":"call","value":[1180,1852,2596,4157]},{"type":"call","value":[1180,1852,2596,3382]},{"type":"call","value":[1180,1852,2596,3501]},{"type":"call","value":[1180,1852,2596,2180]},{"type":"call","value":[1180,1852,2596,4166]},{"type":"call","value":[1180,1852,2596,3510]},{"type":"call","value":[1180,1852,2596,2189]},{"type":"call","value":[1180,1852,2596,1771]},{"type":"call","value":[1180,1852,2596,2198]},{"type":"call","value":[1180,1852,2596,1780]},{"type":"call","value":[1180,1852,2596,4779]},{"type":"call","value":[1180,1852,2596,1789]},{"type":"call","value":[1180,1852,2596,4788]},{"type":"call","value":[1180,1852,2596,2027]},{"type":"call","value":[1180,1852,2596,239]},{"type":"call","value":[1180,1852,2596,3119]},{"type":"call","value":[1180,1852,2596,2036]},{"type":"call","value":[1180,1852,2596,3476]},{"type":"call","value":[1180,1852,2596,1807]},{"type":"call","value":[1180,1852,2596,4806]},{"type":"call","value":[1180,1852,2596,2045]},{"type":"call","value":[1180,1852,2596,4925]},{"type":"call","value":[1180,1852,2596,4815]},{"type":"call","value":[1180,1852,2596,2054]},{"type":"call","value":[1180,1852,2596,3613]},{"type":"call","value":[1180,1852,2596,2063]},{"type":"call","value":[1180,1852,2596,2420]},{"type":"call","value":[1180,1852,2596,3204]},{"type":"call","value":[1180,1852,2596,2429]},{"type":"call","value":[1180,1852,2
596,3869]},{"type":"call","value":[1180,1852,2596,3878]},{"type":"call","value":[1180,1852,2596,3887]},{"type":"call","value":[1180,1852,2596,3469]},{"type":"call","value":[1180,1852,2596,3896]},{"type":"call","value":[1180,1852,2596,3597]},{"type":"call","value":[1180,1852,2596,2822]},{"type":"call","value":[1180,1852,2596,3606]},{"type":"call","value":[1180,1852,2596,1272]},{"type":"call","value":[1180,1852,2596,2831]},{"type":"call","value":[1180,1852,2596,2840]},{"type":"call","value":[1180,1852,2596,4637]},{"type":"call","value":[1180,1852,2596,2849]},{"type":"call","value":[1180,1852,2596,4646]},{"type":"call","value":[1180,1852,2596,4118]},{"type":"call","value":[1180,1852,2596,4664]},{"type":"call","value":[1180,1852,2596,1247]},{"type":"call","value":[1180,1852,2596,4127]},{"type":"call","value":[1180,1852,2596,4673]},{"type":"call","value":[1180,1852,2596,4136]},{"type":"call","value":[1180,1852,2596,3370]},{"type":"call","value":[1180,1852,2596,4154]},{"type":"call","value":[1180,1852,2596,2177]},{"type":"call","value":[1180,1852,2596,1759]},{"type":"call","value":[1180,1852,2596,2186]},{"type":"call","value":[1180,1852,2596,1768]},{"type":"call","value":[1180,1852,2596,4767]},{"type":"call","value":[1180,1852,2596,4776]},{"type":"call","value":[1180,1852,2596,4785]},{"type":"call","value":[1180,1852,2596,2024]},{"type":"call","value":[1180,1852,2596,4794]},{"type":"call","value":[1180,1852,2596,2033]},{"type":"call","value":[1180,1852,2596,4803]},{"type":"call","value":[1180,1852,2596,2042]},{"type":"call","value":[1180,1852,2596,2051]},{"type":"call","value":[1180,1852,2596,2408]},{"type":"call","value":[1180,1852,2596,2417]},{"type":"call","value":[1180,1852,2596,1096]},{"type":"call","value":[1180,1852,2596,2426]},{"type":"call","value":[1180,1852,2596,3866]},{"type":"call","value":[1180,1852,2596,2435]},{"type":"call","value":[1180,1852,2596,3448]},{"type":"call","value":[1180,1852,2596,3875]},{"type":"call","value":[1180,1852,2596,2792]},{"type":"ca
ll","value":[1180,1852,2596,3884]},{"type":"call","value":[1180,1852,2596,3457]},{"type":"call","value":[1180,1852,2596,2801]},{"type":"call","value":[1180,1852,2596,3466]},{"type":"call","value":[1180,1852,2596,3585]},{"type":"call","value":[1180,1852,2596,2810]},{"type":"call","value":[1180,1852,2596,3594]},{"type":"call","value":[1180,1852,2596,2273]},{"type":"call","value":[1180,1852,2596,2819]},{"type":"call","value":[1180,1852,2596,3603]},{"type":"call","value":[1180,1852,2596,4625]},{"type":"call","value":[1180,1852,2596,4634]},{"type":"call","value":[1180,1852,2596,4097]},{"type":"call","value":[1180,1852,2596,4643]},{"type":"call","value":[1180,1852,2596,4106]},{"type":"call","value":[1180,1852,2596,4652]},{"type":"call","value":[1180,1852,2596,4115]},{"type":"call","value":[1180,1852,2596,4661]},{"type":"call","value":[1180,1852,2596,1253]},{"type":"call","value":[1180,1852,2596,1738]},{"type":"call","value":[1180,1852,2596,3962]},{"type":"call","value":[1180,1852,2596,1747]},{"type":"call","value":[1180,1852,2596,2174]},{"type":"call","value":[1180,1852,2596,4746]},{"type":"call","value":[1180,1852,2596,1756]},{"type":"call","value":[1180,1852,2596,4755]},{"type":"call","value":[1180,1852,2596,1765]},{"type":"call","value":[1180,1852,2596,4764]},{"type":"call","value":[1180,1852,2596,1774]},{"type":"call","value":[1180,1852,2596,4773]},{"type":"call","value":[1180,1852,2596,4782]},{"type":"call","value":[1180,1852,2596,2021]},{"type":"call","value":[1180,1852,2596,2030]},{"type":"call","value":[1180,1852,2596,2387]},{"type":"call","value":[1180,1852,2596,2039]},{"type":"call","value":[1180,1852,2596,2396]},{"type":"call","value":[1180,1852,2596,2286]},{"type":"call","value":[1180,1852,2596,2405]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,1656]},{"success":true,"node":{"type":"state
ment","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1656,5605]},{"type":"call","value":[1200,1248,1656,5615]},{"type":"call","value":[1200,1248,1656,6127]},{"type":"call","value":[1200,1248,1656,6136]},{"type":"call","value":[1200,1248,1656,5617]},{"type":"call","value":[1200,1248,1656,6125]},{"type":"call","value":[1200,1248,1656,6115]},{"type":"call","value":[1200,1248,1656,5626]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,1560]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6268]},{"type":"call","value":[1200,1248,1560,6243]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,2360,1788]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1788,92]}],"captures":{}},{"success":false,"node":{"type":"feature","featu
re":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2744,2916]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,478]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1572,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenProcess"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenProcess"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2804,937]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenProcess"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create or open file":{"meta":{"name":"create or open file","authors":["michael.hunhoff@mandiant.com","joakim@intezer.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["File System","Create File"],"objective":"File System","behavior":"Create File","method":"","id":"C0016"}],"references":[],"examples":["B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: create or open file\n authors:\n - michael.hunhoff@mandiant.com\n - joakim@intezer.com\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - File 
System::Create File [C0016]\n examples:\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E\n features:\n - or:\n - api: CreateFile\n - api: CreateFileEx\n - api: IoCreateFile\n - api: IoCreateFileEx\n - api: ZwOpenFile\n - api: ZwCreateFile\n - api: NtOpenFile\n - api: NtCreateFile\n - api: LZCreateFile\n - api: LZOpenFile\n - api: fopen\n - api: fopen64\n - api: fdopen\n - api: freopen\n - api: open\n - api: openat\n","matches":[[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,782]},{"type":"call","value":[2456,3052,3064,716]},{"type":"call","value":[2456,3052,3064,739]},{"type":"call","value":[2456,3052,3064,751]},{"type":"call","value":[2456,3052,3064,730]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,370]},{"type":"call","value":[2456,3052,3064,804]},{"type":"call","value":[2456,3052,3064,813]}],"captures":{}},{"success":false,"node":{"typ
e":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2456,3052,2792]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,916]},{"type":"call","value":[2456,3052,2792,911]},{"type":"call","value":[2456,3052,2792,903]},{"type":"call","value":[2456,3052,2792,898]},{"type":"call","value":[2456,3052,2792,893]},{"type":"call","value":[2456,3052,2792,888]},{"type":"call","value":[2456,3052,2792,883]},{"type":"call","value":[2456,3052,2792,907]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2192,2204]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations"
:[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,363]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,1180,500]},{"success":true,"node":{"type":"statement"
,"statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,362]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"chi
ldren":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,118]},{"type":"call","value":[3052,2852,2804,115]},{"type":"call","value":[3052,2852,2804,84]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children
":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2852,2900,2904]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,90]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api"
,"api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,920]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"
children":[],"locations":[{"type":"call","value":[1180,1852,920,28]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2596]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","ap
i":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2596,217]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,764]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,764,595]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1156]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type"
:"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,2639]},{"type":"call","value":[1180,1852,1156,2729]},{"type":"call","value":[1180,1852,1156,2876]},{"type":"call","value":[1180,1852,1156,2673]},{"type":"call","value":[1180,1852,1156,2612]},{"type":"call","value":[1180,1852,1156,802]},{"type":"call","value":[1180,1852,1156,2895]},{"type":"call","value":[1180,1852,1156,2724]},{"type":"call","value":[1180,1852,1156,2884]},{"type":"call","value":[1180,1852,1156,2900]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,4953]},{"type":"call","value":[1180,1852,1156,3728]},{"type":"call","value":[1180,1852,1156,742]},{"type":"call","value":[1180,1852,1156,1873]},{"type":"call","value":[1180,1852,1156,5026]},{"type":"call","value":[1180,1852,1156,847]},{"type":"call","value":[1180,1852,1156,2345]},{"type":"call","value":[1180,1852,1156,2949]},{"type":"call","value":[1180,1852,1156,930]},{"type":"call","value":[1180,1852,1156,779]},{"type":"call","value":[1180,1852,1156,1877]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":f
alse,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,236]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feat
ure","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1412]},{"type":"call","value":[1180,1852,236,1419]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1476]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[]
,"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1476,1606]},{"type":"call","value":[1180,1852,1476,1641]},{"type":"call","value":[1180,1852,1476,1602]},{"type":"call","value":[1180,1852,1476,1670]},{"type":"call","value":[1180,1852,1476,1618]},{"type":"call","value":[1180,1852,1476,1663]},{"type":"call","value":[1180,1852,1476,1685]},{"type":"call","value":[1180,1852,1476,1637]},{"type":"call","value":[1180,1852,1476,1614]},{"type":"call","value":[1180,1852,1476,1659]},{"type":"call","value":[1180,1852,1476,1652]},{"type":"call","value":[1180,1852,1476,1681]},{"type":"call","value":[1180,1852,1476,1674]},{"type":"call","value":[1180,1852,1476,1648]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":
"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1020]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1020,3040]},{"type":"call","value":[1180,1852,1020,3063]},{"type":"call","value":[1180,1852,1020,3082]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1020,3096]},{"type":"call","value":[1180,1852,1020,2665]},{"type":"call","value":[1180,1852,1020,2716]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{
"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,732]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1200,1248,732,5904]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{
}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,2304]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"nod
e":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2304,6019]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2724,1816]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{
}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,54]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,39]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2800,640]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api
":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,46]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,31]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2744,2916]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success
":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,362]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"succes
s":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create or open registry key":{"meta":{"name":"create or open registry key","authors":["michael.hunhoff@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Operating System","Registry","Create Registry Key"],"objective":"Operating System","behavior":"Registry","method":"Create Registry Key","id":"C0036.004"},{"parts":["Operating System","Registry","Open Registry Key"],"objective":"Operating System","behavior":"Registry","method":"Open Registry Key","id":"C0036.003"}],"references":[],"examples":["Practical Malware Analysis Lab 03-02.dll_:0x10004706","Practical Malware Analysis Lab 11-01.exe_:0x401000","493167E85E45363D09495D0841C30648:0x404D60","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E","692f7fd6d198e804d6af98eb9e390d61:0x6000003"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: create or open registry key\n authors:\n - michael.hunhoff@mandiant.com\n - anushka.virgaonkar@mandiant.com\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Operating System::Registry::Create Registry Key [C0036.004]\n - Operating System::Registry::Open Registry Key [C0036.003]\n examples:\n - Practical Malware Analysis Lab 03-02.dll_:0x10004706\n - Practical Malware Analysis Lab 11-01.exe_:0x401000\n - 493167E85E45363D09495D0841C30648:0x404D60\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E\n - 692f7fd6d198e804d6af98eb9e390d61:0x6000003\n features:\n - or:\n - api: advapi32.RegOpenKey\n - api: advapi32.RegOpenKeyEx\n - api: advapi32.RegCreateKey\n - api: advapi32.RegCreateKeyEx\n - api: advapi32.RegOpenCurrentUser\n - api: advapi32.RegOpenKeyTransacted\n - api: advapi32.RegOpenUserClassesRoot\n - api: 
advapi32.RegCreateKeyTransacted\n - api: ZwOpenKey\n - api: ZwOpenKeyEx\n - api: ZwCreateKey\n - api: ZwOpenKeyTransacted\n - api: ZwOpenKeyTransactedEx\n - api: ZwCreateKeyTransacted\n - api: NtOpenKey\n - api: NtCreateKey\n - api: SHRegOpenUSKey\n - api: SHRegCreateUSKey\n - api: RtlCreateRegistryKey\n - api: Microsoft.Win32.RegistryKey::OpenSubKey\n - api: Microsoft.Win32.RegistryKey::OpenBaseKey\n - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey\n - api: Microsoft.Win32.RegistryKey::CreateSubKey\n","matches":[[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,46]},{"type":"call","value":[2456,3052,3064,1022]},{"type":"call","value":[2456,3052,3064,32]},{"type":"call","value":[2456,3052,3064,47]},{"type":"call","value":[2456,3052,3064,48]},{"type":"call","value":[2456,3052,3064,43]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::
OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2192,2204]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature"
:{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,35]},{"type":"call","value":[3052,2192,2204,1206]},{"type":"call","value":[3052,2192,2204,39]},{"type":"call","value":[3052,2192,2204,40]},{"type":"call","value":[3052,2192,2204,32]},{"type":"call","value":[3052,2192,2204,38]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"typ
e":"thread","value":[3052,1180,500]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"fe
ature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,742]},{"type":"call","value":[3052,1180,500,31]},{"type":"call","value":[3052,1180,500,39]},{"type":"call","value":[3052,1180,500,34]},{"type":"call","value":[3052,1180,500,37]},{"type":"call","value":[3052,1180,500,38]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":fa
lse,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,63]},{"type":"
call","value":[3052,2852,2804,58]},{"type":"call","value":[3052,2852,2804,55]},{"type":"call","value":[3052,2852,2804,61]},{"type":"call","value":[3052,2852,2804,1957]},{"type":"call","value":[3052,2852,2804,62]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2852,2900,2904]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures
":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,85]},{"type":"call","value":[2852,2900,2904,200]},{"type":"call","value":[2852,2900,2904,43]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feat
ure","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,920]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacte
d"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,45]},{"type":"call","value":[1180,1852,920,42]},{"type":"call","value":[1180,1852,920,32]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"t
ype":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1156]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","featur
e":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,2351]},{"type":"call","value":[1180,1852,1156,3679]},{"type":"call","value":[1180,1852,1156,2573]},{"type":"call","value":[1180,1852,1156,4964]},{"type":"call","value":[1180,1852,1156,4956]},{"type":"call","value":[1180,1852,1156,2567]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"chil
dren":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,236]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","
feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1181]},{"type":"call","value":[1180,1852,236,1160]},{"type":"call","value":[1180,1852,236,1133]},{"type":"call","value":[1180,1852,236,1173]},{"type":"call","value":[1180,1852,236,1113]},{"type":"call","value":[1180,1852,236,1121]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"ty
pe":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,1560]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":
"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,1560,6255]},{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1560,6254]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2420,2524]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"ch
ildren":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"s
uccess":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,32]},{"type":"call","value":[1852,2420,2524,24]},{"type":"call","value":[1852,2420,2524,30]},{"type":"call","value":[1852,2420,2524,27]},{"type":"call","value":[1852,2420,2524,31]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,2360,1788]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"no
de":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1788,165]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success
":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2724,1816]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":
"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,26]},{"type":"call","value":[1852,2724,1816,44]},{"type":"call","value":[1852,2724,1816,95]},{"type":"call","value":[1852,2724,1816,969]},{"type":"call","value":[1852,2724,1816,77]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feat
ure":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2800,640]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32
.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,36]},{"type":"call","value":[1852,2800,640,87]},{"type":"call","value":[1852,2800,640,1236]},{"type":"call","value":[1852,2800,640,69]},{"type":"call","value":[1852,2800,640,17]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"
api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2744,2916]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations"
:[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,37]},{"type":"call","value":[1852,2744,2916,38]},{"type":"call","value":[1852,2744,2916,732]},{"type":"call","value":[1852,2744,2916,31]},{"type":"call","value":[1852,2744,2916,39]},{"type":"call","value":[1852,2744,2916,34]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}}
,{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,500,240]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locati
ons":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,31]},{"type":"call","value":[1852,500,240,32]},{"type":"call","value":[1852,500,240,27]},{"type":"call","value":[1852,500,240,24]},{"type":"call","value":[1852,500,240,30]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1572,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"
success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":tru
e,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2804,1016]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"enumerate processes via NtQuerySystemInformation":{"meta":{"name":"enumerate processes via NtQuerySystemInformation","namespace":"host-interaction/process/list","authors":["@_re_fox"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[{"parts":["Discovery","Process Discovery"],"tactic":"Discovery","technique":"Process Discovery","subtechnique":"","id":"T1057"},{"parts":["Discovery","Software Discovery"],"tactic":"Discovery","technique":"Software 
Discovery","subtechnique":"","id":"T1518"}],"mbc":[],"references":[],"examples":["31bd8dd48ac0de3d4da340bf29f4d280:0x00401be3"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: enumerate processes via NtQuerySystemInformation\n namespace: host-interaction/process/list\n authors:\n - \"@_re_fox\"\n scopes:\n static: basic block\n dynamic: thread\n att&ck:\n - Discovery::Process Discovery [T1057]\n - Discovery::Software Discovery [T1518]\n examples:\n - 31bd8dd48ac0de3d4da340bf29f4d280:0x00401be3\n features:\n - and:\n - number: 0x5 = SYSTEM_PROCESS_INFORMATION\n - or:\n - api: NtQuerySystemInformation\n - api: NtQuerySystemInformationEx\n - api: ZwQuerySystemInformation\n - api: ZwQuerySystemInformationEx\n","matches":[[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":5,"description":"SYSTEM_PROCESS_INFORMATION"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,804]},{"type":"call","value":[2456,3052,3064,814]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformation"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,484]},{"type":"call","value":[2456,3052,3064,481]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformation"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","valu
e":[3052,1180,500]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":5,"description":"SYSTEM_PROCESS_INFORMATION"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,699]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformation"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,480]},{"type":"call","value":[3052,1180,500,477]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformation"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"get file attributes":{"meta":{"name":"get file attributes","namespace":"host-interaction/file-system/meta","authors":["michael.hunhoff@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["File System","Get File Attributes"],"objective":"File System","behavior":"Get File Attributes","method":"","id":"C0049"}],"references":[],"examples":["03B236B23B1EC37C663527C1F53AF3FE:0x180019824","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4029E0"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: get file attributes\n namespace: host-interaction/file-system/meta\n authors:\n - michael.hunhoff@mandiant.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - File 
System::Get File Attributes [C0049]\n examples:\n - 03B236B23B1EC37C663527C1F53AF3FE:0x180019824\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4029E0\n features:\n - or:\n - api: kernel32.GetFileAttributes\n - api: ZwQueryDirectoryFile\n - api: ZwQueryInformationFile\n - api: NtQueryDirectoryFile\n - api: NtQueryInformationFile\n - api: System.IO.File::GetAttributes\n - api: System.IO.File::GetCreationTime\n - api: System.IO.File::GetCreationTimeUtc\n - api: System.IO.File::GetLastAccessTime\n - api: System.IO.File::GetLastAccessTimeUtc\n - api: System.IO.File::GetLastWriteTime\n - api: System.IO.File::GetLastWriteTimeUtc\n - property/read: System.IO.FileSystemInfo::Attributes\n - api: stat\n - api: fstat\n - api: lstat\n - api: fstatat\n","matches":[[{"type":"thread","value":[2456,3052,3064]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,731]},{"type":"call","value":[2456,3052,3064,740]},{"type":"call","value":[2456,3052,3064,814]},{"type":"call","value":[2456,3052,3064,717]},{"type":"call","value":[2456,3052,3064,752]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetAttributes"}},"children":[],"locations":[],"
captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2456,3052,2792]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api",
"api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,897]},{"type":"call","value":[2456,3052,2792,892]},{"type":"call","value":[2456,3052,2792,887]},{"type":"call","value":[2456,3052,2792,882]},{"type":"call","value":[2456,3052,2792,910]},{"type":"call","value":[2456,3052,2792,906]},{"type":"call","value":[2456,3052,2792,915]},{"type":"call","value":[2456,3052,2792,902]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"pr
operty","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,781]},{"type":"call","value":[3052,2852,2804,1684]},{"type":"call","value":[3052,2852,2804,1028]},{"type":"call","value":[3052,2852,2804,372]},{"type":"call","value":[3052,2852,2804,799]},{"type":"call","value":[3052,2852,2804,1931]},{"type":"call","value":[3052,2852,2804,1275]},{"type":"call","value":[3052,2852,2804,1702]},{"type":"call","value":[3052,2852,2804,1046]},{"type":"call","value":[3052,2852,2804,390]},{"type":"call","value":[3052,2852,2804,1293]},{"type":"call","va
lue":[3052,2852,2804,637]},{"type":"call","value":[3052,2852,2804,884]},{"type":"call","value":[3052,2852,2804,1311]},{"type":"call","value":[3052,2852,2804,228]},{"type":"call","value":[3052,2852,2804,655]},{"type":"call","value":[3052,2852,2804,1558]},{"type":"call","value":[3052,2852,2804,902]},{"type":"call","value":[3052,2852,2804,246]},{"type":"call","value":[3052,2852,2804,1805]},{"type":"call","value":[3052,2852,2804,1149]},{"type":"call","value":[3052,2852,2804,1576]},{"type":"call","value":[3052,2852,2804,493]},{"type":"call","value":[3052,2852,2804,920]},{"type":"call","value":[3052,2852,2804,264]},{"type":"call","value":[3052,2852,2804,1823]},{"type":"call","value":[3052,2852,2804,1167]},{"type":"call","value":[3052,2852,2804,511]},{"type":"call","value":[3052,2852,2804,758]},{"type":"call","value":[3052,2852,2804,529]},{"type":"call","value":[3052,2852,2804,1661]},{"type":"call","value":[3052,2852,2804,776]},{"type":"call","value":[3052,2852,2804,1679]},{"type":"call","value":[3052,2852,2804,1023]},{"type":"call","value":[3052,2852,2804,367]},{"type":"call","value":[3052,2852,2804,1926]},{"type":"call","value":[3052,2852,2804,1270]},{"type":"call","value":[3052,2852,2804,1697]},{"type":"call","value":[3052,2852,2804,614]},{"type":"call","value":[3052,2852,2804,1041]},{"type":"call","value":[3052,2852,2804,385]},{"type":"call","value":[3052,2852,2804,1288]},{"type":"call","value":[3052,2852,2804,632]},{"type":"call","value":[3052,2852,2804,879]},{"type":"call","value":[3052,2852,2804,1306]},{"type":"call","value":[3052,2852,2804,650]},{"type":"call","value":[3052,2852,2804,1553]},{"type":"call","value":[3052,2852,2804,897]},{"type":"call","value":[3052,2852,2804,1800]},{"type":"call","value":[3052,2852,2804,1144]},{"type":"call","value":[3052,2852,2804,488]},{"type":"call","value":[3052,2852,2804,915]},{"type":"call","value":[3052,2852,2804,1818]},{"type":"call","value":[3052,2852,2804,1162]},{"type":"call","value":[3052,2852,2804,506]},{"type":"call","v
alue":[3052,2852,2804,753]},{"type":"call","value":[3052,2852,2804,1656]},{"type":"call","value":[3052,2852,2804,1000]},{"type":"call","value":[3052,2852,2804,344]},{"type":"call","value":[3052,2852,2804,771]},{"type":"call","value":[3052,2852,2804,1674]},{"type":"call","value":[3052,2852,2804,1018]},{"type":"call","value":[3052,2852,2804,362]},{"type":"call","value":[3052,2852,2804,1921]},{"type":"call","value":[3052,2852,2804,1265]},{"type":"call","value":[3052,2852,2804,1692]},{"type":"call","value":[3052,2852,2804,609]},{"type":"call","value":[3052,2852,2804,1036]},{"type":"call","value":[3052,2852,2804,380]},{"type":"call","value":[3052,2852,2804,1283]},{"type":"call","value":[3052,2852,2804,627]},{"type":"call","value":[3052,2852,2804,874]},{"type":"call","value":[3052,2852,2804,218]},{"type":"call","value":[3052,2852,2804,645]},{"type":"call","value":[3052,2852,2804,1777]},{"type":"call","value":[3052,2852,2804,1121]},{"type":"call","value":[3052,2852,2804,892]},{"type":"call","value":[3052,2852,2804,236]},{"type":"call","value":[3052,2852,2804,1795]},{"type":"call","value":[3052,2852,2804,1139]},{"type":"call","value":[3052,2852,2804,483]},{"type":"call","value":[3052,2852,2804,1813]},{"type":"call","value":[3052,2852,2804,730]},{"type":"call","value":[3052,2852,2804,1157]},{"type":"call","value":[3052,2852,2804,501]},{"type":"call","value":[3052,2852,2804,763]},{"type":"call","value":[3052,2852,2804,748]},{"type":"call","value":[3052,2852,2804,1651]},{"type":"call","value":[3052,2852,2804,995]},{"type":"call","value":[3052,2852,2804,339]},{"type":"call","value":[3052,2852,2804,766]},{"type":"call","value":[3052,2852,2804,1669]},{"type":"call","value":[3052,2852,2804,1013]},{"type":"call","value":[3052,2852,2804,357]},{"type":"call","value":[3052,2852,2804,1916]},{"type":"call","value":[3052,2852,2804,1260]},{"type":"call","value":[3052,2852,2804,604]},{"type":"call","value":[3052,2852,2804,375]},{"type":"call","value":[3052,2852,2804,851]},{"type":"call","v
alue":[3052,2852,2804,1278]},{"type":"call","value":[3052,2852,2804,622]},{"type":"call","value":[3052,2852,2804,869]},{"type":"call","value":[3052,2852,2804,1772]},{"type":"call","value":[3052,2852,2804,1116]},{"type":"call","value":[3052,2852,2804,460]},{"type":"call","value":[3052,2852,2804,887]},{"type":"call","value":[3052,2852,2804,1790]},{"type":"call","value":[3052,2852,2804,1134]},{"type":"call","value":[3052,2852,2804,478]},{"type":"call","value":[3052,2852,2804,1808]},{"type":"call","value":[3052,2852,2804,725]},{"type":"call","value":[3052,2852,2804,1152]},{"type":"call","value":[3052,2852,2804,496]},{"type":"call","value":[3052,2852,2804,743]},{"type":"call","value":[3052,2852,2804,1646]},{"type":"call","value":[3052,2852,2804,990]},{"type":"call","value":[3052,2852,2804,334]},{"type":"call","value":[3052,2852,2804,1893]},{"type":"call","value":[3052,2852,2804,1237]},{"type":"call","value":[3052,2852,2804,1664]},{"type":"call","value":[3052,2852,2804,581]},{"type":"call","value":[3052,2852,2804,1008]},{"type":"call","value":[3052,2852,2804,352]},{"type":"call","value":[3052,2852,2804,1911]},{"type":"call","value":[3052,2852,2804,1255]},{"type":"call","value":[3052,2852,2804,599]},{"type":"call","value":[3052,2852,2804,1929]},{"type":"call","value":[3052,2852,2804,846]},{"type":"call","value":[3052,2852,2804,1273]},{"type":"call","value":[3052,2852,2804,190]},{"type":"call","value":[3052,2852,2804,617]},{"type":"call","value":[3052,2852,2804,864]},{"type":"call","value":[3052,2852,2804,208]},{"type":"call","value":[3052,2852,2804,1767]},{"type":"call","value":[3052,2852,2804,1111]},{"type":"call","value":[3052,2852,2804,455]},{"type":"call","value":[3052,2852,2804,882]},{"type":"call","value":[3052,2852,2804,226]},{"type":"call","value":[3052,2852,2804,1785]},{"type":"call","value":[3052,2852,2804,1129]},{"type":"call","value":[3052,2852,2804,473]},{"type":"call","value":[3052,2852,2804,720]},{"type":"call","value":[3052,2852,2804,1623]},{"type":"call","
value":[3052,2852,2804,967]},{"type":"call","value":[3052,2852,2804,311]},{"type":"call","value":[3052,2852,2804,738]},{"type":"call","value":[3052,2852,2804,1641]},{"type":"call","value":[3052,2852,2804,985]},{"type":"call","value":[3052,2852,2804,329]},{"type":"call","value":[3052,2852,2804,1888]},{"type":"call","value":[3052,2852,2804,1232]},{"type":"call","value":[3052,2852,2804,1659]},{"type":"call","value":[3052,2852,2804,1003]},{"type":"call","value":[3052,2852,2804,347]},{"type":"call","value":[3052,2852,2804,1906]},{"type":"call","value":[3052,2852,2804,1250]},{"type":"call","value":[3052,2852,2804,594]},{"type":"call","value":[3052,2852,2804,1924]},{"type":"call","value":[3052,2852,2804,841]},{"type":"call","value":[3052,2852,2804,1268]},{"type":"call","value":[3052,2852,2804,612]},{"type":"call","value":[3052,2852,2804,859]},{"type":"call","value":[3052,2852,2804,1762]},{"type":"call","value":[3052,2852,2804,1106]},{"type":"call","value":[3052,2852,2804,450]},{"type":"call","value":[3052,2852,2804,1780]},{"type":"call","value":[3052,2852,2804,697]},{"type":"call","value":[3052,2852,2804,1124]},{"type":"call","value":[3052,2852,2804,468]},{"type":"call","value":[3052,2852,2804,715]},{"type":"call","value":[3052,2852,2804,1618]},{"type":"call","value":[3052,2852,2804,962]},{"type":"call","value":[3052,2852,2804,306]},{"type":"call","value":[3052,2852,2804,733]},{"type":"call","value":[3052,2852,2804,1636]},{"type":"call","value":[3052,2852,2804,980]},{"type":"call","value":[3052,2852,2804,324]},{"type":"call","value":[3052,2852,2804,1883]},{"type":"call","value":[3052,2852,2804,1227]},{"type":"call","value":[3052,2852,2804,1654]},{"type":"call","value":[3052,2852,2804,998]},{"type":"call","value":[3052,2852,2804,342]},{"type":"call","value":[3052,2852,2804,1901]},{"type":"call","value":[3052,2852,2804,1245]},{"type":"call","value":[3052,2852,2804,589]},{"type":"call","value":[3052,2852,2804,836]},{"type":"call","value":[3052,2852,2804,1739]},{"type":"call",
"value":[3052,2852,2804,1083]},{"type":"call","value":[3052,2852,2804,427]},{"type":"call","value":[3052,2852,2804,854]},{"type":"call","value":[3052,2852,2804,198]},{"type":"call","value":[3052,2852,2804,1757]},{"type":"call","value":[3052,2852,2804,1101]},{"type":"call","value":[3052,2852,2804,445]},{"type":"call","value":[3052,2852,2804,1348]},{"type":"call","value":[3052,2852,2804,1775]},{"type":"call","value":[3052,2852,2804,692]},{"type":"call","value":[3052,2852,2804,1119]},{"type":"call","value":[3052,2852,2804,463]},{"type":"call","value":[3052,2852,2804,710]},{"type":"call","value":[3052,2852,2804,1613]},{"type":"call","value":[3052,2852,2804,957]},{"type":"call","value":[3052,2852,2804,301]},{"type":"call","value":[3052,2852,2804,728]},{"type":"call","value":[3052,2852,2804,1860]},{"type":"call","value":[3052,2852,2804,1631]},{"type":"call","value":[3052,2852,2804,975]},{"type":"call","value":[3052,2852,2804,319]},{"type":"call","value":[3052,2852,2804,1878]},{"type":"call","value":[3052,2852,2804,1222]},{"type":"call","value":[3052,2852,2804,566]},{"type":"call","value":[3052,2852,2804,1896]},{"type":"call","value":[3052,2852,2804,813]},{"type":"call","value":[3052,2852,2804,1240]},{"type":"call","value":[3052,2852,2804,584]},{"type":"call","value":[3052,2852,2804,831]},{"type":"call","value":[3052,2852,2804,1734]},{"type":"call","value":[3052,2852,2804,1078]},{"type":"call","value":[3052,2852,2804,422]},{"type":"call","value":[3052,2852,2804,849]},{"type":"call","value":[3052,2852,2804,1752]},{"type":"call","value":[3052,2852,2804,1096]},{"type":"call","value":[3052,2852,2804,440]},{"type":"call","value":[3052,2852,2804,1343]},{"type":"call","value":[3052,2852,2804,687]},{"type":"call","value":[3052,2852,2804,1114]},{"type":"call","value":[3052,2852,2804,458]},{"type":"call","value":[3052,2852,2804,1590]},{"type":"call","value":[3052,2852,2804,705]},{"type":"call","value":[3052,2852,2804,1608]},{"type":"call","value":[3052,2852,2804,952]},{"type":"call"
,"value":[3052,2852,2804,296]},{"type":"call","value":[3052,2852,2804,1855]},{"type":"call","value":[3052,2852,2804,1199]},{"type":"call","value":[3052,2852,2804,1626]},{"type":"call","value":[3052,2852,2804,543]},{"type":"call","value":[3052,2852,2804,970]},{"type":"call","value":[3052,2852,2804,314]},{"type":"call","value":[3052,2852,2804,1873]},{"type":"call","value":[3052,2852,2804,1217]},{"type":"call","value":[3052,2852,2804,561]},{"type":"call","value":[3052,2852,2804,1891]},{"type":"call","value":[3052,2852,2804,808]},{"type":"call","value":[3052,2852,2804,1235]},{"type":"call","value":[3052,2852,2804,579]},{"type":"call","value":[3052,2852,2804,1482]},{"type":"call","value":[3052,2852,2804,826]},{"type":"call","value":[3052,2852,2804,1729]},{"type":"call","value":[3052,2852,2804,1073]},{"type":"call","value":[3052,2852,2804,417]},{"type":"call","value":[3052,2852,2804,844]},{"type":"call","value":[3052,2852,2804,188]},{"type":"call","value":[3052,2852,2804,1320]},{"type":"call","value":[3052,2852,2804,1747]},{"type":"call","value":[3052,2852,2804,1091]},{"type":"call","value":[3052,2852,2804,435]},{"type":"call","value":[3052,2852,2804,1338]},{"type":"call","value":[3052,2852,2804,682]},{"type":"call","value":[3052,2852,2804,1585]},{"type":"call","value":[3052,2852,2804,929]},{"type":"call","value":[3052,2852,2804,273]},{"type":"call","value":[3052,2852,2804,700]},{"type":"call","value":[3052,2852,2804,1603]},{"type":"call","value":[3052,2852,2804,947]},{"type":"call","value":[3052,2852,2804,1850]},{"type":"call","value":[3052,2852,2804,1194]},{"type":"call","value":[3052,2852,2804,1621]},{"type":"call","value":[3052,2852,2804,538]},{"type":"call","value":[3052,2852,2804,965]},{"type":"call","value":[3052,2852,2804,309]},{"type":"call","value":[3052,2852,2804,1868]},{"type":"call","value":[3052,2852,2804,1212]},{"type":"call","value":[3052,2852,2804,556]},{"type":"call","value":[3052,2852,2804,1459]},{"type":"call","value":[3052,2852,2804,803]},{"type":"cal
l","value":[3052,2852,2804,147]},{"type":"call","value":[3052,2852,2804,1706]},{"type":"call","value":[3052,2852,2804,1477]},{"type":"call","value":[3052,2852,2804,821]},{"type":"call","value":[3052,2852,2804,165]},{"type":"call","value":[3052,2852,2804,1724]},{"type":"call","value":[3052,2852,2804,1068]},{"type":"call","value":[3052,2852,2804,412]},{"type":"call","value":[3052,2852,2804,1315]},{"type":"call","value":[3052,2852,2804,1742]},{"type":"call","value":[3052,2852,2804,659]},{"type":"call","value":[3052,2852,2804,1086]},{"type":"call","value":[3052,2852,2804,430]},{"type":"call","value":[3052,2852,2804,1333]},{"type":"call","value":[3052,2852,2804,677]},{"type":"call","value":[3052,2852,2804,1580]},{"type":"call","value":[3052,2852,2804,924]},{"type":"call","value":[3052,2852,2804,268]},{"type":"call","value":[3052,2852,2804,695]},{"type":"call","value":[3052,2852,2804,1598]},{"type":"call","value":[3052,2852,2804,942]},{"type":"call","value":[3052,2852,2804,286]},{"type":"call","value":[3052,2852,2804,1845]},{"type":"call","value":[3052,2852,2804,1189]},{"type":"call","value":[3052,2852,2804,533]},{"type":"call","value":[3052,2852,2804,960]},{"type":"call","value":[3052,2852,2804,304]},{"type":"call","value":[3052,2852,2804,1863]},{"type":"call","value":[3052,2852,2804,1207]},{"type":"call","value":[3052,2852,2804,551]},{"type":"call","value":[3052,2852,2804,798]},{"type":"call","value":[3052,2852,2804,1701]},{"type":"call","value":[3052,2852,2804,1045]},{"type":"call","value":[3052,2852,2804,1472]},{"type":"call","value":[3052,2852,2804,389]},{"type":"call","value":[3052,2852,2804,816]},{"type":"call","value":[3052,2852,2804,1719]},{"type":"call","value":[3052,2852,2804,1063]},{"type":"call","value":[3052,2852,2804,407]},{"type":"call","value":[3052,2852,2804,1310]},{"type":"call","value":[3052,2852,2804,1737]},{"type":"call","value":[3052,2852,2804,654]},{"type":"call","value":[3052,2852,2804,1081]},{"type":"call","value":[3052,2852,2804,425]},{"type":"c
all","value":[3052,2852,2804,1328]},{"type":"call","value":[3052,2852,2804,672]},{"type":"call","value":[3052,2852,2804,1575]},{"type":"call","value":[3052,2852,2804,919]},{"type":"call","value":[3052,2852,2804,690]},{"type":"call","value":[3052,2852,2804,1822]},{"type":"call","value":[3052,2852,2804,1166]},{"type":"call","value":[3052,2852,2804,1593]},{"type":"call","value":[3052,2852,2804,937]},{"type":"call","value":[3052,2852,2804,281]},{"type":"call","value":[3052,2852,2804,1840]},{"type":"call","value":[3052,2852,2804,1184]},{"type":"call","value":[3052,2852,2804,528]},{"type":"call","value":[3052,2852,2804,1858]},{"type":"call","value":[3052,2852,2804,775]},{"type":"call","value":[3052,2852,2804,1202]},{"type":"call","value":[3052,2852,2804,119]},{"type":"call","value":[3052,2852,2804,546]},{"type":"call","value":[3052,2852,2804,793]},{"type":"call","value":[3052,2852,2804,1696]},{"type":"call","value":[3052,2852,2804,1040]},{"type":"call","value":[3052,2852,2804,384]},{"type":"call","value":[3052,2852,2804,811]},{"type":"call","value":[3052,2852,2804,1714]},{"type":"call","value":[3052,2852,2804,1058]},{"type":"call","value":[3052,2852,2804,402]},{"type":"call","value":[3052,2852,2804,1305]},{"type":"call","value":[3052,2852,2804,649]},{"type":"call","value":[3052,2852,2804,420]},{"type":"call","value":[3052,2852,2804,896]},{"type":"call","value":[3052,2852,2804,1323]},{"type":"call","value":[3052,2852,2804,667]},{"type":"call","value":[3052,2852,2804,1570]},{"type":"call","value":[3052,2852,2804,914]},{"type":"call","value":[3052,2852,2804,258]},{"type":"call","value":[3052,2852,2804,1817]},{"type":"call","value":[3052,2852,2804,1161]},{"type":"call","value":[3052,2852,2804,1588]},{"type":"call","value":[3052,2852,2804,505]},{"type":"call","value":[3052,2852,2804,932]},{"type":"call","value":[3052,2852,2804,276]},{"type":"call","value":[3052,2852,2804,1835]},{"type":"call","value":[3052,2852,2804,1179]},{"type":"call","value":[3052,2852,2804,523]},{"type":"
call","value":[3052,2852,2804,1853]},{"type":"call","value":[3052,2852,2804,770]},{"type":"call","value":[3052,2852,2804,1197]},{"type":"call","value":[3052,2852,2804,541]},{"type":"call","value":[3052,2852,2804,788]},{"type":"call","value":[3052,2852,2804,1691]},{"type":"call","value":[3052,2852,2804,1035]},{"type":"call","value":[3052,2852,2804,379]},{"type":"call","value":[3052,2852,2804,1282]},{"type":"call","value":[3052,2852,2804,1709]},{"type":"call","value":[3052,2852,2804,626]},{"type":"call","value":[3052,2852,2804,1053]},{"type":"call","value":[3052,2852,2804,397]},{"type":"call","value":[3052,2852,2804,1300]},{"type":"call","value":[3052,2852,2804,644]},{"type":"call","value":[3052,2852,2804,891]},{"type":"call","value":[3052,2852,2804,1318]},{"type":"call","value":[3052,2852,2804,662]},{"type":"call","value":[3052,2852,2804,1565]},{"type":"call","value":[3052,2852,2804,909]},{"type":"call","value":[3052,2852,2804,1812]},{"type":"call","value":[3052,2852,2804,1156]},{"type":"call","value":[3052,2852,2804,1583]},{"type":"call","value":[3052,2852,2804,500]},{"type":"call","value":[3052,2852,2804,927]},{"type":"call","value":[3052,2852,2804,271]},{"type":"call","value":[3052,2852,2804,1830]},{"type":"call","value":[3052,2852,2804,1174]},{"type":"call","value":[3052,2852,2804,518]},{"type":"call","value":[3052,2852,2804,765]},{"type":"call","value":[3052,2852,2804,1668]},{"type":"call","value":[3052,2852,2804,1012]},{"type":"call","value":[3052,2852,2804,356]},{"type":"call","value":[3052,2852,2804,783]},{"type":"call","value":[3052,2852,2804,1686]},{"type":"call","value":[3052,2852,2804,1030]},{"type":"call","value":[3052,2852,2804,374]},{"type":"call","value":[3052,2852,2804,1933]},{"type":"call","value":[3052,2852,2804,1277]},{"type":"call","value":[3052,2852,2804,1704]},{"type":"call","value":[3052,2852,2804,621]},{"type":"call","value":[3052,2852,2804,1048]},{"type":"call","value":[3052,2852,2804,392]},{"type":"call","value":[3052,2852,2804,1295]},{"typ
e":"call","value":[3052,2852,2804,639]},{"type":"call","value":[3052,2852,2804,886]},{"type":"call","value":[3052,2852,2804,1313]},{"type":"call","value":[3052,2852,2804,230]},{"type":"call","value":[3052,2852,2804,657]},{"type":"call","value":[3052,2852,2804,1560]},{"type":"call","value":[3052,2852,2804,904]},{"type":"call","value":[3052,2852,2804,248]},{"type":"call","value":[3052,2852,2804,1807]},{"type":"call","value":[3052,2852,2804,1151]},{"type":"call","value":[3052,2852,2804,495]},{"type":"call","value":[3052,2852,2804,1825]},{"type":"call","value":[3052,2852,2804,742]},{"type":"call","value":[3052,2852,2804,1169]},{"type":"call","value":[3052,2852,2804,513]},{"type":"call","value":[3052,2852,2804,760]},{"type":"call","value":[3052,2852,2804,1663]},{"type":"call","value":[3052,2852,2804,1007]},{"type":"call","value":[3052,2852,2804,351]},{"type":"call","value":[3052,2852,2804,778]},{"type":"call","value":[3052,2852,2804,1681]},{"type":"call","value":[3052,2852,2804,1025]},{"type":"call","value":[3052,2852,2804,369]},{"type":"call","value":[3052,2852,2804,1928]},{"type":"call","value":[3052,2852,2804,1272]},{"type":"call","value":[3052,2852,2804,1699]},{"type":"call","value":[3052,2852,2804,616]},{"type":"call","value":[3052,2852,2804,1043]},{"type":"call","value":[3052,2852,2804,387]},{"type":"call","value":[3052,2852,2804,1290]},{"type":"call","value":[3052,2852,2804,634]},{"type":"call","value":[3052,2852,2804,881]},{"type":"call","value":[3052,2852,2804,1784]},{"type":"call","value":[3052,2852,2804,1128]},{"type":"call","value":[3052,2852,2804,1555]},{"type":"call","value":[3052,2852,2804,472]},{"type":"call","value":[3052,2852,2804,899]},{"type":"call","value":[3052,2852,2804,1802]},{"type":"call","value":[3052,2852,2804,1146]},{"type":"call","value":[3052,2852,2804,490]},{"type":"call","value":[3052,2852,2804,1820]},{"type":"call","value":[3052,2852,2804,737]},{"type":"call","value":[3052,2852,2804,1164]},{"type":"call","value":[3052,2852,2804,508]},{"t
ype":"call","value":[3052,2852,2804,755]},{"type":"call","value":[3052,2852,2804,1658]},{"type":"call","value":[3052,2852,2804,1002]},{"type":"call","value":[3052,2852,2804,346]},{"type":"call","value":[3052,2852,2804,773]},{"type":"call","value":[3052,2852,2804,1905]},{"type":"call","value":[3052,2852,2804,1676]},{"type":"call","value":[3052,2852,2804,1020]},{"type":"call","value":[3052,2852,2804,364]},{"type":"call","value":[3052,2852,2804,1923]},{"type":"call","value":[3052,2852,2804,1267]},{"type":"call","value":[3052,2852,2804,611]},{"type":"call","value":[3052,2852,2804,858]},{"type":"call","value":[3052,2852,2804,1285]},{"type":"call","value":[3052,2852,2804,202]},{"type":"call","value":[3052,2852,2804,629]},{"type":"call","value":[3052,2852,2804,876]},{"type":"call","value":[3052,2852,2804,220]},{"type":"call","value":[3052,2852,2804,1779]},{"type":"call","value":[3052,2852,2804,1123]},{"type":"call","value":[3052,2852,2804,467]},{"type":"call","value":[3052,2852,2804,894]},{"type":"call","value":[3052,2852,2804,238]},{"type":"call","value":[3052,2852,2804,1797]},{"type":"call","value":[3052,2852,2804,1141]},{"type":"call","value":[3052,2852,2804,485]},{"type":"call","value":[3052,2852,2804,732]},{"type":"call","value":[3052,2852,2804,1159]},{"type":"call","value":[3052,2852,2804,503]},{"type":"call","value":[3052,2852,2804,1635]},{"type":"call","value":[3052,2852,2804,750]},{"type":"call","value":[3052,2852,2804,1653]},{"type":"call","value":[3052,2852,2804,997]},{"type":"call","value":[3052,2852,2804,341]},{"type":"call","value":[3052,2852,2804,1900]},{"type":"call","value":[3052,2852,2804,1244]},{"type":"call","value":[3052,2852,2804,1671]},{"type":"call","value":[3052,2852,2804,588]},{"type":"call","value":[3052,2852,2804,1015]},{"type":"call","value":[3052,2852,2804,359]},{"type":"call","value":[3052,2852,2804,1918]},{"type":"call","value":[3052,2852,2804,1262]},{"type":"call","value":[3052,2852,2804,606]},{"type":"call","value":[3052,2852,2804,853]},{"
type":"call","value":[3052,2852,2804,1280]},{"type":"call","value":[3052,2852,2804,624]},{"type":"call","value":[3052,2852,2804,871]},{"type":"call","value":[3052,2852,2804,1774]},{"type":"call","value":[3052,2852,2804,1118]},{"type":"call","value":[3052,2852,2804,462]},{"type":"call","value":[3052,2852,2804,889]},{"type":"call","value":[3052,2852,2804,1792]},{"type":"call","value":[3052,2852,2804,1136]},{"type":"call","value":[3052,2852,2804,480]},{"type":"call","value":[3052,2852,2804,727]},{"type":"call","value":[3052,2852,2804,1630]},{"type":"call","value":[3052,2852,2804,974]},{"type":"call","value":[3052,2852,2804,318]},{"type":"call","value":[3052,2852,2804,745]},{"type":"call","value":[3052,2852,2804,1648]},{"type":"call","value":[3052,2852,2804,992]},{"type":"call","value":[3052,2852,2804,336]},{"type":"call","value":[3052,2852,2804,1895]},{"type":"call","value":[3052,2852,2804,1239]},{"type":"call","value":[3052,2852,2804,1666]},{"type":"call","value":[3052,2852,2804,583]},{"type":"call","value":[3052,2852,2804,1010]},{"type":"call","value":[3052,2852,2804,354]},{"type":"call","value":[3052,2852,2804,1913]},{"type":"call","value":[3052,2852,2804,1257]},{"type":"call","value":[3052,2852,2804,601]},{"type":"call","value":[3052,2852,2804,848]},{"type":"call","value":[3052,2852,2804,192]},{"type":"call","value":[3052,2852,2804,619]},{"type":"call","value":[3052,2852,2804,1751]},{"type":"call","value":[3052,2852,2804,1095]},{"type":"call","value":[3052,2852,2804,866]},{"type":"call","value":[3052,2852,2804,210]},{"type":"call","value":[3052,2852,2804,1769]},{"type":"call","value":[3052,2852,2804,1113]},{"type":"call","value":[3052,2852,2804,457]},{"type":"call","value":[3052,2852,2804,1787]},{"type":"call","value":[3052,2852,2804,704]},{"type":"call","value":[3052,2852,2804,1131]},{"type":"call","value":[3052,2852,2804,475]},{"type":"call","value":[3052,2852,2804,722]},{"type":"call","value":[3052,2852,2804,1625]},{"type":"call","value":[3052,2852,2804,969]},{"
type":"call","value":[3052,2852,2804,313]},{"type":"call","value":[3052,2852,2804,740]},{"type":"call","value":[3052,2852,2804,1643]},{"type":"call","value":[3052,2852,2804,987]},{"type":"call","value":[3052,2852,2804,331]},{"type":"call","value":[3052,2852,2804,1890]},{"type":"call","value":[3052,2852,2804,1234]},{"type":"call","value":[3052,2852,2804,578]},{"type":"call","value":[3052,2852,2804,1005]},{"type":"call","value":[3052,2852,2804,349]},{"type":"call","value":[3052,2852,2804,1481]},{"type":"call","value":[3052,2852,2804,1908]},{"type":"call","value":[3052,2852,2804,1252]},{"type":"call","value":[3052,2852,2804,596]},{"type":"call","value":[3052,2852,2804,843]},{"type":"call","value":[3052,2852,2804,1746]},{"type":"call","value":[3052,2852,2804,1090]},{"type":"call","value":[3052,2852,2804,434]},{"type":"call","value":[3052,2852,2804,861]},{"type":"call","value":[3052,2852,2804,1764]},{"type":"call","value":[3052,2852,2804,1108]},{"type":"call","value":[3052,2852,2804,452]},{"type":"call","value":[3052,2852,2804,1782]},{"type":"call","value":[3052,2852,2804,699]},{"type":"call","value":[3052,2852,2804,1126]},{"type":"call","value":[3052,2852,2804,470]},{"type":"call","value":[3052,2852,2804,717]},{"type":"call","value":[3052,2852,2804,1620]},{"type":"call","value":[3052,2852,2804,964]},{"type":"call","value":[3052,2852,2804,308]},{"type":"call","value":[3052,2852,2804,735]},{"type":"call","value":[3052,2852,2804,1867]},{"type":"call","value":[3052,2852,2804,1211]},{"type":"call","value":[3052,2852,2804,1638]},{"type":"call","value":[3052,2852,2804,982]},{"type":"call","value":[3052,2852,2804,326]},{"type":"call","value":[3052,2852,2804,1885]},{"type":"call","value":[3052,2852,2804,1229]},{"type":"call","value":[3052,2852,2804,1476]},{"type":"call","value":[3052,2852,2804,1903]},{"type":"call","value":[3052,2852,2804,820]},{"type":"call","value":[3052,2852,2804,1247]},{"type":"call","value":[3052,2852,2804,591]},{"type":"call","value":[3052,2852,2804,838]},
{"type":"call","value":[3052,2852,2804,1741]},{"type":"call","value":[3052,2852,2804,1085]},{"type":"call","value":[3052,2852,2804,429]},{"type":"call","value":[3052,2852,2804,856]},{"type":"call","value":[3052,2852,2804,200]},{"type":"call","value":[3052,2852,2804,1759]},{"type":"call","value":[3052,2852,2804,1103]},{"type":"call","value":[3052,2852,2804,447]},{"type":"call","value":[3052,2852,2804,694]},{"type":"call","value":[3052,2852,2804,465]},{"type":"call","value":[3052,2852,2804,1597]},{"type":"call","value":[3052,2852,2804,941]},{"type":"call","value":[3052,2852,2804,712]},{"type":"call","value":[3052,2852,2804,1615]},{"type":"call","value":[3052,2852,2804,959]},{"type":"call","value":[3052,2852,2804,303]},{"type":"call","value":[3052,2852,2804,1862]},{"type":"call","value":[3052,2852,2804,1206]},{"type":"call","value":[3052,2852,2804,1633]},{"type":"call","value":[3052,2852,2804,550]},{"type":"call","value":[3052,2852,2804,977]},{"type":"call","value":[3052,2852,2804,321]},{"type":"call","value":[3052,2852,2804,1880]},{"type":"call","value":[3052,2852,2804,1224]},{"type":"call","value":[3052,2852,2804,568]},{"type":"call","value":[3052,2852,2804,1898]},{"type":"call","value":[3052,2852,2804,815]},{"type":"call","value":[3052,2852,2804,1242]},{"type":"call","value":[3052,2852,2804,586]},{"type":"call","value":[3052,2852,2804,833]},{"type":"call","value":[3052,2852,2804,1736]},{"type":"call","value":[3052,2852,2804,1080]},{"type":"call","value":[3052,2852,2804,424]},{"type":"call","value":[3052,2852,2804,1327]},{"type":"call","value":[3052,2852,2804,1754]},{"type":"call","value":[3052,2852,2804,671]},{"type":"call","value":[3052,2852,2804,1098]},{"type":"call","value":[3052,2852,2804,442]},{"type":"call","value":[3052,2852,2804,1345]},{"type":"call","value":[3052,2852,2804,689]},{"type":"call","value":[3052,2852,2804,1592]},{"type":"call","value":[3052,2852,2804,936]},{"type":"call","value":[3052,2852,2804,280]},{"type":"call","value":[3052,2852,2804,707]},
{"type":"call","value":[3052,2852,2804,1610]},{"type":"call","value":[3052,2852,2804,954]},{"type":"call","value":[3052,2852,2804,298]},{"type":"call","value":[3052,2852,2804,1857]},{"type":"call","value":[3052,2852,2804,1201]},{"type":"call","value":[3052,2852,2804,1628]},{"type":"call","value":[3052,2852,2804,545]},{"type":"call","value":[3052,2852,2804,972]},{"type":"call","value":[3052,2852,2804,316]},{"type":"call","value":[3052,2852,2804,1875]},{"type":"call","value":[3052,2852,2804,1219]},{"type":"call","value":[3052,2852,2804,563]},{"type":"call","value":[3052,2852,2804,1466]},{"type":"call","value":[3052,2852,2804,810]},{"type":"call","value":[3052,2852,2804,1713]},{"type":"call","value":[3052,2852,2804,1057]},{"type":"call","value":[3052,2852,2804,401]},{"type":"call","value":[3052,2852,2804,828]},{"type":"call","value":[3052,2852,2804,1731]},{"type":"call","value":[3052,2852,2804,1075]},{"type":"call","value":[3052,2852,2804,419]},{"type":"call","value":[3052,2852,2804,1322]},{"type":"call","value":[3052,2852,2804,1749]},{"type":"call","value":[3052,2852,2804,666]},{"type":"call","value":[3052,2852,2804,1093]},{"type":"call","value":[3052,2852,2804,437]},{"type":"call","value":[3052,2852,2804,1340]},{"type":"call","value":[3052,2852,2804,684]},{"type":"call","value":[3052,2852,2804,1587]},{"type":"call","value":[3052,2852,2804,931]},{"type":"call","value":[3052,2852,2804,275]},{"type":"call","value":[3052,2852,2804,702]},{"type":"call","value":[3052,2852,2804,1605]},{"type":"call","value":[3052,2852,2804,949]},{"type":"call","value":[3052,2852,2804,293]},{"type":"call","value":[3052,2852,2804,1852]},{"type":"call","value":[3052,2852,2804,1196]},{"type":"call","value":[3052,2852,2804,540]},{"type":"call","value":[3052,2852,2804,1870]},{"type":"call","value":[3052,2852,2804,787]},{"type":"call","value":[3052,2852,2804,1214]},{"type":"call","value":[3052,2852,2804,558]},{"type":"call","value":[3052,2852,2804,1461]},{"type":"call","value":[3052,2852,2804,805]
},{"type":"call","value":[3052,2852,2804,1708]},{"type":"call","value":[3052,2852,2804,1052]},{"type":"call","value":[3052,2852,2804,1479]},{"type":"call","value":[3052,2852,2804,396]},{"type":"call","value":[3052,2852,2804,823]},{"type":"call","value":[3052,2852,2804,1726]},{"type":"call","value":[3052,2852,2804,1070]},{"type":"call","value":[3052,2852,2804,414]},{"type":"call","value":[3052,2852,2804,1317]},{"type":"call","value":[3052,2852,2804,1744]},{"type":"call","value":[3052,2852,2804,661]},{"type":"call","value":[3052,2852,2804,1088]},{"type":"call","value":[3052,2852,2804,432]},{"type":"call","value":[3052,2852,2804,1335]},{"type":"call","value":[3052,2852,2804,679]},{"type":"call","value":[3052,2852,2804,1582]},{"type":"call","value":[3052,2852,2804,926]},{"type":"call","value":[3052,2852,2804,270]},{"type":"call","value":[3052,2852,2804,1829]},{"type":"call","value":[3052,2852,2804,1173]},{"type":"call","value":[3052,2852,2804,1600]},{"type":"call","value":[3052,2852,2804,517]},{"type":"call","value":[3052,2852,2804,944]},{"type":"call","value":[3052,2852,2804,288]},{"type":"call","value":[3052,2852,2804,1847]},{"type":"call","value":[3052,2852,2804,1191]},{"type":"call","value":[3052,2852,2804,535]},{"type":"call","value":[3052,2852,2804,1865]},{"type":"call","value":[3052,2852,2804,782]},{"type":"call","value":[3052,2852,2804,1209]},{"type":"call","value":[3052,2852,2804,553]},{"type":"call","value":[3052,2852,2804,800]},{"type":"call","value":[3052,2852,2804,1703]},{"type":"call","value":[3052,2852,2804,1047]},{"type":"call","value":[3052,2852,2804,1474]},{"type":"call","value":[3052,2852,2804,391]},{"type":"call","value":[3052,2852,2804,818]},{"type":"call","value":[3052,2852,2804,1721]},{"type":"call","value":[3052,2852,2804,1065]},{"type":"call","value":[3052,2852,2804,409]},{"type":"call","value":[3052,2852,2804,1312]},{"type":"call","value":[3052,2852,2804,656]},{"type":"call","value":[3052,2852,2804,1559]},{"type":"call","value":[3052,2852,2804,
903]},{"type":"call","value":[3052,2852,2804,1330]},{"type":"call","value":[3052,2852,2804,674]},{"type":"call","value":[3052,2852,2804,1577]},{"type":"call","value":[3052,2852,2804,921]},{"type":"call","value":[3052,2852,2804,1824]},{"type":"call","value":[3052,2852,2804,1168]},{"type":"call","value":[3052,2852,2804,1595]},{"type":"call","value":[3052,2852,2804,512]},{"type":"call","value":[3052,2852,2804,939]},{"type":"call","value":[3052,2852,2804,283]},{"type":"call","value":[3052,2852,2804,1842]},{"type":"call","value":[3052,2852,2804,1186]},{"type":"call","value":[3052,2852,2804,530]},{"type":"call","value":[3052,2852,2804,777]},{"type":"call","value":[3052,2852,2804,1204]},{"type":"call","value":[3052,2852,2804,548]},{"type":"call","value":[3052,2852,2804,1680]},{"type":"call","value":[3052,2852,2804,795]},{"type":"call","value":[3052,2852,2804,1698]},{"type":"call","value":[3052,2852,2804,1042]},{"type":"call","value":[3052,2852,2804,386]},{"type":"call","value":[3052,2852,2804,1289]},{"type":"call","value":[3052,2852,2804,1716]},{"type":"call","value":[3052,2852,2804,633]},{"type":"call","value":[3052,2852,2804,1060]},{"type":"call","value":[3052,2852,2804,404]},{"type":"call","value":[3052,2852,2804,1307]},{"type":"call","value":[3052,2852,2804,651]},{"type":"call","value":[3052,2852,2804,1554]},{"type":"call","value":[3052,2852,2804,898]},{"type":"call","value":[3052,2852,2804,1325]},{"type":"call","value":[3052,2852,2804,242]},{"type":"call","value":[3052,2852,2804,669]},{"type":"call","value":[3052,2852,2804,1572]},{"type":"call","value":[3052,2852,2804,916]},{"type":"call","value":[3052,2852,2804,260]},{"type":"call","value":[3052,2852,2804,1819]},{"type":"call","value":[3052,2852,2804,1163]},{"type":"call","value":[3052,2852,2804,507]},{"type":"call","value":[3052,2852,2804,934]},{"type":"call","value":[3052,2852,2804,278]},{"type":"call","value":[3052,2852,2804,1837]},{"type":"call","value":[3052,2852,2804,1181]},{"type":"call","value":[3052,2852,280
4,525]},{"type":"call","value":[3052,2852,2804,772]},{"type":"call","value":[3052,2852,2804,1675]},{"type":"call","value":[3052,2852,2804,1019]},{"type":"call","value":[3052,2852,2804,363]},{"type":"call","value":[3052,2852,2804,790]},{"type":"call","value":[3052,2852,2804,1693]},{"type":"call","value":[3052,2852,2804,1037]},{"type":"call","value":[3052,2852,2804,381]},{"type":"call","value":[3052,2852,2804,1284]},{"type":"call","value":[3052,2852,2804,1711]},{"type":"call","value":[3052,2852,2804,628]},{"type":"call","value":[3052,2852,2804,1055]},{"type":"call","value":[3052,2852,2804,399]},{"type":"call","value":[3052,2852,2804,1302]},{"type":"call","value":[3052,2852,2804,646]},{"type":"call","value":[3052,2852,2804,893]},{"type":"call","value":[3052,2852,2804,664]},{"type":"call","value":[3052,2852,2804,1796]},{"type":"call","value":[3052,2852,2804,1140]},{"type":"call","value":[3052,2852,2804,911]},{"type":"call","value":[3052,2852,2804,1814]},{"type":"call","value":[3052,2852,2804,1158]},{"type":"call","value":[3052,2852,2804,502]},{"type":"call","value":[3052,2852,2804,1832]},{"type":"call","value":[3052,2852,2804,749]},{"type":"call","value":[3052,2852,2804,1176]},{"type":"call","value":[3052,2852,2804,520]},{"type":"call","value":[3052,2852,2804,767]},{"type":"call","value":[3052,2852,2804,1670]},{"type":"call","value":[3052,2852,2804,1014]},{"type":"call","value":[3052,2852,2804,358]},{"type":"call","value":[3052,2852,2804,785]},{"type":"call","value":[3052,2852,2804,129]},{"type":"call","value":[3052,2852,2804,1688]},{"type":"call","value":[3052,2852,2804,1032]},{"type":"call","value":[3052,2852,2804,376]},{"type":"call","value":[3052,2852,2804,1279]},{"type":"call","value":[3052,2852,2804,623]},{"type":"call","value":[3052,2852,2804,1050]},{"type":"call","value":[3052,2852,2804,394]},{"type":"call","value":[3052,2852,2804,1297]},{"type":"call","value":[3052,2852,2804,641]},{"type":"call","value":[3052,2852,2804,888]},{"type":"call","value":[3052,2852,28
04,232]},{"type":"call","value":[3052,2852,2804,1791]},{"type":"call","value":[3052,2852,2804,1135]},{"type":"call","value":[3052,2852,2804,1562]},{"type":"call","value":[3052,2852,2804,479]},{"type":"call","value":[3052,2852,2804,906]},{"type":"call","value":[3052,2852,2804,250]},{"type":"call","value":[3052,2852,2804,1809]},{"type":"call","value":[3052,2852,2804,1153]},{"type":"call","value":[3052,2852,2804,497]},{"type":"call","value":[3052,2852,2804,1827]},{"type":"call","value":[3052,2852,2804,744]},{"type":"call","value":[3052,2852,2804,1171]},{"type":"call","value":[3052,2852,2804,515]},{"type":"call","value":[3052,2852,2804,762]},{"type":"call","value":[3052,2852,2804,1665]},{"type":"call","value":[3052,2852,2804,1009]},{"type":"call","value":[3052,2852,2804,353]},{"type":"call","value":[3052,2852,2804,780]},{"type":"call","value":[3052,2852,2804,1912]},{"type":"call","value":[3052,2852,2804,1256]},{"type":"call","value":[3052,2852,2804,1683]},{"type":"call","value":[3052,2852,2804,1027]},{"type":"call","value":[3052,2852,2804,371]},{"type":"call","value":[3052,2852,2804,1930]},{"type":"call","value":[3052,2852,2804,1274]},{"type":"call","value":[3052,2852,2804,618]},{"type":"call","value":[3052,2852,2804,865]},{"type":"call","value":[3052,2852,2804,1292]},{"type":"call","value":[3052,2852,2804,636]},{"type":"call","value":[3052,2852,2804,883]},{"type":"call","value":[3052,2852,2804,1786]},{"type":"call","value":[3052,2852,2804,1130]},{"type":"call","value":[3052,2852,2804,1557]},{"type":"call","value":[3052,2852,2804,474]},{"type":"call","value":[3052,2852,2804,901]},{"type":"call","value":[3052,2852,2804,1804]},{"type":"call","value":[3052,2852,2804,1148]},{"type":"call","value":[3052,2852,2804,492]},{"type":"call","value":[3052,2852,2804,739]},{"type":"call","value":[3052,2852,2804,510]},{"type":"call","value":[3052,2852,2804,1642]},{"type":"call","value":[3052,2852,2804,986]},{"type":"call","value":[3052,2852,2804,757]},{"type":"call","value":[3052,2852,
2804,1660]},{"type":"call","value":[3052,2852,2804,1004]},{"type":"call","value":[3052,2852,2804,348]},{"type":"call","value":[3052,2852,2804,1907]},{"type":"call","value":[3052,2852,2804,1251]},{"type":"call","value":[3052,2852,2804,1678]},{"type":"call","value":[3052,2852,2804,595]},{"type":"call","value":[3052,2852,2804,1022]},{"type":"call","value":[3052,2852,2804,366]},{"type":"call","value":[3052,2852,2804,1925]},{"type":"call","value":[3052,2852,2804,1269]},{"type":"call","value":[3052,2852,2804,613]},{"type":"call","value":[3052,2852,2804,860]},{"type":"call","value":[3052,2852,2804,1287]},{"type":"call","value":[3052,2852,2804,204]},{"type":"call","value":[3052,2852,2804,631]},{"type":"call","value":[3052,2852,2804,878]},{"type":"call","value":[3052,2852,2804,222]},{"type":"call","value":[3052,2852,2804,1781]},{"type":"call","value":[3052,2852,2804,1125]},{"type":"call","value":[3052,2852,2804,469]},{"type":"call","value":[3052,2852,2804,240]},{"type":"call","value":[3052,2852,2804,1799]},{"type":"call","value":[3052,2852,2804,716]},{"type":"call","value":[3052,2852,2804,1143]},{"type":"call","value":[3052,2852,2804,487]},{"type":"call","value":[3052,2852,2804,734]},{"type":"call","value":[3052,2852,2804,1637]},{"type":"call","value":[3052,2852,2804,981]},{"type":"call","value":[3052,2852,2804,325]},{"type":"call","value":[3052,2852,2804,752]},{"type":"call","value":[3052,2852,2804,1655]},{"type":"call","value":[3052,2852,2804,999]},{"type":"call","value":[3052,2852,2804,343]},{"type":"call","value":[3052,2852,2804,1902]},{"type":"call","value":[3052,2852,2804,1246]},{"type":"call","value":[3052,2852,2804,1673]},{"type":"call","value":[3052,2852,2804,590]},{"type":"call","value":[3052,2852,2804,1017]},{"type":"call","value":[3052,2852,2804,361]},{"type":"call","value":[3052,2852,2804,1920]},{"type":"call","value":[3052,2852,2804,1264]},{"type":"call","value":[3052,2852,2804,608]},{"type":"call","value":[3052,2852,2804,855]},{"type":"call","value":[3052,2852
,2804,1758]},{"type":"call","value":[3052,2852,2804,1102]},{"type":"call","value":[3052,2852,2804,446]},{"type":"call","value":[3052,2852,2804,873]},{"type":"call","value":[3052,2852,2804,1776]},{"type":"call","value":[3052,2852,2804,1120]},{"type":"call","value":[3052,2852,2804,464]},{"type":"call","value":[3052,2852,2804,1794]},{"type":"call","value":[3052,2852,2804,711]},{"type":"call","value":[3052,2852,2804,1138]},{"type":"call","value":[3052,2852,2804,482]},{"type":"call","value":[3052,2852,2804,729]},{"type":"call","value":[3052,2852,2804,1632]},{"type":"call","value":[3052,2852,2804,976]},{"type":"call","value":[3052,2852,2804,320]},{"type":"call","value":[3052,2852,2804,747]},{"type":"call","value":[3052,2852,2804,1650]},{"type":"call","value":[3052,2852,2804,994]},{"type":"call","value":[3052,2852,2804,338]},{"type":"call","value":[3052,2852,2804,1897]},{"type":"call","value":[3052,2852,2804,1241]},{"type":"call","value":[3052,2852,2804,585]},{"type":"call","value":[3052,2852,2804,1915]},{"type":"call","value":[3052,2852,2804,832]},{"type":"call","value":[3052,2852,2804,1259]},{"type":"call","value":[3052,2852,2804,603]},{"type":"call","value":[3052,2852,2804,850]},{"type":"call","value":[3052,2852,2804,194]},{"type":"call","value":[3052,2852,2804,1753]},{"type":"call","value":[3052,2852,2804,1097]},{"type":"call","value":[3052,2852,2804,441]},{"type":"call","value":[3052,2852,2804,868]},{"type":"call","value":[3052,2852,2804,212]},{"type":"call","value":[3052,2852,2804,1771]},{"type":"call","value":[3052,2852,2804,1115]},{"type":"call","value":[3052,2852,2804,459]},{"type":"call","value":[3052,2852,2804,1789]},{"type":"call","value":[3052,2852,2804,706]},{"type":"call","value":[3052,2852,2804,1133]},{"type":"call","value":[3052,2852,2804,477]},{"type":"call","value":[3052,2852,2804,724]},{"type":"call","value":[3052,2852,2804,1627]},{"type":"call","value":[3052,2852,2804,971]},{"type":"call","value":[3052,2852,2804,315]},{"type":"call","value":[3052,2852,
2804,1874]},{"type":"call","value":[3052,2852,2804,1218]},{"type":"call","value":[3052,2852,2804,1645]},{"type":"call","value":[3052,2852,2804,562]},{"type":"call","value":[3052,2852,2804,989]},{"type":"call","value":[3052,2852,2804,333]},{"type":"call","value":[3052,2852,2804,1892]},{"type":"call","value":[3052,2852,2804,1236]},{"type":"call","value":[3052,2852,2804,580]},{"type":"call","value":[3052,2852,2804,1483]},{"type":"call","value":[3052,2852,2804,1910]},{"type":"call","value":[3052,2852,2804,827]},{"type":"call","value":[3052,2852,2804,1254]},{"type":"call","value":[3052,2852,2804,598]},{"type":"call","value":[3052,2852,2804,845]},{"type":"call","value":[3052,2852,2804,1748]},{"type":"call","value":[3052,2852,2804,1092]},{"type":"call","value":[3052,2852,2804,436]},{"type":"call","value":[3052,2852,2804,863]},{"type":"call","value":[3052,2852,2804,1766]},{"type":"call","value":[3052,2852,2804,1110]},{"type":"call","value":[3052,2852,2804,454]},{"type":"call","value":[3052,2852,2804,1357]},{"type":"call","value":[3052,2852,2804,701]},{"type":"call","value":[3052,2852,2804,1604]},{"type":"call","value":[3052,2852,2804,948]},{"type":"call","value":[3052,2852,2804,292]},{"type":"call","value":[3052,2852,2804,719]},{"type":"call","value":[3052,2852,2804,1622]},{"type":"call","value":[3052,2852,2804,966]},{"type":"call","value":[3052,2852,2804,310]},{"type":"call","value":[3052,2852,2804,1869]},{"type":"call","value":[3052,2852,2804,1213]},{"type":"call","value":[3052,2852,2804,1640]},{"type":"call","value":[3052,2852,2804,984]},{"type":"call","value":[3052,2852,2804,328]},{"type":"call","value":[3052,2852,2804,1887]},{"type":"call","value":[3052,2852,2804,1231]},{"type":"call","value":[3052,2852,2804,1478]},{"type":"call","value":[3052,2852,2804,822]},{"type":"call","value":[3052,2852,2804,1249]},{"type":"call","value":[3052,2852,2804,593]},{"type":"call","value":[3052,2852,2804,1725]},{"type":"call","value":[3052,2852,2804,840]},{"type":"call","value":[3052,28
52,2804,1743]},{"type":"call","value":[3052,2852,2804,1087]},{"type":"call","value":[3052,2852,2804,431]},{"type":"call","value":[3052,2852,2804,1334]},{"type":"call","value":[3052,2852,2804,1761]},{"type":"call","value":[3052,2852,2804,678]},{"type":"call","value":[3052,2852,2804,1105]},{"type":"call","value":[3052,2852,2804,449]},{"type":"call","value":[3052,2852,2804,696]},{"type":"call","value":[3052,2852,2804,1599]},{"type":"call","value":[3052,2852,2804,943]},{"type":"call","value":[3052,2852,2804,287]},{"type":"call","value":[3052,2852,2804,714]},{"type":"call","value":[3052,2852,2804,1617]},{"type":"call","value":[3052,2852,2804,961]},{"type":"call","value":[3052,2852,2804,305]},{"type":"call","value":[3052,2852,2804,1864]},{"type":"call","value":[3052,2852,2804,1208]},{"type":"call","value":[3052,2852,2804,552]},{"type":"call","value":[3052,2852,2804,979]},{"type":"call","value":[3052,2852,2804,323]},{"type":"call","value":[3052,2852,2804,1882]},{"type":"call","value":[3052,2852,2804,1226]},{"type":"call","value":[3052,2852,2804,570]},{"type":"call","value":[3052,2852,2804,1473]},{"type":"call","value":[3052,2852,2804,817]},{"type":"call","value":[3052,2852,2804,1720]},{"type":"call","value":[3052,2852,2804,1064]},{"type":"call","value":[3052,2852,2804,408]},{"type":"call","value":[3052,2852,2804,835]},{"type":"call","value":[3052,2852,2804,1738]},{"type":"call","value":[3052,2852,2804,1082]},{"type":"call","value":[3052,2852,2804,426]},{"type":"call","value":[3052,2852,2804,1329]},{"type":"call","value":[3052,2852,2804,1756]},{"type":"call","value":[3052,2852,2804,673]},{"type":"call","value":[3052,2852,2804,1100]},{"type":"call","value":[3052,2852,2804,444]},{"type":"call","value":[3052,2852,2804,1347]},{"type":"call","value":[3052,2852,2804,691]},{"type":"call","value":[3052,2852,2804,1594]},{"type":"call","value":[3052,2852,2804,938]},{"type":"call","value":[3052,2852,2804,282]},{"type":"call","value":[3052,2852,2804,709]},{"type":"call","value":[3052,2
852,2804,1841]},{"type":"call","value":[3052,2852,2804,1185]},{"type":"call","value":[3052,2852,2804,1612]},{"type":"call","value":[3052,2852,2804,956]},{"type":"call","value":[3052,2852,2804,300]},{"type":"call","value":[3052,2852,2804,1859]},{"type":"call","value":[3052,2852,2804,1203]},{"type":"call","value":[3052,2852,2804,547]},{"type":"call","value":[3052,2852,2804,1877]},{"type":"call","value":[3052,2852,2804,794]},{"type":"call","value":[3052,2852,2804,1221]},{"type":"call","value":[3052,2852,2804,138]},{"type":"call","value":[3052,2852,2804,565]},{"type":"call","value":[3052,2852,2804,812]},{"type":"call","value":[3052,2852,2804,156]},{"type":"call","value":[3052,2852,2804,1715]},{"type":"call","value":[3052,2852,2804,1059]},{"type":"call","value":[3052,2852,2804,403]},{"type":"call","value":[3052,2852,2804,830]},{"type":"call","value":[3052,2852,2804,174]},{"type":"call","value":[3052,2852,2804,1733]},{"type":"call","value":[3052,2852,2804,1077]},{"type":"call","value":[3052,2852,2804,421]},{"type":"call","value":[3052,2852,2804,1324]},{"type":"call","value":[3052,2852,2804,668]},{"type":"call","value":[3052,2852,2804,439]},{"type":"call","value":[3052,2852,2804,1571]},{"type":"call","value":[3052,2852,2804,1342]},{"type":"call","value":[3052,2852,2804,686]},{"type":"call","value":[3052,2852,2804,1589]},{"type":"call","value":[3052,2852,2804,933]},{"type":"call","value":[3052,2852,2804,277]},{"type":"call","value":[3052,2852,2804,1836]},{"type":"call","value":[3052,2852,2804,1180]},{"type":"call","value":[3052,2852,2804,1607]},{"type":"call","value":[3052,2852,2804,524]},{"type":"call","value":[3052,2852,2804,951]},{"type":"call","value":[3052,2852,2804,295]},{"type":"call","value":[3052,2852,2804,1854]},{"type":"call","value":[3052,2852,2804,1198]},{"type":"call","value":[3052,2852,2804,542]},{"type":"call","value":[3052,2852,2804,1872]},{"type":"call","value":[3052,2852,2804,789]},{"type":"call","value":[3052,2852,2804,1216]},{"type":"call","value":[3052
,2852,2804,560]},{"type":"call","value":[3052,2852,2804,1463]},{"type":"call","value":[3052,2852,2804,807]},{"type":"call","value":[3052,2852,2804,1710]},{"type":"call","value":[3052,2852,2804,1054]},{"type":"call","value":[3052,2852,2804,398]},{"type":"call","value":[3052,2852,2804,825]},{"type":"call","value":[3052,2852,2804,1301]},{"type":"call","value":[3052,2852,2804,1728]},{"type":"call","value":[3052,2852,2804,1072]},{"type":"call","value":[3052,2852,2804,416]},{"type":"call","value":[3052,2852,2804,1319]},{"type":"call","value":[3052,2852,2804,663]},{"type":"call","value":[3052,2852,2804,910]},{"type":"call","value":[3052,2852,2804,1337]},{"type":"call","value":[3052,2852,2804,254]},{"type":"call","value":[3052,2852,2804,681]},{"type":"call","value":[3052,2852,2804,1584]},{"type":"call","value":[3052,2852,2804,928]},{"type":"call","value":[3052,2852,2804,272]},{"type":"call","value":[3052,2852,2804,1831]},{"type":"call","value":[3052,2852,2804,1175]},{"type":"call","value":[3052,2852,2804,1602]},{"type":"call","value":[3052,2852,2804,519]},{"type":"call","value":[3052,2852,2804,946]},{"type":"call","value":[3052,2852,2804,290]},{"type":"call","value":[3052,2852,2804,1849]},{"type":"call","value":[3052,2852,2804,1193]},{"type":"call","value":[3052,2852,2804,537]},{"type":"call","value":[3052,2852,2804,784]},{"type":"call","value":[3052,2852,2804,555]},{"type":"call","value":[3052,2852,2804,1687]},{"type":"call","value":[3052,2852,2804,1031]},{"type":"call","value":[3052,2852,2804,802]},{"type":"call","value":[3052,2852,2804,1705]},{"type":"call","value":[3052,2852,2804,1049]},{"type":"call","value":[3052,2852,2804,393]},{"type":"call","value":[3052,2852,2804,1296]},{"type":"call","value":[3052,2852,2804,1723]},{"type":"call","value":[3052,2852,2804,640]},{"type":"call","value":[3052,2852,2804,1067]},{"type":"call","value":[3052,2852,2804,411]},{"type":"call","value":[3052,2852,2804,1314]},{"type":"call","value":[3052,2852,2804,658]},{"type":"call","value":[30
52,2852,2804,1561]},{"type":"call","value":[3052,2852,2804,905]},{"type":"call","value":[3052,2852,2804,1332]},{"type":"call","value":[3052,2852,2804,676]},{"type":"call","value":[3052,2852,2804,1579]},{"type":"call","value":[3052,2852,2804,923]},{"type":"call","value":[3052,2852,2804,1826]},{"type":"call","value":[3052,2852,2804,1170]},{"type":"call","value":[3052,2852,2804,514]},{"type":"call","value":[3052,2852,2804,285]},{"type":"call","value":[3052,2852,2804,1844]},{"type":"call","value":[3052,2852,2804,761]},{"type":"call","value":[3052,2852,2804,1188]},{"type":"call","value":[3052,2852,2804,532]},{"type":"call","value":[3052,2852,2804,779]},{"type":"call","value":[3052,2852,2804,1682]},{"type":"call","value":[3052,2852,2804,1026]},{"type":"call","value":[3052,2852,2804,370]},{"type":"call","value":[3052,2852,2804,797]},{"type":"call","value":[3052,2852,2804,1700]},{"type":"call","value":[3052,2852,2804,1044]},{"type":"call","value":[3052,2852,2804,388]},{"type":"call","value":[3052,2852,2804,1291]},{"type":"call","value":[3052,2852,2804,1718]},{"type":"call","value":[3052,2852,2804,635]},{"type":"call","value":[3052,2852,2804,1062]},{"type":"call","value":[3052,2852,2804,406]},{"type":"call","value":[3052,2852,2804,1309]},{"type":"call","value":[3052,2852,2804,653]},{"type":"call","value":[3052,2852,2804,1556]},{"type":"call","value":[3052,2852,2804,900]},{"type":"call","value":[3052,2852,2804,244]},{"type":"call","value":[3052,2852,2804,1803]},{"type":"call","value":[3052,2852,2804,1147]},{"type":"call","value":[3052,2852,2804,1574]},{"type":"call","value":[3052,2852,2804,491]},{"type":"call","value":[3052,2852,2804,918]},{"type":"call","value":[3052,2852,2804,262]},{"type":"call","value":[3052,2852,2804,1821]},{"type":"call","value":[3052,2852,2804,1165]},{"type":"call","value":[3052,2852,2804,509]},{"type":"call","value":[3052,2852,2804,1839]},{"type":"call","value":[3052,2852,2804,756]},{"type":"call","value":[3052,2852,2804,1183]},{"type":"call","value":
[3052,2852,2804,527]},{"type":"call","value":[3052,2852,2804,774]},{"type":"call","value":[3052,2852,2804,1677]},{"type":"call","value":[3052,2852,2804,1021]},{"type":"call","value":[3052,2852,2804,365]},{"type":"call","value":[3052,2852,2804,792]},{"type":"call","value":[3052,2852,2804,1695]},{"type":"call","value":[3052,2852,2804,1039]},{"type":"call","value":[3052,2852,2804,383]},{"type":"call","value":[3052,2852,2804,1286]},{"type":"call","value":[3052,2852,2804,630]},{"type":"call","value":[3052,2852,2804,877]},{"type":"call","value":[3052,2852,2804,648]},{"type":"call","value":[3052,2852,2804,895]},{"type":"call","value":[3052,2852,2804,1798]},{"type":"call","value":[3052,2852,2804,1142]},{"type":"call","value":[3052,2852,2804,1569]},{"type":"call","value":[3052,2852,2804,486]},{"type":"call","value":[3052,2852,2804,913]},{"type":"call","value":[3052,2852,2804,1816]},{"type":"call","value":[3052,2852,2804,1160]},{"type":"call","value":[3052,2852,2804,504]},{"type":"call","value":[3052,2852,2804,1834]},{"type":"call","value":[3052,2852,2804,751]},{"type":"call","value":[3052,2852,2804,1178]},{"type":"call","value":[3052,2852,2804,522]},{"type":"call","value":[3052,2852,2804,769]},{"type":"call","value":[3052,2852,2804,1672]},{"type":"call","value":[3052,2852,2804,1016]},{"type":"call","value":[3052,2852,2804,360]},{"type":"call","value":[3052,2852,2804,1919]},{"type":"call","value":[3052,2852,2804,1263]},{"type":"call","value":[3052,2852,2804,1690]},{"type":"call","value":[3052,2852,2804,607]},{"type":"call","value":[3052,2852,2804,1034]},{"type":"call","value":[3052,2852,2804,378]},{"type":"call","value":[3052,2852,2804,1281]},{"type":"call","value":[3052,2852,2804,625]},{"type":"call","value":[3052,2852,2804,872]},{"type":"call","value":[3052,2852,2804,1299]},{"type":"call","value":[3052,2852,2804,216]},{"type":"call","value":[3052,2852,2804,643]},{"type":"call","value":[3052,2852,2804,890]},{"type":"call","value":[3052,2852,2804,234]},{"type":"call","value":
[3052,2852,2804,1793]},{"type":"call","value":[3052,2852,2804,1137]},{"type":"call","value":[3052,2852,2804,1564]},{"type":"call","value":[3052,2852,2804,481]},{"type":"call","value":[3052,2852,2804,908]},{"type":"call","value":[3052,2852,2804,252]},{"type":"call","value":[3052,2852,2804,1811]},{"type":"call","value":[3052,2852,2804,1155]},{"type":"call","value":[3052,2852,2804,499]},{"type":"call","value":[3052,2852,2804,746]},{"type":"call","value":[3052,2852,2804,1649]},{"type":"call","value":[3052,2852,2804,993]},{"type":"call","value":[3052,2852,2804,337]},{"type":"call","value":[3052,2852,2804,764]},{"type":"call","value":[3052,2852,2804,1667]},{"type":"call","value":[3052,2852,2804,1011]},{"type":"call","value":[3052,2852,2804,355]},{"type":"call","value":[3052,2852,2804,1914]},{"type":"call","value":[3052,2852,2804,1258]},{"type":"call","value":[3052,2852,2804,1685]},{"type":"call","value":[3052,2852,2804,602]},{"type":"call","value":[3052,2852,2804,1029]},{"type":"call","value":[3052,2852,2804,373]},{"type":"call","value":[3052,2852,2804,1932]},{"type":"call","value":[3052,2852,2804,1276]},{"type":"call","value":[3052,2852,2804,620]},{"type":"call","value":[3052,2852,2804,867]},{"type":"call","value":[3052,2852,2804,1294]},{"type":"call","value":[3052,2852,2804,638]},{"type":"call","value":[3052,2852,2804,1770]},{"type":"call","value":[3052,2852,2804,885]},{"type":"call","value":[3052,2852,2804,1788]},{"type":"call","value":[3052,2852,2804,1132]},{"type":"call","value":[3052,2852,2804,476]},{"type":"call","value":[3052,2852,2804,1806]},{"type":"call","value":[3052,2852,2804,723]},{"type":"call","value":[3052,2852,2804,1150]},{"type":"call","value":[3052,2852,2804,494]},{"type":"call","value":[3052,2852,2804,741]},{"type":"call","value":[3052,2852,2804,1644]},{"type":"call","value":[3052,2852,2804,988]},{"type":"call","value":[3052,2852,2804,332]},{"type":"call","value":[3052,2852,2804,759]},{"type":"call","value":[3052,2852,2804,1662]},{"type":"call","value
":[3052,2852,2804,1006]},{"type":"call","value":[3052,2852,2804,350]},{"type":"call","value":[3052,2852,2804,1909]},{"type":"call","value":[3052,2852,2804,1253]},{"type":"call","value":[3052,2852,2804,597]},{"type":"call","value":[3052,2852,2804,1024]},{"type":"call","value":[3052,2852,2804,368]},{"type":"call","value":[3052,2852,2804,1927]},{"type":"call","value":[3052,2852,2804,1271]},{"type":"call","value":[3052,2852,2804,615]},{"type":"call","value":[3052,2852,2804,862]},{"type":"call","value":[3052,2852,2804,206]},{"type":"call","value":[3052,2852,2804,1765]},{"type":"call","value":[3052,2852,2804,1109]},{"type":"call","value":[3052,2852,2804,453]},{"type":"call","value":[3052,2852,2804,880]},{"type":"call","value":[3052,2852,2804,224]},{"type":"call","value":[3052,2852,2804,1783]},{"type":"call","value":[3052,2852,2804,1127]},{"type":"call","value":[3052,2852,2804,471]},{"type":"call","value":[3052,2852,2804,1801]},{"type":"call","value":[3052,2852,2804,718]},{"type":"call","value":[3052,2852,2804,1145]},{"type":"call","value":[3052,2852,2804,489]},{"type":"call","value":[3052,2852,2804,736]},{"type":"call","value":[3052,2852,2804,1639]},{"type":"call","value":[3052,2852,2804,983]},{"type":"call","value":[3052,2852,2804,327]},{"type":"call","value":[3052,2852,2804,754]},{"type":"call","value":[3052,2852,2804,1886]},{"type":"call","value":[3052,2852,2804,1657]},{"type":"call","value":[3052,2852,2804,1001]},{"type":"call","value":[3052,2852,2804,345]},{"type":"call","value":[3052,2852,2804,1904]},{"type":"call","value":[3052,2852,2804,1248]},{"type":"call","value":[3052,2852,2804,592]},{"type":"call","value":[3052,2852,2804,1922]},{"type":"call","value":[3052,2852,2804,839]},{"type":"call","value":[3052,2852,2804,1266]},{"type":"call","value":[3052,2852,2804,183]},{"type":"call","value":[3052,2852,2804,610]},{"type":"call","value":[3052,2852,2804,857]},{"type":"call","value":[3052,2852,2804,1760]},{"type":"call","value":[3052,2852,2804,1104]},{"type":"call","val
ue":[3052,2852,2804,448]},{"type":"call","value":[3052,2852,2804,875]},{"type":"call","value":[3052,2852,2804,1778]},{"type":"call","value":[3052,2852,2804,1122]},{"type":"call","value":[3052,2852,2804,466]},{"type":"call","value":[3052,2852,2804,713]},{"type":"call","value":[3052,2852,2804,484]},{"type":"call","value":[3052,2852,2804,1616]},{"type":"call","value":[3052,2852,2804,731]},{"type":"call","value":[3052,2852,2804,1634]},{"type":"call","value":[3052,2852,2804,978]},{"type":"call","value":[3052,2852,2804,322]},{"type":"call","value":[3052,2852,2804,1881]},{"type":"call","value":[3052,2852,2804,1225]},{"type":"call","value":[3052,2852,2804,1652]},{"type":"call","value":[3052,2852,2804,569]},{"type":"call","value":[3052,2852,2804,996]},{"type":"call","value":[3052,2852,2804,340]},{"type":"call","value":[3052,2852,2804,1899]},{"type":"call","value":[3052,2852,2804,1243]},{"type":"call","value":[3052,2852,2804,587]},{"type":"call","value":[3052,2852,2804,1917]},{"type":"call","value":[3052,2852,2804,834]},{"type":"call","value":[3052,2852,2804,1261]},{"type":"call","value":[3052,2852,2804,605]},{"type":"call","value":[3052,2852,2804,852]},{"type":"call","value":[3052,2852,2804,196]},{"type":"call","value":[3052,2852,2804,1755]},{"type":"call","value":[3052,2852,2804,1099]},{"type":"call","value":[3052,2852,2804,443]},{"type":"call","value":[3052,2852,2804,870]},{"type":"call","value":[3052,2852,2804,214]},{"type":"call","value":[3052,2852,2804,1346]},{"type":"call","value":[3052,2852,2804,1773]},{"type":"call","value":[3052,2852,2804,1117]},{"type":"call","value":[3052,2852,2804,461]},{"type":"call","value":[3052,2852,2804,708]},{"type":"call","value":[3052,2852,2804,1611]},{"type":"call","value":[3052,2852,2804,955]},{"type":"call","value":[3052,2852,2804,299]},{"type":"call","value":[3052,2852,2804,726]},{"type":"call","value":[3052,2852,2804,1629]},{"type":"call","value":[3052,2852,2804,973]},{"type":"call","value":[3052,2852,2804,317]},{"type":"call","value
":[3052,2852,2804,1876]},{"type":"call","value":[3052,2852,2804,1220]},{"type":"call","value":[3052,2852,2804,1647]},{"type":"call","value":[3052,2852,2804,564]},{"type":"call","value":[3052,2852,2804,991]},{"type":"call","value":[3052,2852,2804,335]},{"type":"call","value":[3052,2852,2804,1894]},{"type":"call","value":[3052,2852,2804,1238]},{"type":"call","value":[3052,2852,2804,582]},{"type":"call","value":[3052,2852,2804,829]},{"type":"call","value":[3052,2852,2804,600]},{"type":"call","value":[3052,2852,2804,1732]},{"type":"call","value":[3052,2852,2804,1076]},{"type":"call","value":[3052,2852,2804,847]},{"type":"call","value":[3052,2852,2804,1750]},{"type":"call","value":[3052,2852,2804,1094]},{"type":"call","value":[3052,2852,2804,438]},{"type":"call","value":[3052,2852,2804,1341]},{"type":"call","value":[3052,2852,2804,1768]},{"type":"call","value":[3052,2852,2804,685]},{"type":"call","value":[3052,2852,2804,1112]},{"type":"call","value":[3052,2852,2804,456]},{"type":"call","value":[3052,2852,2804,703]},{"type":"call","value":[3052,2852,2804,1606]},{"type":"call","value":[3052,2852,2804,950]},{"type":"call","value":[3052,2852,2804,294]},{"type":"call","value":[3052,2852,2804,721]},{"type":"call","value":[3052,2852,2804,1624]},{"type":"call","value":[3052,2852,2804,968]},{"type":"call","value":[3052,2852,2804,312]},{"type":"call","value":[3052,2852,2804,1871]},{"type":"call","value":[3052,2852,2804,1215]},{"type":"call","value":[3052,2852,2804,559]},{"type":"call","value":[3052,2852,2804,330]},{"type":"call","value":[3052,2852,2804,1889]},{"type":"call","value":[3052,2852,2804,806]},{"type":"call","value":[3052,2852,2804,1233]},{"type":"call","value":[3052,2852,2804,577]},{"type":"call","value":[3052,2852,2804,1480]},{"type":"call","value":[3052,2852,2804,824]},{"type":"call","value":[3052,2852,2804,1727]},{"type":"call","value":[3052,2852,2804,1071]},{"type":"call","value":[3052,2852,2804,415]},{"type":"call","value":[3052,2852,2804,842]},{"type":"call","valu
e":[3052,2852,2804,186]},{"type":"call","value":[3052,2852,2804,1745]},{"type":"call","value":[3052,2852,2804,1089]},{"type":"call","value":[3052,2852,2804,433]},{"type":"call","value":[3052,2852,2804,1336]},{"type":"call","value":[3052,2852,2804,1763]},{"type":"call","value":[3052,2852,2804,680]},{"type":"call","value":[3052,2852,2804,1107]},{"type":"call","value":[3052,2852,2804,451]},{"type":"call","value":[3052,2852,2804,698]},{"type":"call","value":[3052,2852,2804,1601]},{"type":"call","value":[3052,2852,2804,945]},{"type":"call","value":[3052,2852,2804,289]},{"type":"call","value":[3052,2852,2804,1848]},{"type":"call","value":[3052,2852,2804,1192]},{"type":"call","value":[3052,2852,2804,1619]},{"type":"call","value":[3052,2852,2804,536]},{"type":"call","value":[3052,2852,2804,963]},{"type":"call","value":[3052,2852,2804,307]},{"type":"call","value":[3052,2852,2804,1866]},{"type":"call","value":[3052,2852,2804,1210]},{"type":"call","value":[3052,2852,2804,554]},{"type":"call","value":[3052,2852,2804,1457]},{"type":"call","value":[3052,2852,2804,1884]},{"type":"call","value":[3052,2852,2804,801]},{"type":"call","value":[3052,2852,2804,1228]},{"type":"call","value":[3052,2852,2804,1475]},{"type":"call","value":[3052,2852,2804,819]},{"type":"call","value":[3052,2852,2804,1722]},{"type":"call","value":[3052,2852,2804,1066]},{"type":"call","value":[3052,2852,2804,410]},{"type":"call","value":[3052,2852,2804,837]},{"type":"call","value":[3052,2852,2804,1740]},{"type":"call","value":[3052,2852,2804,1084]},{"type":"call","value":[3052,2852,2804,428]},{"type":"call","value":[3052,2852,2804,1331]},{"type":"call","value":[3052,2852,2804,675]},{"type":"call","value":[3052,2852,2804,1578]},{"type":"call","value":[3052,2852,2804,922]},{"type":"call","value":[3052,2852,2804,1349]},{"type":"call","value":[3052,2852,2804,266]},{"type":"call","value":[3052,2852,2804,693]},{"type":"call","value":[3052,2852,2804,1596]},{"type":"call","value":[3052,2852,2804,940]},{"type":"call","v
alue":[3052,2852,2804,284]},{"type":"call","value":[3052,2852,2804,1843]},{"type":"call","value":[3052,2852,2804,1187]},{"type":"call","value":[3052,2852,2804,1614]},{"type":"call","value":[3052,2852,2804,531]},{"type":"call","value":[3052,2852,2804,958]},{"type":"call","value":[3052,2852,2804,302]},{"type":"call","value":[3052,2852,2804,1861]},{"type":"call","value":[3052,2852,2804,1205]},{"type":"call","value":[3052,2852,2804,549]},{"type":"call","value":[3052,2852,2804,1879]},{"type":"call","value":[3052,2852,2804,796]},{"type":"call","value":[3052,2852,2804,1223]},{"type":"call","value":[3052,2852,2804,567]},{"type":"call","value":[3052,2852,2804,814]},{"type":"call","value":[3052,2852,2804,1717]},{"type":"call","value":[3052,2852,2804,1061]},{"type":"call","value":[3052,2852,2804,405]},{"type":"call","value":[3052,2852,2804,1308]},{"type":"call","value":[3052,2852,2804,1735]},{"type":"call","value":[3052,2852,2804,652]},{"type":"call","value":[3052,2852,2804,1079]},{"type":"call","value":[3052,2852,2804,423]},{"type":"call","value":[3052,2852,2804,1326]},{"type":"call","value":[3052,2852,2804,670]},{"type":"call","value":[3052,2852,2804,1573]},{"type":"call","value":[3052,2852,2804,917]},{"type":"call","value":[3052,2852,2804,1344]},{"type":"call","value":[3052,2852,2804,688]},{"type":"call","value":[3052,2852,2804,1591]},{"type":"call","value":[3052,2852,2804,935]},{"type":"call","value":[3052,2852,2804,279]},{"type":"call","value":[3052,2852,2804,1838]},{"type":"call","value":[3052,2852,2804,1182]},{"type":"call","value":[3052,2852,2804,1609]},{"type":"call","value":[3052,2852,2804,526]},{"type":"call","value":[3052,2852,2804,953]},{"type":"call","value":[3052,2852,2804,297]},{"type":"call","value":[3052,2852,2804,1856]},{"type":"call","value":[3052,2852,2804,1200]},{"type":"call","value":[3052,2852,2804,544]},{"type":"call","value":[3052,2852,2804,791]},{"type":"call","value":[3052,2852,2804,1694]},{"type":"call","value":[3052,2852,2804,1038]},{"type":"call"
,"value":[3052,2852,2804,1465]},{"type":"call","value":[3052,2852,2804,382]},{"type":"call","value":[3052,2852,2804,809]},{"type":"call","value":[3052,2852,2804,1712]},{"type":"call","value":[3052,2852,2804,1056]},{"type":"call","value":[3052,2852,2804,400]},{"type":"call","value":[3052,2852,2804,1303]},{"type":"call","value":[3052,2852,2804,1730]},{"type":"call","value":[3052,2852,2804,647]},{"type":"call","value":[3052,2852,2804,1074]},{"type":"call","value":[3052,2852,2804,418]},{"type":"call","value":[3052,2852,2804,1321]},{"type":"call","value":[3052,2852,2804,665]},{"type":"call","value":[3052,2852,2804,1568]},{"type":"call","value":[3052,2852,2804,912]},{"type":"call","value":[3052,2852,2804,1339]},{"type":"call","value":[3052,2852,2804,256]},{"type":"call","value":[3052,2852,2804,683]},{"type":"call","value":[3052,2852,2804,1815]},{"type":"call","value":[3052,2852,2804,1586]},{"type":"call","value":[3052,2852,2804,930]},{"type":"call","value":[3052,2852,2804,274]},{"type":"call","value":[3052,2852,2804,1833]},{"type":"call","value":[3052,2852,2804,1177]},{"type":"call","value":[3052,2852,2804,521]},{"type":"call","value":[3052,2852,2804,1851]},{"type":"call","value":[3052,2852,2804,768]},{"type":"call","value":[3052,2852,2804,1195]},{"type":"call","value":[3052,2852,2804,539]},{"type":"call","value":[3052,2852,2804,786]},{"type":"call","value":[3052,2852,2804,1689]},{"type":"call","value":[3052,2852,2804,1033]},{"type":"call","value":[3052,2852,2804,377]},{"type":"call","value":[3052,2852,2804,804]},{"type":"call","value":[3052,2852,2804,1707]},{"type":"call","value":[3052,2852,2804,1051]},{"type":"call","value":[3052,2852,2804,1298]},{"type":"call","value":[3052,2852,2804,642]},{"type":"call","value":[3052,2852,2804,1069]},{"type":"call","value":[3052,2852,2804,413]},{"type":"call","value":[3052,2852,2804,1316]},{"type":"call","value":[3052,2852,2804,660]},{"type":"call","value":[3052,2852,2804,1563]},{"type":"call","value":[3052,2852,2804,907]},{"type":"ca
ll","value":[3052,2852,2804,1810]},{"type":"call","value":[3052,2852,2804,1154]},{"type":"call","value":[3052,2852,2804,1581]},{"type":"call","value":[3052,2852,2804,498]},{"type":"call","value":[3052,2852,2804,925]},{"type":"call","value":[3052,2852,2804,1828]},{"type":"call","value":[3052,2852,2804,1172]},{"type":"call","value":[3052,2852,2804,516]},{"type":"call","value":[3052,2852,2804,1846]},{"type":"call","value":[3052,2852,2804,1190]},{"type":"call","value":[3052,2852,2804,534]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":
[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2596]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2596,218]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","f
eature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1156]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,780]},{"type":"call","value":[1180,1852,1156,803]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.Fil
e::GetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1476]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false
,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryDirectoryFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1476,1664]},{"type":"call","value":[1180,1852,1476,1675]},{"type":"call","value":[1180,1852,1476,1607]},{"type":"call","value":[1180,1852,1476,1686]},{"type":"call","value":[1180,1852,1476,1642]},{"type":"call","value":[1180,1852,1476,1619]},{"type":"call","value":[1180,1852,1476,1653]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::GetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature"
:{"type":"property","access":"read","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"stat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"lstat"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fstatat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"open thread":{"meta":{"name":"open thread","authors":["0x534a@mailbox.org"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Process","Open Thread"],"objective":"Process","behavior":"Open Thread","method":"","id":"C0066"}],"references":[],"examples":["787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: open thread\n authors:\n - 0x534a@mailbox.org\n lib: 'true'\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Process::Open Thread [C0066]\n examples:\n - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C\n features:\n - or:\n - api: kernel32.OpenThread\n - api: NtOpenThread\n - api: 
ZwOpenThread\n","matches":[[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,4]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,2836]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2836,1071]},{"type":"call","value":[1180,1852,2836,1077]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[792,1224,2540]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[792,1224,2540,1540]},{"type":"call","value":[792,1224,2540,1585]},{"type":"call","value":[792,1224,2540,1559]},{"type":"call","value":[792,1224,2540,1565]},{"type":"call","value":[792,1224,2540,1562]},{"type":"call","value":[792,1224,2540,1613]},{"type":"call","value":[792,1224,2540,1552]},{"type":"call","val
ue":[792,1224,2540,1597]},{"type":"call","value":[792,1224,2540,1601]},{"type":"call","value":[792,1224,2540,1609]},{"type":"call","value":[792,1224,2540,1548]},{"type":"call","value":[792,1224,2540,1593]},{"type":"call","value":[792,1224,2540,1544]},{"type":"call","value":[792,1224,2540,1589]},{"type":"call","value":[792,1224,2540,1605]},{"type":"call","value":[792,1224,2540,1556]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1200,1248,2544]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,1611]},{"type":"call","value":[1200,1248,2544,1736]},{"type":"call","value":[1200,1248,2544,1559]},{"type":"call","value":[1200,1248,2544,1571]},{"type":"call","value":[1200,1248,2544,1623]},{"type":"call","value":[1200,1248,2544,1684]},{"type":"call","value":[1200,1248,2544,1748]},{"type":"call","value":[1200,1248,2544,1583]},{"type":"call","value":[1200,1248,2544,1696]},{"type":"call","value":[1200,1248,2544,1760]},{"type":"call","value":[1200,1248,2544,1595]},{"type":"call","value":[1200,1248,2544,1708]},{"type":"call","value":[1200,1248,2544,1772]},{"type":"call","value":[1200,1248,2544,1543]},{"type":"call","value":[1200,1248,2544,1607]},{"type":"call","value":[1200,1248,2544,1720]},{"type":"call","value":[1200,1248,2544,1732]},{"type":"call","value":[1200,1248,2544,1555]},{"type":"call","value":[1200,1248,2544,1680]},{"type":"call","value":[1200,1248,2544,1619]},{"type":"call","value":[1200,1248,2544,1744]},{"type":"call","value":[1200,1248,2544,1567]},{"type":"call","value":[1200,1248,2544,1
692]},{"type":"call","value":[1200,1248,2544,1756]},{"type":"call","value":[1200,1248,2544,1579]},{"type":"call","value":[1200,1248,2544,1704]},{"type":"call","value":[1200,1248,2544,1768]},{"type":"call","value":[1200,1248,2544,1591]},{"type":"call","value":[1200,1248,2544,1716]},{"type":"call","value":[1200,1248,2544,1603]},{"type":"call","value":[1200,1248,2544,1728]},{"type":"call","value":[1200,1248,2544,1551]},{"type":"call","value":[1200,1248,2544,1676]},{"type":"call","value":[1200,1248,2544,1615]},{"type":"call","value":[1200,1248,2544,1740]},{"type":"call","value":[1200,1248,2544,1563]},{"type":"call","value":[1200,1248,2544,1688]},{"type":"call","value":[1200,1248,2544,1627]},{"type":"call","value":[1200,1248,2544,1633]},{"type":"call","value":[1200,1248,2544,1752]},{"type":"call","value":[1200,1248,2544,1630]},{"type":"call","value":[1200,1248,2544,1636]},{"type":"call","value":[1200,1248,2544,1575]},{"type":"call","value":[1200,1248,2544,1700]},{"type":"call","value":[1200,1248,2544,1764]},{"type":"call","value":[1200,1248,2544,1587]},{"type":"call","value":[1200,1248,2544,1712]},{"type":"call","value":[1200,1248,2544,1599]},{"type":"call","value":[1200,1248,2544,1724]},{"type":"call","value":[1200,1248,2544,1547]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1248,1680,3044]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[1248,1680,3044,1058]},{"type":"call","value":[1248,1680,3044,1042]},{"type":"call","value":[1248,1680,3044,1106]},{"type":"call","value":[1248,1680,3044,1102]},{"type
":"call","value":[1248,1680,3044,1086]},{"type":"call","value":[1248,1680,3044,1054]},{"type":"call","value":[1248,1680,3044,1050]},{"type":"call","value":[1248,1680,3044,1098]},{"type":"call","value":[1248,1680,3044,1066]},{"type":"call","value":[1248,1680,3044,1062]},{"type":"call","value":[1248,1680,3044,1046]},{"type":"call","value":[1248,1680,3044,1110]},{"type":"call","value":[1248,1680,3044,1094]},{"type":"call","value":[1248,1680,3044,1090]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2724,2016]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[1852,2724,2016,905]},{"type":"call","value":[1852,2724,2016,873]},{"type":"call","value":[1852,2724,2016,857]},{"type":"call","value":[1852,2724,2016,853]},{"type":"call","value":[1852,2724,2016,921]},{"type":"call","value":[1852,2724,2016,917]},{"type":"call","value":[1852,2724,2016,901]},{"type":"call","value":[1852,2724,2016,869]},{"type":"call","value":[1852,2724,2016,865]},{"type":"call","value":[1852,2724,2016,913]},{"type":"call","value":[1852,2724,2016,897]},{"type":"call","value":[1852,2724,2016,877]},{"type":"call","value":[1852,2724,2016,861]},{"type":"call","value":[1852,2724,2016,909]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1852,2800,3044]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feat
ure":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[1852,2800,3044,1138]},{"type":"call","value":[1852,2800,3044,1186]},{"type":"call","value":[1852,2800,3044,1170]},{"type":"call","value":[1852,2800,3044,1150]},{"type":"call","value":[1852,2800,3044,1134]},{"type":"call","value":[1852,2800,3044,1182]},{"type":"call","value":[1852,2800,3044,1194]},{"type":"call","value":[1852,2800,3044,1178]},{"type":"call","value":[1852,2800,3044,1146]},{"type":"call","value":[1852,2800,3044,1130]},{"type":"call","value":[1852,2800,3044,1126]},{"type":"call","value":[1852,2800,3044,1190]},{"type":"call","value":[1852,2800,3044,1174]},{"type":"call","value":[1852,2800,3044,1142]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1572,2932]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2932,836]},{"type":"call","value":[2820,1572,2932,820]},{"type":"call","value":[2820,1572,2932,804]},{"type":"call","value":[2820,1572,2932,772]},{"type":"call","value":[2820,1572,2932,784]},{"type":"call","value":[2820,1572,2932,768]},{"type":"call","value":[2820,1572,2932,752]},{"type":"call","value":[2820,1572,2932,832]},{"type":"call","value":[2820,1572,2932,816]},{"type":"call","value":[2820,1572,2932,780]},{"type":"call","value":[2820,1572,2932,764]},{"type":"call","value":[2820,1572,2932,828]},{"type":"call","value":[2820,1572,2932,812]},{
"type":"call","value":[2820,1572,2932,824]},{"type":"call","value":[2820,1572,2932,808]},{"type":"call","value":[2820,1572,2932,776]},{"type":"call","value":[2820,1572,2932,760]},{"type":"call","value":[2820,1572,2932,756]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[2820,1912,1216]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.OpenThread"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenThread"}},"children":[],"locations":[{"type":"call","value":[2820,1912,1216,1751]},{"type":"call","value":[2820,1912,1216,1781]},{"type":"call","value":[2820,1912,1216,1809]},{"type":"call","value":[2820,1912,1216,1748]},{"type":"call","value":[2820,1912,1216,1754]},{"type":"call","value":[2820,1912,1216,1793]},{"type":"call","value":[2820,1912,1216,1744]},{"type":"call","value":[2820,1912,1216,1728]},{"type":"call","value":[2820,1912,1216,1757]},{"type":"call","value":[2820,1912,1216,1789]},{"type":"call","value":[2820,1912,1216,1805]},{"type":"call","value":[2820,1912,1216,1801]},{"type":"call","value":[2820,1912,1216,1740]},{"type":"call","value":[2820,1912,1216,1785]},{"type":"call","value":[2820,1912,1216,1777]},{"type":"call","value":[2820,1912,1216,1797]},{"type":"call","value":[2820,1912,1216,1736]},{"type":"call","value":[2820,1912,1216,1732]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenThread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"set file attributes":{"meta":{"name":"set file 
attributes","namespace":"host-interaction/file-system/meta","authors":["moritz.raabe@mandiant.com","michael.hunhoff@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[{"parts":["Defense Evasion","File and Directory Permissions Modification"],"tactic":"Defense Evasion","technique":"File and Directory Permissions Modification","subtechnique":"","id":"T1222"}],"mbc":[{"parts":["File System","Set File Attributes"],"objective":"File System","behavior":"Set File Attributes","method":"","id":"C0050"}],"references":[],"examples":["946A99F36A46D335DEC080D9A4371940:0x100015f0","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: set file attributes\n namespace: host-interaction/file-system/meta\n authors:\n - moritz.raabe@mandiant.com\n - michael.hunhoff@mandiant.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: basic block\n dynamic: thread\n att&ck:\n - Defense Evasion::File and Directory Permissions Modification [T1222]\n mbc:\n - File System::Set File Attributes [C0050]\n examples:\n - 946A99F36A46D335DEC080D9A4371940:0x100015f0\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6\n features:\n - or:\n - api: kernel32.SetFileAttributes\n - api: ZwSetInformationFile\n - api: NtSetInformationFile\n - api: System.IO.File::SetAttributes\n - api: System.IO.File::SetCreationTime\n - api: System.IO.File::SetCreationTimeUtc\n - api: System.IO.File::SetLastAccessTime\n - api: System.IO.File::SetLastAccessTimeUtc\n - api: System.IO.File::SetLastWriteTime\n - api: System.IO.File::SetLastWriteTimeUtc\n - property/write: System.IO.FileSystemInfo::Attributes\n - api: utime\n - api: 
utimes\n","matches":[[{"type":"thread","value":[3052,2852,2804]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtSetInformationFile"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,576]},{"type":"call","value":[3052,2852,2804,395]},{"type":"call","value":[3052,2852,2804,1304]},{"type":"call","value":[3052,2852,2804,1462]},{"type":"call","value":[3052,2852,2804,1458]},{"type":"call","value":[3052,2852,2804,1471]},{"type":"call","value":[3052,2852,2804,1230]},{"type":"call","value":[3052,2852,2804,291]},{"type":"call","value":[3052,2852,2804,1455]},{"type":"call","value":[3052,2852,2804,1351]},{"type":"call","value":[3052,2852,2804,120]},{"type":"call","value":[3052,2852,2804,1460]},{"type":"call","value":[3052,2852,2804,557]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api"
,"api":"System.IO.File::SetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"write","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utimes"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1156]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtSetInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,2896]},{"type":"call","value":[1180,1852,1156,2674]},{"type":"call","value":[1180,1852,1156,2725]},{"type":"call","value":[1180,1852,1156,2613]},{"type":"call","value":[1180,1852,1156,2901]},{"type":"call","value":[1180,1852,1156,2885]},{"type":"call","value":[1180,1852,1156,2640]},{"type":"call","value":[1180,1852,1156,2730]},{"type":"call","value":[1180,1852,1156,2877]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"
node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"write","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utimes"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1476]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetInformationFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtSetInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1476,1643]},{"type":"call","value":[1180,1852,1476,1654]},{"type":"call","value":[1180,1852,1476,1620]},{"type":"call","value":[1180,1852,1476,1665]},{"type":"call","value":[1180,1852,1476,1676]},{"type"
:"call","value":[1180,1852,1476,1687]},{"type":"call","value":[1180,1852,1476,1608]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"write","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utimes"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"thread","value":[1180,1852,1020]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.SetFileAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetIn
formationFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtSetInformationFile"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1020,2666]},{"type":"call","value":[1180,1852,1020,2667]},{"type":"call","value":[1180,1852,1020,2668]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetAttributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetCreationTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastAccessTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::SetLastWriteTimeUtc"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"write","property":"System.IO.FileSystemInfo::Attributes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utime"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"utimes"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create raw socket":{"meta":{"name":"create raw 
socket","namespace":"communication/socket","authors":["blas.kojusner@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Communication","Socket Communication","Create Socket"],"objective":"Communication","behavior":"Socket Communication","method":"Create Socket","id":"C0001.003"}],"references":["https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2","https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket","https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketa"],"examples":["10EBCF8C20403457A08762200015B151:0x140001000"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"# generated using capa explorer for IDA Pro\nrule:\n meta:\n name: create raw socket\n namespace: communication/socket\n authors:\n - blas.kojusner@mandiant.com\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Communication::Socket Communication::Create Socket [C0001.003]\n references:\n - https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2\n - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket\n - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketa\n examples:\n - 10EBCF8C20403457A08762200015B151:0x140001000\n features:\n - and:\n - or:\n - api: socket\n - api: ws2_32.WSASocketA\n - or:\n - number: 2 = AF_INET\n - number: 23 = AF_INET6\n - number: 3 = 
SOCK_RAW\n","matches":[[{"type":"thread","value":[1180,1852,2828]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":3,"description":"SOCK_RAW"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,1049]},{"type":"call","value":[1180,1852,2828,2365]},{"type":"call","value":[1180,1852,2828,1053]},{"type":"call","value":[1180,1852,2828,2369]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"socket"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.WSASocketA"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2,"description":"AF_INET"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,1050]},{"type":"call","value":[1180,1852,2828,2366]},{"type":"call","value":[1180,1852,2828,4241]},{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"number","number":23,"description":"AF_INET6"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create UDP socket":{"meta":{"name":"create UDP socket","namespace":"communication/socket/udp/send","authors":["moritz.raabe@mandiant.com","joakim@intezer.com","michael.hunhoff@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Communication","Socket Communication","Create UDP Socket"],"objective":"Communication","behavior":"Socket Communication","method":"Create UDP 
Socket","id":"C0001.010"}],"references":[],"examples":["203BD48BCC18434314AD60F4C8BC21E3D3422EB0624B22B827410F9BC63B4082:0x401240"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: create UDP socket\n namespace: communication/socket/udp/send\n authors:\n - moritz.raabe@mandiant.com\n - joakim@intezer.com\n - michael.hunhoff@mandiant.com\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Communication::Socket Communication::Create UDP Socket [C0001.010]\n examples:\n - 203BD48BCC18434314AD60F4C8BC21E3D3422EB0624B22B827410F9BC63B4082:0x401240\n features:\n - or:\n - and:\n - count(number(2 = AF_INET/SOCK_DGRAM)): 2 or more\n - or:\n - api: ws2_32.socket\n - api: ws2_32.WSASocket\n - api: socket\n - api: System.Net.Sockets.Socket::ctor\n - api: System.Net.Sockets.UdpClient::ctor\n","matches":[[{"type":"thread","value":[1180,1852,2828]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.Net.Sockets.UdpClient::ctor"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"range","description":"AF_INET/SOCK_DGRAM","min":2,"max":9223372036854775808,"child":{"type":"number","number":2,"description":"AF_INET/SOCK_DGRAM"}}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,1050]},{"type":"call","value":[1180,1852,2828,2366]},{"type":"call","value":[1180,1852,2828,4241]},{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.socket"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.WSASocket"}},"children":[],"locations":[
],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"socket"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.Net.Sockets.Socket::ctor"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create TCP socket":{"meta":{"name":"create TCP socket","namespace":"communication/socket/tcp","authors":["william.ballenthin@mandiant.com","joakim@intezer.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"basic block","dynamic":"thread"},"attack":[],"mbc":[{"parts":["Communication","Socket Communication","Create TCP Socket"],"objective":"Communication","behavior":"Socket Communication","method":"Create TCP Socket","id":"C0001.011"}],"references":[],"examples":["Practical Malware Analysis Lab 01-01.dll_:0x10001010"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: create TCP socket\n namespace: communication/socket/tcp\n authors:\n - william.ballenthin@mandiant.com\n - joakim@intezer.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: basic block\n dynamic: thread\n mbc:\n - Communication::Socket Communication::Create TCP Socket [C0001.011]\n examples:\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\n features:\n - or:\n - and:\n - number: 6 = IPPROTO_TCP\n - number: 1 = SOCK_STREAM\n - number: 2 = AF_INET\n - or:\n - api: ws2_32.socket\n - api: ws2_32.WSASocket\n - api: socket\n - property/read: 
System.Net.Sockets.TcpClient::Client\n","matches":[[{"type":"thread","value":[1180,1852,2828]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.Net.Sockets.TcpClient::Client"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":6,"description":"IPPROTO_TCP"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,2367]},{"type":"call","value":[1180,1852,2828,1051]},{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":1,"description":"SOCK_STREAM"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,4508]},{"type":"call","value":[1180,1852,2828,4334]},{"type":"call","value":[1180,1852,2828,4453]},{"type":"call","value":[1180,1852,2828,4572]},{"type":"call","value":[1180,1852,2828,4517]},{"type":"call","value":[1180,1852,2828,4343]},{"type":"call","value":[1180,1852,2828,4462]},{"type":"call","value":[1180,1852,2828,4526]},{"type":"call","value":[1180,1852,2828,4352]},{"type":"call","value":[1180,1852,2828,4471]},{"type":"call","value":[1180,1852,2828,4416]},{"type":"call","value":[1180,1852,2828,4535]},{"type":"call","value":[1180,1852,2828,4480]},{"type":"call","value":[1180,1852,2828,4544]},{"type":"call","value":[1180,1852,2828,4309]},{"type":"call","value":[1180,1852,2828,4373]},{"type":"call","value":[1180,1852,2828,4318]},{"type":"call","value":[1180,1852,2828,4437]},{"type":"call","value":[1180,1852,2828,4382]},{"type":"call","value":[1180,1852,2828,4501]},{"type":"call","value":[1180,1852,2828,4327]},{"type":"call","value":[1180,1852,2828,4446]},{"type":"call","value":[1180,1852,2828,4565]},{"type":"call","value":[1180,1852,2828,4510]},{"type":"call","value":[118
0,1852,2828,4336]},{"type":"call","value":[1180,1852,2828,4455]},{"type":"call","value":[1180,1852,2828,4574]},{"type":"call","value":[1180,1852,2828,4519]},{"type":"call","value":[1180,1852,2828,4345]},{"type":"call","value":[1180,1852,2828,4464]},{"type":"call","value":[1180,1852,2828,4528]},{"type":"call","value":[1180,1852,2828,4473]},{"type":"call","value":[1180,1852,2828,4537]},{"type":"call","value":[1180,1852,2828,4302]},{"type":"call","value":[1180,1852,2828,4366]},{"type":"call","value":[1180,1852,2828,4311]},{"type":"call","value":[1180,1852,2828,4430]},{"type":"call","value":[1180,1852,2828,4375]},{"type":"call","value":[1180,1852,2828,4320]},{"type":"call","value":[1180,1852,2828,4439]},{"type":"call","value":[1180,1852,2828,4384]},{"type":"call","value":[1180,1852,2828,4503]},{"type":"call","value":[1180,1852,2828,4329]},{"type":"call","value":[1180,1852,2828,4448]},{"type":"call","value":[1180,1852,2828,4567]},{"type":"call","value":[1180,1852,2828,4512]},{"type":"call","value":[1180,1852,2828,4338]},{"type":"call","value":[1180,1852,2828,4457]},{"type":"call","value":[1180,1852,2828,4576]},{"type":"call","value":[1180,1852,2828,4521]},{"type":"call","value":[1180,1852,2828,4466]},{"type":"call","value":[1180,1852,2828,4585]},{"type":"call","value":[1180,1852,2828,4530]},{"type":"call","value":[1180,1852,2828,4539]},{"type":"call","value":[1180,1852,2828,4295]},{"type":"call","value":[1180,1852,2828,4304]},{"type":"call","value":[1180,1852,2828,4368]},{"type":"call","value":[1180,1852,2828,4313]},{"type":"call","value":[1180,1852,2828,4432]},{"type":"call","value":[1180,1852,2828,4377]},{"type":"call","value":[1180,1852,2828,4496]},{"type":"call","value":[1180,1852,2828,4322]},{"type":"call","value":[1180,1852,2828,4441]},{"type":"call","value":[1180,1852,2828,4560]},{"type":"call","value":[1180,1852,2828,4386]},{"type":"call","value":[1180,1852,2828,4505]},{"type":"call","value":[1180,1852,2828,4331]},{"type":"call","value":[1180,1852,2828,4450]},{"t
ype":"call","value":[1180,1852,2828,4569]},{"type":"call","value":[1180,1852,2828,4514]},{"type":"call","value":[1180,1852,2828,4459]},{"type":"call","value":[1180,1852,2828,4578]},{"type":"call","value":[1180,1852,2828,4523]},{"type":"call","value":[1180,1852,2828,4468]},{"type":"call","value":[1180,1852,2828,4532]},{"type":"call","value":[1180,1852,2828,4297]},{"type":"call","value":[1180,1852,2828,4361]},{"type":"call","value":[1180,1852,2828,4306]},{"type":"call","value":[1180,1852,2828,4425]},{"type":"call","value":[1180,1852,2828,4370]},{"type":"call","value":[1180,1852,2828,4489]},{"type":"call","value":[1180,1852,2828,4315]},{"type":"call","value":[1180,1852,2828,4434]},{"type":"call","value":[1180,1852,2828,4553]},{"type":"call","value":[1180,1852,2828,4379]},{"type":"call","value":[1180,1852,2828,4498]},{"type":"call","value":[1180,1852,2828,4443]},{"type":"call","value":[1180,1852,2828,4562]},{"type":"call","value":[1180,1852,2828,4388]},{"type":"call","value":[1180,1852,2828,4507]},{"type":"call","value":[1180,1852,2828,4333]},{"type":"call","value":[1180,1852,2828,4452]},{"type":"call","value":[1180,1852,2828,4571]},{"type":"call","value":[1180,1852,2828,4516]},{"type":"call","value":[1180,1852,2828,4461]},{"type":"call","value":[1180,1852,2828,4525]},{"type":"call","value":[1180,1852,2828,4354]},{"type":"call","value":[1180,1852,2828,4299]},{"type":"call","value":[1180,1852,2828,4418]},{"type":"call","value":[1180,1852,2828,4363]},{"type":"call","value":[1180,1852,2828,4482]},{"type":"call","value":[1180,1852,2828,4308]},{"type":"call","value":[1180,1852,2828,4427]},{"type":"call","value":[1180,1852,2828,4546]},{"type":"call","value":[1180,1852,2828,4372]},{"type":"call","value":[1180,1852,2828,4491]},{"type":"call","value":[1180,1852,2828,4317]},{"type":"call","value":[1180,1852,2828,4436]},{"type":"call","value":[1180,1852,2828,4555]},{"type":"call","value":[1180,1852,2828,4381]},{"type":"call","value":[1180,1852,2828,4500]},{"type":"call","value":[1
180,1852,2828,4445]},{"type":"call","value":[1180,1852,2828,4564]},{"type":"call","value":[1180,1852,2828,4509]},{"type":"call","value":[1180,1852,2828,4454]},{"type":"call","value":[1180,1852,2828,4573]},{"type":"call","value":[1180,1852,2828,4518]},{"type":"call","value":[1180,1852,2828,4347]},{"type":"call","value":[1180,1852,2828,4356]},{"type":"call","value":[1180,1852,2828,4475]},{"type":"call","value":[1180,1852,2828,4301]},{"type":"call","value":[1180,1852,2828,4420]},{"type":"call","value":[1180,1852,2828,4365]},{"type":"call","value":[1180,1852,2828,4484]},{"type":"call","value":[1180,1852,2828,4310]},{"type":"call","value":[1180,1852,2828,4429]},{"type":"call","value":[1180,1852,2828,4548]},{"type":"call","value":[1180,1852,2828,4374]},{"type":"call","value":[1180,1852,2828,4493]},{"type":"call","value":[1180,1852,2828,4319]},{"type":"call","value":[1180,1852,2828,4438]},{"type":"call","value":[1180,1852,2828,4557]},{"type":"call","value":[1180,1852,2828,4383]},{"type":"call","value":[1180,1852,2828,4502]},{"type":"call","value":[1180,1852,2828,4447]},{"type":"call","value":[1180,1852,2828,4566]},{"type":"call","value":[1180,1852,2828,4511]},{"type":"call","value":[1180,1852,2828,4575]},{"type":"call","value":[1180,1852,2828,4340]},{"type":"call","value":[1180,1852,2828,4349]},{"type":"call","value":[1180,1852,2828,4294]},{"type":"call","value":[1180,1852,2828,4413]},{"type":"call","value":[1180,1852,2828,4358]},{"type":"call","value":[1180,1852,2828,4477]},{"type":"call","value":[1180,1852,2828,4303]},{"type":"call","value":[1180,1852,2828,4422]},{"type":"call","value":[1180,1852,2828,4541]},{"type":"call","value":[1180,1852,2828,4367]},{"type":"call","value":[1180,1852,2828,4312]},{"type":"call","value":[1180,1852,2828,4431]},{"type":"call","value":[1180,1852,2828,4550]},{"type":"call","value":[1180,1852,2828,4376]},{"type":"call","value":[1180,1852,2828,4495]},{"type":"call","value":[1180,1852,2828,4440]},{"type":"call","value":[1180,1852,2828,4559]},{
"type":"call","value":[1180,1852,2828,4504]},{"type":"call","value":[1180,1852,2828,4449]},{"type":"call","value":[1180,1852,2828,4568]},{"type":"call","value":[1180,1852,2828,4513]},{"type":"call","value":[1180,1852,2828,4577]},{"type":"call","value":[1180,1852,2828,4342]},{"type":"call","value":[1180,1852,2828,4351]},{"type":"call","value":[1180,1852,2828,4470]},{"type":"call","value":[1180,1852,2828,4296]},{"type":"call","value":[1180,1852,2828,4415]},{"type":"call","value":[1180,1852,2828,4534]},{"type":"call","value":[1180,1852,2828,4360]},{"type":"call","value":[1180,1852,2828,4479]},{"type":"call","value":[1180,1852,2828,4305]},{"type":"call","value":[1180,1852,2828,4424]},{"type":"call","value":[1180,1852,2828,4543]},{"type":"call","value":[1180,1852,2828,4369]},{"type":"call","value":[1180,1852,2828,4314]},{"type":"call","value":[1180,1852,2828,4433]},{"type":"call","value":[1180,1852,2828,4552]},{"type":"call","value":[1180,1852,2828,4378]},{"type":"call","value":[1180,1852,2828,4497]},{"type":"call","value":[1180,1852,2828,4442]},{"type":"call","value":[1180,1852,2828,4561]},{"type":"call","value":[1180,1852,2828,4506]},{"type":"call","value":[1180,1852,2828,4570]},{"type":"call","value":[1180,1852,2828,4335]},{"type":"call","value":[1180,1852,2828,4344]},{"type":"call","value":[1180,1852,2828,4463]},{"type":"call","value":[1180,1852,2828,4527]},{"type":"call","value":[1180,1852,2828,4353]},{"type":"call","value":[1180,1852,2828,4472]},{"type":"call","value":[1180,1852,2828,4298]},{"type":"call","value":[1180,1852,2828,4417]},{"type":"call","value":[1180,1852,2828,4536]},{"type":"call","value":[1180,1852,2828,4362]},{"type":"call","value":[1180,1852,2828,4481]},{"type":"call","value":[1180,1852,2828,4307]},{"type":"call","value":[1180,1852,2828,4426]},{"type":"call","value":[1180,1852,2828,4545]},{"type":"call","value":[1180,1852,2828,4371]},{"type":"call","value":[1180,1852,2828,4490]},{"type":"call","value":[1180,1852,2828,4435]},{"type":"call","value":
[1180,1852,2828,4554]},{"type":"call","value":[1180,1852,2828,4499]},{"type":"call","value":[1180,1852,2828,4563]},{"type":"call","value":[1180,1852,2828,4328]},{"type":"call","value":[1180,1852,2828,4337]},{"type":"call","value":[1180,1852,2828,4456]},{"type":"call","value":[1180,1852,2828,4520]},{"type":"call","value":[1180,1852,2828,4346]},{"type":"call","value":[1180,1852,2828,4465]},{"type":"call","value":[1180,1852,2828,4529]},{"type":"call","value":[1180,1852,2828,4355]},{"type":"call","value":[1180,1852,2828,4474]},{"type":"call","value":[1180,1852,2828,4300]},{"type":"call","value":[1180,1852,2828,4419]},{"type":"call","value":[1180,1852,2828,4538]},{"type":"call","value":[1180,1852,2828,4364]},{"type":"call","value":[1180,1852,2828,4483]},{"type":"call","value":[1180,1852,2828,4428]},{"type":"call","value":[1180,1852,2828,4547]},{"type":"call","value":[1180,1852,2828,4492]},{"type":"call","value":[1180,1852,2828,4556]},{"type":"call","value":[1180,1852,2828,4321]},{"type":"call","value":[1180,1852,2828,4385]},{"type":"call","value":[1180,1852,2828,4330]},{"type":"call","value":[1180,1852,2828,4339]},{"type":"call","value":[1180,1852,2828,4458]},{"type":"call","value":[1180,1852,2828,4522]},{"type":"call","value":[1180,1852,2828,4348]},{"type":"call","value":[1180,1852,2828,4467]},{"type":"call","value":[1180,1852,2828,4293]},{"type":"call","value":[1180,1852,2828,4412]},{"type":"call","value":[1180,1852,2828,4531]},{"type":"call","value":[1180,1852,2828,4357]},{"type":"call","value":[1180,1852,2828,4476]},{"type":"call","value":[1180,1852,2828,4421]},{"type":"call","value":[1180,1852,2828,4540]},{"type":"call","value":[1180,1852,2828,4549]},{"type":"call","value":[1180,1852,2828,4494]},{"type":"call","value":[1180,1852,2828,4558]},{"type":"call","value":[1180,1852,2828,4387]},{"type":"call","value":[1180,1852,2828,4332]},{"type":"call","value":[1180,1852,2828,4451]},{"type":"call","value":[1180,1852,2828,4515]},{"type":"call","value":[1180,1852,2828,4341]}
,{"type":"call","value":[1180,1852,2828,4460]},{"type":"call","value":[1180,1852,2828,2364]},{"type":"call","value":[1180,1852,2828,4350]},{"type":"call","value":[1180,1852,2828,4469]},{"type":"call","value":[1180,1852,2828,4524]},{"type":"call","value":[1180,1852,2828,4414]},{"type":"call","value":[1180,1852,2828,4533]},{"type":"call","value":[1180,1852,2828,4359]},{"type":"call","value":[1180,1852,2828,4478]},{"type":"call","value":[1180,1852,2828,4423]},{"type":"call","value":[1180,1852,2828,4542]},{"type":"call","value":[1180,1852,2828,4551]},{"type":"call","value":[1180,1852,2828,4316]},{"type":"call","value":[1180,1852,2828,4380]},{"type":"call","value":[1180,1852,2828,4444]},{"type":"call","value":[1180,1852,2828,4389]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2,"description":"AF_INET"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,1050]},{"type":"call","value":[1180,1852,2828,2366]},{"type":"call","value":[1180,1852,2828,4241]},{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.socket"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.WSASocket"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"socket"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2828,4585]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"get system information on Windows":{"meta":{"name":"get system information on Windows","namespace":"host-interaction/os/info","authors":["moritz.raabe@mandiant.com","joakim@intezer.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Discovery","System Information 
Discovery"],"tactic":"Discovery","technique":"System Information Discovery","subtechnique":"","id":"T1082"}],"mbc":[],"references":[],"examples":["563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140002280"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: get system information on Windows\n namespace: host-interaction/os/info\n authors:\n - moritz.raabe@mandiant.com\n - joakim@intezer.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Discovery::System Information Discovery [T1082]\n examples:\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140002280\n features:\n - and:\n - os: windows\n - or:\n - api: kernel32.GetSystemInfo\n - api: kernel32.GetNativeSystemInfo\n - api: NtQuerySystemInformation\n - api: NtQuerySystemInformationEx\n - api: ntdll.RtlGetNativeSystemInformation\n - api: ZwQuerySystemInformation\n - api: ZwQuerySystemInformationEx\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no 
address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetSystemInfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetNativeSystemInfo"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformation"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,484]},{"type":"call","value":[2456,3052,3064,481]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ntdll.RtlGetNativeSystemInformation"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformation"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQuerySystemInformationEx"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"create or open section object":{"meta":{"name":"create or open section object","authors":["william.ballenthin@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[],"references":[],"examples":["daa13ae302fe8b618ddbf590537443ef:0x401116"],"description":"","lib":true,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: create or open section object\n authors:\n - william.ballenthin@mandiant.com\n lib: 'true'\n scopes:\n static: function\n dynamic: process\n examples:\n - daa13ae302fe8b618ddbf590537443ef:0x401116\n features:\n - and:\n - os: windows\n - or:\n - api: NtCreateSection\n - api: ZwCreateSection\n - api: NtOpenSection\n - api: 
ZwOpenSection\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateSection"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,371]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"read file on Windows":{"meta":{"name":"read file on Windows","namespace":"host-interaction/file-system/read","authors":["moritz.raabe@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[{"parts":["File System","Read File"],"objective":"File System","behavior":"Read File","method":"","id":"C0051"}],"references":[],"examples":["BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: read file on Windows\n namespace: host-interaction/file-system/read\n authors:\n - moritz.raabe@mandiant.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: function\n dynamic: process\n mbc:\n - File System::Read File [C0051]\n examples:\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B\n features:\n - or:\n - and:\n - os: windows\n - optional:\n - and:\n - number: 0x80000000 = GENERIC_READ\n - match: create or open file\n 
- or:\n - api: kernel32.ReadFile\n - api: ReadFileEx\n - api: NtReadFile\n - api: ZwReadFile\n - api: LZRead\n - api: _read\n - api: fread\n - api: System.IO.File::ReadAllBytes\n - api: System.IO.File::ReadAllBytesAsync\n - api: System.IO.File::ReadAllLines\n - api: System.IO.File::ReadAllLinesAsync\n - api: System.IO.File::ReadAllText\n - api: System.IO.File::ReadAllTextAsync\n - api: System.IO.File::ReadLines\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllBytes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllBytesAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllLines"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllLinesAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllText"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadAllTextAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::ReadLines"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no 
address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"number","number":2147483648,"description":"GENERIC_READ"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open file"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,916]},{"type":"call","value":[2456,3052,2792,911]},{"type":"call","value":[2456,3052,2792,903]},{"type":"call","value":[2456,3052,2792,898]},{"type":"call","value":[2456,3052,2792,893]},{"type":"call","value":[2456,3052,2792,888]},{"type":"call","value":[2456,3052,2792,883]},{"type":"call","value":[2456,3052,2792,907]}],"captures":{}},{"success":false,"node":{"t
ype":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"childr
en":[],"locations":[{"type":"call","value":[2456,3052,3064,782]},{"type":"call","value":[2456,3052,3064,716]},{"type":"call","value":[2456,3052,3064,739]},{"type":"call","value":[2456,3052,3064,751]},{"type":"call","value":[2456,3052,3064,730]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,370]},{"type":"call","value":[2456,3052,3064,804]},{"type":"call","value":[2456,3052,3064,813]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2456,3052,2792]},{"type":"thread","value":[2456,3052,3064]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.ReadFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"n
ode":{"type":"feature","feature":{"type":"api","api":"ReadFileEx"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtReadFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,816]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwReadFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZRead"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"_read"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fread"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"write file on Windows":{"meta":{"name":"write file on Windows","namespace":"host-interaction/file-system/write","authors":["william.ballenthin@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[{"parts":["File System","Writes File"],"objective":"File System","behavior":"Writes File","method":"","id":"C0052"}],"references":[],"examples":["Practical Malware Analysis Lab 01-04.exe_:0x4011FC","563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: write file on Windows\n namespace: host-interaction/file-system/write\n authors:\n - william.ballenthin@mandiant.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: function\n dynamic: process\n mbc:\n - File System::Writes File [C0052]\n examples:\n - Practical Malware Analysis Lab 01-04.exe_:0x4011FC\n # ntdll\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4\n features:\n - or:\n - and:\n - os: windows\n - optional:\n - 
or:\n - basic block:\n - or:\n - number: 0x40000000 = GENERIC_WRITE\n - number: 0x2 = FILE_WRITE_DATA\n - match: create or open file\n - thread:\n - or:\n - number: 0x40000000 = GENERIC_WRITE\n - number: 0x2 = FILE_WRITE_DATA\n - match: create or open file\n - or:\n - api: kernel32.WriteFile\n - api: kernel32.WriteFileEx\n - api: NtWriteFile\n - api: ZwWriteFile\n - api: _fwrite\n - api: fwrite\n - api: System.IO.File::WriteAllBytes\n - api: System.IO.File::WriteAllBytesAsync\n - api: System.IO.File::WriteAllLines\n - api: System.IO.File::WriteAllLinesAsync\n - api: System.IO.File::WriteAllText\n - api: System.IO.File::WriteAllTextAsync\n - api: System.IO.File::AppendAllLines\n - api: System.IO.File::AppendAllLinesAsync\n - api: System.IO.File::AppendAllText\n - api: System.IO.File::AppendAllTextAsync\n - api: System.IO.File::AppendText\n - api: System.IO.FileInfo::AppendText\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllBytes"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllBytesAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllLines"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllLinesAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllText"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::WriteAllTextAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"a
pi","api":"System.IO.File::AppendAllLines"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::AppendAllLinesAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::AppendAllText"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::AppendAllTextAsync"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.File::AppendText"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.IO.FileInfo::AppendText"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"write file on 
Windows/d45b98346a26410b86a0189a2e52b6df"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"subscope","scope":"thread"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"number","number":1073741824,"description":"GENERIC_WRITE"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2,"description":"FILE_WRITE_DATA"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,866]},{"type":"call","value":[2456,3052,2792,834]},{"type":"call","value":[2456,3052,2792,850]},{"type":"call","value":[2456,3052,2792,828]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open file"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"l
ocations":[{"type":"call","value":[2456,3052,2792,916]},{"type":"call","value":[2456,3052,2792,911]},{"type":"call","value":[2456,3052,2792,903]},{"type":"call","value":[2456,3052,2792,898]},{"type":"call","value":[2456,3052,2792,893]},{"type":"call","value":[2456,3052,2792,888]},{"type":"call","value":[2456,3052,2792,883]},{"type":"call","value":[2456,3052,2792,907]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2456,3052,2792]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"number","number":1073741824,"description":"GENERIC_WRITE"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2,"description":"FILE_WRITE_DATA"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,372]},{"type":"call","value
":[2456,3052,3064,279]},{"type":"call","value":[2456,3052,3064,274]},{"type":"call","value":[2456,3052,3064,280]},{"type":"call","value":[2456,3052,3064,275]},{"type":"call","value":[2456,3052,3064,277]},{"type":"call","value":[2456,3052,3064,363]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open file"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"CreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"IoCreateFileEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateFile"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,782]},{"type":"call","value":[2456,3052,3064,716]},{"type":"call","value":[2456,3052,3064,739]},{"type":"call","value":[2456,3052,3064,751]},{"type":"call","value":[2456,3052,3064,730]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,370]},{"type":"call","value":[2456,3052,3064,804]},{"type":"call","value":[2456,3052,3064,813]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZCreateFile"}},"children":[],"locations":[],"capture
s":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"LZOpenFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fopen64"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fdopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"freopen"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"open"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"openat"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2456,3052,3064]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2456,3052,2792]},{"type":"thread","value":[2456,3052,3064]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.WriteFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.WriteFileEx"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtWriteFile"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,805]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwWriteFile"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"_fwrite"}},"children":[],"locations":[],"captu
res":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"fwrite"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"query or enumerate registry value":{"meta":{"name":"query or enumerate registry value","namespace":"host-interaction/registry","authors":["william.ballenthin@mandiant.com","michael.hunhoff@mandiant.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Discovery","Query Registry"],"tactic":"Discovery","technique":"Query Registry","subtechnique":"","id":"T1012"}],"mbc":[{"parts":["Operating System","Registry","Query Registry Value"],"objective":"Operating System","behavior":"Registry","method":"Query Registry Value","id":"C0036.006"}],"references":[],"examples":["BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A","Practical Malware Analysis Lab 03-02.dll_:0x100047AD"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: query or enumerate registry value\n namespace: host-interaction/registry\n authors:\n - william.ballenthin@mandiant.com\n - michael.hunhoff@mandiant.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Discovery::Query Registry [T1012]\n mbc:\n - Operating System::Registry::Query Registry Value [C0036.006]\n examples:\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A\n - Practical Malware Analysis Lab 03-02.dll_:0x100047AD\n features:\n - and:\n - optional:\n - match: create or open registry key\n - or:\n - api: advapi32.RegGetValue\n - api: advapi32.RegEnumValue\n - api: advapi32.RegQueryValue\n - api: advapi32.RegQueryValueEx\n - api: advapi32.RegQueryMultipleValues\n - api: ZwQueryValueKey\n - api: ZwEnumerateValueKey\n - api: NtQueryValueKey\n - api: NtEnumerateValueKey\n - api: RtlQueryRegistryValues\n - api: SHGetValue\n - api: SHEnumValue\n - api: SHRegGetInt\n - api: 
SHRegGetPath\n - api: SHRegGetValue\n - api: SHQueryValueEx\n - api: SHRegGetUSValue\n - api: SHOpenRegStream\n - api: SHRegEnumUSValue\n - api: SHOpenRegStream2\n - api: SHRegQueryUSValue\n - api: SHRegGetBoolUSValue\n - api: SHRegGetValueFromHKCUHKLM\n - api: SHRegGetBoolValueFromHKCUHKLM\n - api: Microsoft.Win32.RegistryKey::GetValue\n - api: Microsoft.Win32.RegistryKey::GetValueKind\n - api: Microsoft.Win32.RegistryKey::GetValueNames\n - api: Microsoft.Win32.Registry::GetValue\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api
":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,46]},{"type":"call","value":[2456,3052,3064,1022]},{"type":"call","value":[2456,3052,3064,32]},{"type":"call","value":[2456,3052,3064,47]},{"type":"call","value":[2456,3052,3064,48]},{"type":"call","value":[2456,3052,3064,43]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{
"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2456,3052,3064]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,366]},{"type":"call","value":[2456,3052,3064,49]},{"type":"call","value":[2456,3052,3064,44]},{"type":"call","value":[2456,3052,3064,50]},
{"type":"call","value":[2456,3052,3064,145]},{"type":"call","value":[2456,3052,3064,1023]},{"type":"call","value":[2456,3052,3064,37]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBool
USValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[3052,2192]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry 
key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,35]},{"type":"call","value":[3052,2192,2204,1206]},{"type":"call","value":[3052,2192,2204,39]},{"type":"call","value":[3052,2192,2204,40]},{"type":"call","value":[3052,2192,2204,32]},{"type":"call","value":[3052,2192,2204,38]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[3052,2192,2204]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"childre
n":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[3052,2192,2204,41]},{"type":"call","value":[3052,2192,2204,36]},{"type":"call","value":[3052,2192,2204,359]},{"type":"call","value":[3052,2192,2204,137]},{"type":"call","value":[3052,2192,2204,42]},{"type":"call","value":[3052,2192,2204,1207]},{"type":"call","value":[3052,2192,2204,33]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":
[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locati
ons":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[3052,1180]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feat
ure":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,742]},{"type":"call","value":[3052,1180,500,31]},{"type":"call","value":[3052,1180,500,39]},{"type":"call","value":[3052,1180,500,34]},{"type":"call","value":[3052,1180,500,37]},{"type":"call","value":[3052,1180,500,38]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::Open
RemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[3052,1180,500]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[3052,1180,500,40]},{"type":"call","value":[3052,1180,500,35]},{"type":"call","value":[3052,1180,500,41]},{"type":"call","value":[3052,1180,500,136]},{"type":"call","value":[3052,1180,500,358]},{"type":"call","value":[3052,1180,500,743]},{"type":"call","value":[3052,1180,500,32]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[]
,"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"S
HRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[3052,2852]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry 
key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,63]},{"type":"call","value":[3052,2852,2804,58]},{"type":"call","value":[3052,2852,2804,55]},{"type":"call","value":[3052,2852,2804,61]},{"type":"call","value":[3052,2852,2804,1957]},{"type":"call","value":[3052,2852,2804,62]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[3052,2852,2804]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"childre
n":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[3052,2852,2804,80]},{"type":"call","value":[3052,2852,2804,56]},{"type":"call","value":[3052,2852,2804,1]},{"type":"call","value":[3052,2852,2804,64]},{"type":"call","value":[3052,2852,2804,59]},{"type":"call","value":[3052,2852,2804,65]},{"type":"call","value":[3052,2852,2804,1958]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],
"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations
":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[2852,2900]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,85]},{"type":"call","value":[2852,2900,2904,200]},{"type":"call","value":[2852,2900,2904,43]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","a
pi":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2852,2900,2904]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,201]},{"type":"call","value":[2852,2900,2904,16]},{"type":"call","value":[2852,2900,2904,44]},{"type":"call","value":[2852,2900,2904,86]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children
":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"nod
e":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","featu
re":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,2351]},{"type":"call","value":[1180,1852,1156,3679]},{"type":"call","value":[1180,1852,1156,2573]},{"type":"call","value":[1180,1852,1156,4964]},{"type":"call","value":[1180,1852,1156,4956]},{"type":"call","value":[1180,1852,1156,2567]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[]
,"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api",
"api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1181]},{"type":"call","value":[1180,1852,236,1160]},{"type":"call","value":[1180,1852,236,1133]},{"type":"call","value":[1180,1852,236,1173]},{"type":"call","value":[1180,1852,236,1113]},{"type":"call","value":[1180,1852,236,1121]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBa
seKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[
],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,45]},{"type":"call","value":[1180,1852,920,42]},{"type":"call","value":[1180,1852,920,32]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1180,1852,1156]},{"type":"thread","value":[1180,1852,236]},{"type":"thread","value":[1180,1852,920]}],"captures":{}}],"locations":[],"captures":{}},{"success":tr
ue,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,43]},{"type":"call","value":[1180,1852,920,72]},{"type":"call","value":[1180,1852,920,33]},{"type":"call","value":[1180,1852,1156,2568]},{"type":"call","value":[1180,1852,920,46]},{"type":"call","value":[1180,1852,764,591]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"capt
ures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false
,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1200,1248]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,1560,6255]},{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1560,6254]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children
":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1200,1248,1560]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6252]},{"type":"call","value":[1200,1248,1560,6258]},{"type":"call","value":[1200,1248,1560,6283]},{"type":"call","value":[1200,1248,1560,6277]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"child
ren":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":
{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,2420]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry 
key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,32]},{"type":"call","value":[1852,2420,2524,24]},{"type":"call","value":[1852,2420,2524,30]},{"type":"call","value":[1852,2420,2524,27]},{"type":"call","value":[1852,2420,2524,31]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1852,2420,2524]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success"
:false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1852,2420,2524,129]},{"type":"call","value":[1852,2420,2524,34]},{"type":"call","value":[1852,2420,2524,25]},{"type":"call","value":[1852,2420,2524,33]},{"type":"call","value":[1852,2420,2524,28]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"
captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"ch
ildren":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[2820,2360]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":
{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1788,165]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2820,2360,1788]}],"captures":{}}],"locations":[],"capture
s":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[2820,2360,1788,166]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"t
ype":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,2724]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"ca
ptures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,26]},{"type":"call","value":[1852,2724,1816,44]},{"type":"call","value":[1852,2724,1816,95]},{"type":"call","value":[1852,2724,1816,969]},{"type":"call","value":[1852,2724,1816,77]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1852,2724,1816]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,96]},{"type":"call","value":[1852,2724,1816,970]},{"type":"call","value":[1852,2724,1816,45]},{"type":"call","value":[1852,2724,1816,18]},{"type":"call","value":[1852,2724,1816,35]},{"type":"call","value":[1852,2724,1816,27]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"capt
ures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"
Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,2800]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserC
lassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,36]},{"type":"call","value":[1852,2800,640,87]},{"type":"call","value":[1852,2800,640,1236]},{"type":"call","value":[1852,2800,640,69]},{"type":"call","value":[1852,2800,640,17]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft
.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1852,2800,640]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,37]},{"type":"call","value":[1852,2800,640,27]},{"type":"call
","value":[1852,2800,640,11]},{"type":"call","value":[1852,2800,640,88]},{"type":"call","value":[1852,2800,640,1237]},{"type":"call","value":[1852,2800,640,18]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type"
:"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,2744]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry 
key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,37]},{"type":"call","value":[1852,2744,2916,38]},{"type":"call","value":[1852,2744,2916,732]},{"type":"call","value":[1852,2744,2916,31]},{"type":"call","value":[1852,2744,2916,39]},{"type":"call","value":[1852,2744,2916,34]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1852,2744,2916]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children
":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1852,2744,2916,32]},{"type":"call","value":[1852,2744,2916,358]},{"type":"call","value":[1852,2744,2916,40]},{"type":"call","value":[1852,2744,2916,35]},{"type":"call","value":[1852,2744,2916,41]},{"type":"call","value":[1852,2744,2916,136]},{"type":"call","value":[1852,2744,2916,733]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[]
,"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"location
s":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,500]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature
":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,31]},{"type":"call","value":[1852,500,240,32]},{"type":"call","value":[1852,500,240,27]},{"type":"call","value":[1852,500,240,24]},{"type":"call","value":[1852,500,240,30]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captu
res":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1852,500,240]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[1852,500,240,28]},{"type":"call","value":[1852,500,240,34]},{"type":"call","value":[1852,500,240,129]},{"type":"call","value":[1852,500,240,25]},{"type":"call","value":[1852,500,240,33]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"c
aptures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api
":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[2820,1572]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUs
erClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2804,1016]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.R
egistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[2820,1572,2804]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryMultipleValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryValueKey"}},"children":[],"locations":[{"type":"call","value":[2820,1572,2804,1017]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateValueKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api
","api":"RtlQueryRegistryValues"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetInt"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHOpenRegStream2"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegGetBoolValueFromHKCUHKLM"}},"children":[],"locations":[],"captures":{}},{"su
ccess":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueKind"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetValueNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::GetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"map section object":{"meta":{"name":"map section object","namespace":"host-interaction/process","authors":["william.ballenthin@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[],"references":[],"examples":["61908f4d70ce6f16173e76aa42a8c25a:0x4018F0"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: map section object\n namespace: host-interaction/process\n authors:\n - william.ballenthin@mandiant.com\n scopes:\n static: function\n dynamic: process\n examples:\n - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0\n features:\n - and:\n - os: windows\n - or:\n - api: NtMapViewOfSection\n - api: ZwMapViewOfSection\n - optional:\n - api: NtUnmapViewOfSection\n - api: ZwUnmapViewOfSection\n - match: create or open section object\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no 
address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtMapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,372]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwMapViewOfSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtUnmapViewOfSection"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,961]},{"type":"call","value":[2456,3052,3064,940]},{"type":"call","value":[2456,3052,3064,959]},{"type":"call","value":[2456,3052,3064,1015]},{"type":"call","value":[2456,3052,3064,1013]},{"type":"call","value":[2456,3052,3064,993]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwUnmapViewOfSection"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open section object"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"os","os":"windows"}},"children":[],"locations":[{"type":"no 
address"}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateSection"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,371]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenSection"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenSection"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"process","value":[2456,3052]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"persist via Run registry key":{"meta":{"name":"persist via Run registry key","namespace":"persistence/registry/run","authors":["moritz.raabe@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Persistence","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder"],"tactic":"Persistence","technique":"Boot or Logon Autostart Execution","subtechnique":"Registry Run Keys / Startup Folder","id":"T1547.001"}],"mbc":[{"parts":["Persistence","Registry Run Keys / Startup Folder"],"objective":"Persistence","behavior":"Registry Run Keys / Startup Folder","method":"","id":"F0012"}],"references":[],"examples":["Practical Malware Analysis Lab 06-03.exe_:0x401130","b87e9dd18a5533a09d3e48a7a1efbcf6:0x1400070E0","9ff8e68343cc29c1036650fc153e69f7:0x470624"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: persist via Run registry key\n namespace: persistence/registry/run\n authors:\n - moritz.raabe@mandiant.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Persistence::Boot or Logon Autostart 
Execution::Registry Run Keys / Startup Folder [T1547.001]\n mbc:\n - Persistence::Registry Run Keys / Startup Folder [F0012]\n examples:\n - Practical Malware Analysis Lab 06-03.exe_:0x401130\n - b87e9dd18a5533a09d3e48a7a1efbcf6:0x1400070E0\n - 9ff8e68343cc29c1036650fc153e69f7:0x470624\n features:\n - and:\n - or:\n - match: set registry value\n - number: 0x80000001 = HKEY_CURRENT_USER\n - number: 0x80000002 = HKEY_LOCAL_MACHINE\n - or:\n - and:\n - string: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion/i\n - or:\n - string: /Run/i\n - string: /Explorer\\\\Shell Folders/i\n - string: /User Shell Folders/i\n - string: /RunServices/i\n - string: /Policies\\\\Explorer\\\\Run/i\n - string: /Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\load/i\n - string: /System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute/i\n","matches":[[{"type":"process","value":[2456,3052]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"set registry 
value"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2147483649,"description":"HKEY_CURRENT_USER"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,861]},{"type":"call","value":[2456,3052,2792,856]},{"type":"call","value":[2456,3052,2792,845]},{"type":"call","value":[2456,3052,2792,877]},{"type":"call","value":[2456,3052,2792,872]},{"type":"call","value":[2456,3052,2792,840]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2147483650,"description":"HKEY_LOCAL_MACHINE"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,721]},{"type":"call","value":[2456,3052,3064,711]},{"type":"call","value":[2456,3052,3064,734]},{"type":"call","value":[2456,3052,3064,775]},{"type":"call","value":[2456,3052,3064,823]},{"type":"call","value":[2456,3052,3064,746]},{"type":"call","value":[2456,3052,3064,758]},{"type":"call","value":[2456,3052,3064,765]},{"type":"call","value":[2456,3052,3064,725]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/Software\\\\Microsoft\\\\Windows\\\\CurrentVersion/i"}},"children":[],"locations":[{"type":"call","value":[2456,3052,2792,861]},{"type":"call","value":[2456,3052,2792,864]},{"type":"call","value":[2456,3052,3064,823]},{"type":"call","value":[2456,3052,2792,873]},{"type":"call","value":[2456,3052,2792,841]},{"type":"call","value":[2456,3052,2792,856]},{"type":"call","value":[2456,3052,2792,859]},{"type":"call","value":[2456,3052,2792,862]},{"type":"call","value":[2456,3052,2792,845]},{"type":"call","value":[2456,3052,2792,880]},{"type":"call","value":[2456,3052,2792,848]},{"type":"call","value":[2456,3052,2792,877]},{"type":"call","value":[2456,3052,2792,85
7]},{"type":"call","value":[2456,3052,2792,840]},{"type":"call","value":[2456,3052,2792,875]},{"type":"call","value":[2456,3052,2792,843]},{"type":"call","value":[2456,3052,2792,872]},{"type":"call","value":[2456,3052,2792,878]},{"type":"call","value":[2456,3052,2792,846]}],"captures":{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0000A65749F5902C4D82.exe":[{"type":"call","value":[2456,3052,3064,823]}],"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0000A65749F5902C4D82.exe":[{"type":"call","value":[2456,3052,3064,823]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume":[{"type":"call","value":[2456,3052,2792,861]},{"type":"call","value":[2456,3052,2792,856]},{"type":"call","value":[2456,3052,2792,845]},{"type":"call","value":[2456,3052,2792,877]},{"type":"call","value":[2456,3052,2792,872]},{"type":"call","value":[2456,3052,2792,840]}],"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume":[{"type":"call","value":[2456,3052,2792,861]},{"type":"call","value":[2456,3052,2792,856]},{"type":"call","value":[2456,3052,2792,845]},{"type":"call","value":[2456,3052,2792,877]},{"type":"call","value":[2456,3052,2792,872]},{"type":"call","value":[2456,3052,2792,840]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\":[{"type":"call","value":[2456,3052,2792,841]},{"type":"call","value":[2456,3052,2792,846]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\Data":[{"type":"call","value":[2456,3052,2792,843]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3479-f160-11ea-9f0e-806e6f6e6963}\\Generation":[{"type":"call","value":[2456,3052,2792,848]}],"HKEY_CURRENT_USER\
\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\":[{"type":"call","value":[2456,3052,2792,862]},{"type":"call","value":[2456,3052,2792,857]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\Data":[{"type":"call","value":[2456,3052,2792,859]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3475-f160-11ea-9f0e-806e6f6e6963}\\Generation":[{"type":"call","value":[2456,3052,2792,864]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\":[{"type":"call","value":[2456,3052,2792,878]},{"type":"call","value":[2456,3052,2792,873]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\Data":[{"type":"call","value":[2456,3052,2792,875]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5f0c3476-f160-11ea-9f0e-806e6f6e6963}\\Generation":[{"type":"call","value":[2456,3052,2792,880]}]}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/Run/i"}},"children":[],"locations":[{"type":"call","value":[2456,3052,3064,816]},{"type":"call","value":[2456,3052,3064,115]}],"captures":{"SplDriverUnloadComplete":[{"type":"call","value":[2456,3052,3064,115]}],"MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This 
program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00 \\xe61[\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x02\\x01\\x0b\\x01\\x0c\\x00\\x00@\\x00\\x00\\x00P\\x08\\x00\\x00\\x00\\x00\\x00\\xe0'\\x00\\x00\\x00\\x10\\x00\\x00\\x00P\\x00\\x00\\x00\\x00@\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00":[{"type":"call","value":[2456,3052,3064,816]}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Explorer\\\\Shell Folders/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/User Shell Folders/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/RunServices/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Policies\\\\Explorer\\\\Run/i"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\load/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/System\\\\CurrentControlSet\\\\Control\\\\Session 
Manager\\\\BootExecute/i"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"set registry value"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2147483649,"description":"HKEY_CURRENT_USER"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,236,1217]},{"type":"call","value":[1180,1852,1028,946]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2147483650,"description":"HKEY_LOCAL_MACHINE"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1406]},{"type":"call","value":[1180,1852,236,1390]},{"type":"call","value":[1180,1852,920,35]},{"type":"call","value":[1180,1852,1020,2687]},{"type":"call","value":[1180,1852,920,9]},{"type":"call","value":[1180,1852,236,1441]},{"type":"call","value":[1180,1852,236,1171]},{"type":"call","value":[1180,1852,236,1450]},{"type":"call","value":[1180,1852,236,1395]},{"type":"call","value":[1180,1852,920,40]},{"type":"call","value":[1180,1852,236,1432]},{"type":"call","value":[1180,1852,1020,2669]},{"type":"call","value":[1180,1852,1020,3073]},{"type":"call","value":[1180,1852,1156,807]},{"type":"call","value":[1180,1852,1156,797]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","
feature":{"type":"regex","regex":"/Software\\\\Microsoft\\\\Windows\\\\CurrentVersion/i"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1028,4875]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1464]},{"type":"call","value":[1180,1852,236,1470]},{"type":"call","value":[1180,1852,236,1354]},{"type":"call","value":[1180,1852,236,1467]},{"type":"call","value":[1180,1852,236,1357]},{"type":"call","value":[1180,1852,1028,2007]},{"type":"call","value":[1180,1852,236,1360]},{"type":"call","value":[1180,1852,920,40]},{"type":"call","value":[1180,1852,236,1363]},{"type":"call","value":[1180,1852,236,1430]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,236,1439]},{"type":"call","value":[1180,1852,236,1448]},{"type":"call","value":[1180,1852,1028,3483]},{"type":"call","value":[1180,1852,236,1219]},{"type":"call","value":[1180,1852,236,1466]},{"type":"call","value":[1180,1852,236,1472]},{"type":"call","value":[1180,1852,236,1405]},{"type":"call","value":[1180,1852,236,1356]},{"type":"call","value":[1180,1852,236,1359]},{"type":"call","value":[1180,1852,236,1362]},{"type":"call","value":[1180,1852,236,1365]},{"type":"call","value":[1180,1852,1028,947]},{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1438]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1221]},{"type":"call","value":[1180,1852,236,1218]},{"type":"call","value":[1180,1852,236,1404]},{"type":"call","value":[1180,1852,236,1465]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,236,1352]},{"type":"call","value":[1180,1852,236,1355]},{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,920,35]},{"type":"call","value":[1180,1852,236,1364]},{"type":"call","value":[1180,1852,920,38]},{"type":"call","value":[1180,1852,236,1431]},{"type":"call","value":[1180,1852,1028,946]},{"type":"call","value":[1180,1852,236,
1440]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,236,1449]},{"type":"call","value":[1180,1852,236,1217]},{"type":"call","value":[1180,1852,236,1220]}],"captures":{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup":[{"type":"call","value":[1180,1852,920,35]}],"Software\\Microsoft\\Windows\\CurrentVersion\\Setup":[{"type":"call","value":[1180,1852,920,35]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath":[{"type":"call","value":[1180,1852,920,38]}],"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion":[{"type":"call","value":[1180,1852,920,40]}],"Software\\Microsoft\\Windows\\CurrentVersion":[{"type":"call","value":[1180,1852,920,40]}],"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,1028,946]}],"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,1028,946]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea":[{"type":"call","value":[1180,1852,1028,947]},{"type":"call","value":[1180,1852,1028,4875]},{"type":"call","value":[1180,1852,1028,2007]},{"type":"call","value":[1180,1852,1028,3483]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad":[{"type":"call","value":[1180,1852,236,1217]}],"Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad":[{"type":"call","value":[1180,1852,236,1217]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}":[{"type":"call","value":[1180,1852,236,1352]},{"type":"call","value":[1180,1852,236,1218]},{"type":"call","value":[1180,1852,236,1359]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork":[{"type":"call","value":[1180,1852,236,1472]},{"type":"call","value":[1180,1852,236,1219]},{"type":"call","value":[1180,1852,236,1220]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType":[{"type":"call","value":[1180,1852,236,1221]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecisionReason":[{"type":"call","value":[1180,1852,236,1354]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecisionTime":[{"type":"call","value":[1180,1852,236,1355]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadDecision":[{"type":"call","value":[1180,1852,236,1356]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\WpadNetworkName":[{"type":"call","value":[1180,1852,236,1357]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E529480E-F7A1-4923-843A-F7D2F243A5B1}\\be-56-7b-0a-70-d1":[{"type":"call","value":[1180,1852,236,1360]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1":[{"type":"call","value":[1180,1852,236,1362]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecisionReason":[{"type":"call","value":[1180,1852,236,1363]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecisionTime":[{"type":"call","value":[1180,1852,236,1364]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\be-56-7b-0a-70-d1\\WpadDecision":[{"type":"call","value":[1180,1852,236,1365]}],"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders":[{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1438]}],"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders":[{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1438]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData":[{"type":"call","value":[1180,1852,236,1448]},{"type":"call","value":[1180,1852,236,1431]},{"type":"call","value":[1180,1852,236,1405]},{"type":"call","value":[1180,1852,236,1440]},{"type":"call","value":[1180,1852,236,1430]},{"type":"call","value":[1180,1852,236,1404]},{"type":"call","value":[1180,1852,236,1449]},{"type":"call","value":[1180,1852,236,1439]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections":[{"type":"call","value":[1180,1852,236,1464]},{"type":"call","value":[1180,1852,236,1467]}],"Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections":[{"type":"call","value":[1180,1852,236,1464]},{"type":"call","value":[1180,1852,236,1467]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Connections\\DefaultConnectionSettings":[{"type":"call","value":[1180,1852,236,1470]},{"type":"call","value":[1180,1852,236,1465]},{"type":"call","value":[1180,1852,236,1466]}]}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/Run/i"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,947]},{"type":"call","value":[1180,1852,1028,4875]},{"type":"call","value":[1180,1852,2828,4347]},{"type":"call","value":[1180,1852,1028,3483]},{"type":"call","value":[1180,1852,2828,4346]},{"type":"call","value":[1180,1852,1028,2007]},{"type":"call","value":[1180,1852,1028,946]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,2828,4432]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,2828,4431]}],"captures":{"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,1028,946]}],"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":[{"type":"call","value":[1180,1852,1028,2005]},{"type":"call","value":[1180,1852,1028,3481]},{"type":"call","value":[1180,1852,1028,939]},{"type":"call","value":[1180,1852,1028,4873]},{"type":"call","value":[1180,1852,1028,946]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\yfeaxxbea":[{"type":"call","value":[1180,1852,1028,947]},{"type":"call","value":[1180,1852,1028,4875]},{"type":"call","value":[1180,1852,1028,2007]},{"type":"call","value":[1180,1852,1028,3483]}],"VCRUNTIME140.dll":[{"type":"call","value":[1180,1852,2828,4346]},{"type":"call","value":[1180,1852,2828,4431]}],"api-ms-win-crt-runtime-l1-1-0.dll":[{"type":
"call","value":[1180,1852,2828,4347]},{"type":"call","value":[1180,1852,2828,4432]}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Explorer\\\\Shell Folders/i"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/User Shell Folders/i"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1448]},{"type":"call","value":[1180,1852,236,1438]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1431]},{"type":"call","value":[1180,1852,236,1405]},{"type":"call","value":[1180,1852,236,1440]},{"type":"call","value":[1180,1852,236,1430]},{"type":"call","value":[1180,1852,236,1404]},{"type":"call","value":[1180,1852,236,1449]},{"type":"call","value":[1180,1852,236,1439]}],"captures":{"HKEY_USERS\\S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders":[{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1438]}],"S-1-5-21-2237850072-885592287-911325625-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders":[{"type":"call","value":[1180,1852,236,1429]},{"type":"call","value":[1180,1852,236,1447]},{"type":"call","value":[1180,1852,236,1403]},{"type":"call","value":[1180,1852,236,1438]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell 
Folders\\AppData":[{"type":"call","value":[1180,1852,236,1448]},{"type":"call","value":[1180,1852,236,1431]},{"type":"call","value":[1180,1852,236,1405]},{"type":"call","value":[1180,1852,236,1440]},{"type":"call","value":[1180,1852,236,1430]},{"type":"call","value":[1180,1852,236,1404]},{"type":"call","value":[1180,1852,236,1449]},{"type":"call","value":[1180,1852,236,1439]}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/RunServices/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Policies\\\\Explorer\\\\Run/i"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\load/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute/i"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"resolve DNS":{"meta":{"name":"resolve DNS","namespace":"communication/dns","authors":["william.ballenthin@mandiant.com","johnk3r","joakim@intezer.com","michael.hunhoff@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[{"parts":["Communication","DNS Communication","Resolve"],"objective":"Communication","behavior":"DNS Communication","method":"Resolve","id":"C0011.001"}],"references":[],"examples":["17264e3126a97c319a6a0c61e6da951e:0x5FDC25D0"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: resolve DNS\n namespace: communication/dns\n authors:\n - william.ballenthin@mandiant.com\n - johnk3r\n - joakim@intezer.com\n - michael.hunhoff@mandiant.com\n scopes:\n static: function\n dynamic: process\n mbc:\n - 
Communication::DNS Communication::Resolve [C0011.001]\n examples:\n - 17264e3126a97c319a6a0c61e6da951e:0x5FDC25D0\n features:\n - or:\n - api: ws2_32.gethostbyname\n - api: DnsQuery_A\n - api: DnsQuery_W\n - api: DnsQuery_UTF8\n - api: DnsQueryEx\n - api: getaddrinfo\n - api: GetAddrInfo\n - api: GetAddrInfoEx\n - api: gethostbyname\n - api: getaddrinfo\n - api: getnameinfo\n - api: gethostent\n - api: System.Net.Dns::GetHostAddresses\n","matches":[[{"type":"process","value":[2852,2900]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.gethostbyname"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_A"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_W"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_UTF8"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQueryEx"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"getaddrinfo"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,23]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetAddrInfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetAddrInfoEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"gethostbyname"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"getaddrinfo"}},"children":[],"locations":[{"type":"call","value":[2852,2900,2904,23]}],"captures":{}},{"success
":false,"node":{"type":"feature","feature":{"type":"api","api":"getnameinfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"gethostent"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.Net.Dns::GetHostAddresses"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.gethostbyname"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_A"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_W"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQuery_UTF8"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"DnsQueryEx"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"getaddrinfo"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1103]},{"type":"call","value":[1180,1852,236,1101]},{"type":"call","value":[1180,1852,2784,1342]},{"type":"call","value":[1180,1852,236,1462]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetAddrInfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetAddrInfoEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"gethostbyname"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"
api","api":"getaddrinfo"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1103]},{"type":"call","value":[1180,1852,236,1101]},{"type":"call","value":[1180,1852,2784,1342]},{"type":"call","value":[1180,1852,236,1462]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"getnameinfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"gethostent"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"System.Net.Dns::GetHostAddresses"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"get hostname":{"meta":{"name":"get hostname","namespace":"host-interaction/os/hostname","authors":["moritz.raabe@mandiant.com","joakim@intezer.com","anushka.virgaonkar@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Discovery","System Information Discovery"],"tactic":"Discovery","technique":"System Information Discovery","subtechnique":"","id":"T1082"}],"mbc":[{"parts":["Discovery","System Information Discovery"],"objective":"Discovery","behavior":"System Information Discovery","method":"","id":"E1082"}],"references":[],"examples":["9324D1A8AE37A36AE560C37448C9705A:0x4052A0","7351f8a40c5450557b24622417fc478d:0x405438"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: get hostname\n namespace: host-interaction/os/hostname\n authors:\n - moritz.raabe@mandiant.com\n - joakim@intezer.com\n - anushka.virgaonkar@mandiant.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Discovery::System Information Discovery [T1082]\n mbc:\n - Discovery::System Information Discovery [E1082]\n examples:\n - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0\n - 7351f8a40c5450557b24622417fc478d:0x405438\n features:\n - or:\n - api: kernel32.GetComputerName\n - api: kernel32.GetComputerNameEx\n - api: 
GetComputerObjectName\n - api: ws2_32.gethostname\n - api: gethostname\n - property/read: System.Environment::MachineName\n","matches":[[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetComputerName"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"kernel32.GetComputerNameEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetComputerObjectName"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ws2_32.gethostname"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"gethostname"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1099]},{"type":"call","value":[1180,1852,236,1461]},{"type":"call","value":[1180,1852,236,1102]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"property","access":"read","property":"System.Environment::MachineName"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"get local IPv4 addresses":{"meta":{"name":"get local IPv4 addresses","namespace":"host-interaction/network/address","authors":["moritz.raabe@mandiant.com","joakim@intezer.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Discovery","System Network Configuration Discovery"],"tactic":"Discovery","technique":"System Network Configuration Discovery","subtechnique":"","id":"T1016"}],"mbc":[],"references":[],"examples":["Practical Malware Analysis Lab 05-01.dll_:0x100037e6","4C0553285D724DCAF5909924B4E3E90A:0x402010"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: get local IPv4 addresses\n namespace: 
host-interaction/network/address\n authors:\n - moritz.raabe@mandiant.com\n - joakim@intezer.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Discovery::System Network Configuration Discovery [T1016]\n examples:\n - Practical Malware Analysis Lab 05-01.dll_:0x100037e6\n - 4C0553285D724DCAF5909924B4E3E90A:0x402010\n features:\n - or:\n - api: getsockname\n - and:\n - api: GetAdaptersInfo\n - offset: 0x1B0 = IP_ADAPTER_INFO.IpAddressList.IpAddress\n # loop feature?\n - and:\n - api: GetAdaptersAddresses\n - optional:\n - or:\n - number: 0 = AF_UNSPEC\n - number: 2 = AF_INET\n - number: 23 = AF_INET6\n","matches":[[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"getsockname"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"GetAdaptersInfo"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"offset","offset":432,"description":"IP_ADAPTER_INFO.IpAddressList.IpAddress"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"GetAdaptersAddresses"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1228]}],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"number","number":0,"description":"AF_UNSPEC"}},"children":[],"locations":[{"type":"call","value":[1180,1852,2596,4748]},{"type":"call","value":[1180,1852,764,577]},{"type":"call"
,"value":[1180,1852,2596,3436]},{"type":"call","value":[1180,1852,2596,3863]},{"type":"call","value":[1180,1852,1156,3712]},{"type":"call","value":[1180,1852,2596,2780]},{"type":"call","value":[1180,1852,2596,4766]},{"type":"call","value":[1180,1852,2596,3454]},{"type":"call","value":[1180,1852,2596,2798]},{"type":"call","value":[1180,1852,2596,4784]},{"type":"call","value":[1180,1852,2596,2389]},{"type":"call","value":[1180,1852,764,433]},{"type":"call","value":[1180,1852,2596,4622]},{"type":"call","value":[1180,1852,236,1158]},{"type":"call","value":[1180,1852,2596,2407]},{"type":"call","value":[1180,1852,764,451]},{"type":"call","value":[1180,1852,1400,2538]},{"type":"call","value":[1180,1852,2596,1095]},{"type":"call","value":[1180,1852,2596,4640]},{"type":"call","value":[1180,1852,2596,2425]},{"type":"call","value":[1180,1852,764,469]},{"type":"call","value":[1180,1852,1808,4033]},{"type":"call","value":[1180,1852,920,91]},{"type":"call","value":[1180,1852,2856,1030]},{"type":"call","value":[1180,1852,920,109]},{"type":"call","value":[1180,1852,2596,2263]},{"type":"call","value":[1180,1852,2856,3263]},{"type":"call","value":[1180,1852,2596,3593]},{"type":"call","value":[1180,1852,2856,1048]},{"type":"call","value":[1180,1852,764,554]},{"type":"call","value":[1180,1852,2596,295]},{"type":"call","value":[1180,1852,2832,4001]},{"type":"call","value":[1180,1852,1020,2657]},{"type":"call","value":[1180,1852,2596,4743]},{"type":"call","value":[1180,1852,2596,4087]},{"type":"call","value":[1180,1852,764,572]},{"type":"call","value":[1180,1852,1020,2904]},{"type":"call","value":[1180,1852,2596,4761]},{"type":"call","value":[1180,1852,1156,836]},{"type":"call","value":[1180,1852,2596,2119]},{"type":"call","value":[1180,1852,2596,4105]},{"type":"call","value":[1180,1852,764,590]},{"type":"call","value":[1180,1852,2832,986]},{"type":"call","value":[1180,1852,2596,2384]},{"type":"call","value":[1180,1852,2596,3943]},{"type":"call","value":[1180,1852,764,428]},{"type":"call
","value":[1180,1852,2596,1728]},{"type":"call","value":[1180,1852,2596,2402]},{"type":"call","value":[1180,1852,2596,3961]},{"type":"call","value":[1180,1852,764,446]},{"type":"call","value":[1180,1852,2596,1746]},{"type":"call","value":[1180,1852,920,68]},{"type":"call","value":[1180,1852,2596,3552]},{"type":"call","value":[1180,1852,920,86]},{"type":"call","value":[1180,1852,1020,3043]},{"type":"call","value":[1180,1852,2596,3570]},{"type":"call","value":[1180,1852,2856,1025]},{"type":"call","value":[1180,1852,1808,4046]},{"type":"call","value":[1180,1852,920,104]},{"type":"call","value":[1180,1852,2596,2258]},{"type":"call","value":[1180,1852,1020,3061]},{"type":"call","value":[1180,1852,2596,3588]},{"type":"call","value":[1180,1852,764,549]},{"type":"call","value":[1180,1852,2596,290]},{"type":"call","value":[1180,1852,2596,1849]},{"type":"call","value":[1180,1852,2596,2276]},{"type":"call","value":[1180,1852,764,320]},{"type":"call","value":[1180,1852,1156,3684]},{"type":"call","value":[1180,1852,1020,2652]},{"type":"call","value":[1180,1852,2596,4082]},{"type":"call","value":[1180,1852,764,567]},{"type":"call","value":[1180,1852,676,3340]},{"type":"call","value":[1180,1852,2596,2770]},{"type":"call","value":[1180,1852,2596,2114]},{"type":"call","value":[1180,1852,2596,4100]},{"type":"call","value":[1180,1852,1028,2006]},{"type":"call","value":[1180,1852,1020,2917]},{"type":"call","value":[1180,1852,2596,3444]},{"type":"call","value":[1180,1852,2596,2788]},{"type":"call","value":[1180,1852,1200,3793]},{"type":"call","value":[1180,1852,2596,2132]},{"type":"call","value":[1180,1852,2596,4594]},{"type":"call","value":[1180,1852,236,1130]},{"type":"call","value":[1180,1852,2596,2379]},{"type":"call","value":[1180,1852,764,423]},{"type":"call","value":[1180,1852,2596,1723]},{"type":"call","value":[1180,1852,2596,4612]},{"type":"call","value":[1180,1852,2596,3956]},{"type":"call","value":[1180,1852,764,441]},{"type":"call","value":[1180,1852,2596,1741]},{"type":"cal
l","value":[1180,1852,2596,3974]},{"type":"call","value":[1180,1852,2836,1068]},{"type":"call","value":[1180,1852,1020,3038]},{"type":"call","value":[1180,1852,1808,4041]},{"type":"call","value":[1180,1852,920,99]},{"type":"call","value":[1180,1852,764,297]},{"type":"call","value":[1180,1852,1020,3056]},{"type":"call","value":[1180,1852,1156,1873]},{"type":"call","value":[1180,1852,764,544]},{"type":"call","value":[1180,1852,2596,3403]},{"type":"call","value":[1180,1852,1156,3679]},{"type":"call","value":[1180,1852,1020,2647]},{"type":"call","value":[1180,1852,2596,2747]},{"type":"call","value":[1180,1852,2596,4733]},{"type":"call","value":[1180,1852,764,562]},{"type":"call","value":[1180,1852,1020,2665]},{"type":"call","value":[1180,1852,676,3335]},{"type":"call","value":[1180,1852,2596,2765]},{"type":"call","value":[1180,1852,2596,4751]},{"type":"call","value":[1180,1852,1156,826]},{"type":"call","value":[1180,1852,1020,2912]},{"type":"call","value":[1180,1852,676,3353]},{"type":"call","value":[1180,1852,2596,2783]},{"type":"call","value":[1180,1852,764,400]},{"type":"call","value":[1180,1852,1200,3788]},{"type":"call","value":[1180,1852,2596,4589]},{"type":"call","value":[1180,1852,764,418]},{"type":"call","value":[1180,1852,2596,4836]},{"type":"call","value":[1180,1852,2596,4607]},{"type":"call","value":[1180,1852,2596,2392]},{"type":"call","value":[1180,1852,764,436]},{"type":"call","value":[1180,1852,2596,1309]},{"type":"call","value":[1180,1852,2596,3542]},{"type":"call","value":[1180,1852,2596,3560]},{"type":"call","value":[1180,1852,1808,4036]},{"type":"call","value":[1180,1852,2596,2477]},{"type":"call","value":[1180,1852,764,521]},{"type":"call","value":[1180,1852,2596,262]},{"type":"call","value":[1180,1852,1020,3051]},{"type":"call","value":[1180,1852,764,539]},{"type":"call","value":[1180,1852,2596,280]},{"type":"call","value":[1180,1852,1020,2642]},{"type":"call","value":[1180,1852,2596,4072]},{"type":"call","value":[1180,1852,764,557]},{"type":"call"
,"value":[1180,1852,676,3330]},{"type":"call","value":[1180,1852,2596,2104]},{"type":"call","value":[1180,1852,1020,2907]},{"type":"call","value":[1180,1852,676,3348]},{"type":"call","value":[1180,1852,920,197]},{"type":"call","value":[1180,1852,2596,3910]},{"type":"call","value":[1180,1852,764,395]},{"type":"call","value":[1180,1852,2596,2122]},{"type":"call","value":[1180,1852,764,413]},{"type":"call","value":[1180,1852,1020,2745]},{"type":"call","value":[1180,1852,2596,3519]},{"type":"call","value":[1180,1852,2596,3946]},{"type":"call","value":[1180,1852,2596,1304]},{"type":"call","value":[1180,1852,2596,1731]},{"type":"call","value":[1180,1852,236,1385]},{"type":"call","value":[1180,1852,2656,2626]},{"type":"call","value":[1180,1852,2596,2207]},{"type":"call","value":[1180,1852,1020,3010]},{"type":"call","value":[1180,1852,2596,3537]},{"type":"call","value":[1180,1852,2832,1483]},{"type":"call","value":[1180,1852,920,71]},{"type":"call","value":[1180,1852,2596,2225]},{"type":"call","value":[1180,1852,2596,3555]},{"type":"call","value":[1180,1852,236,1223]},{"type":"call","value":[1180,1852,1808,4031]},{"type":"call","value":[1180,1852,764,516]},{"type":"call","value":[1180,1852,2596,257]},{"type":"call","value":[1180,1852,2596,1816]},{"type":"call","value":[1180,1852,2596,2243]},{"type":"call","value":[1180,1852,2832,3307]},{"type":"call","value":[1180,1852,764,534]},{"type":"call","value":[1180,1852,2596,275]},{"type":"call","value":[1180,1852,2596,3393]},{"type":"call","value":[1180,1852,2596,2081]},{"type":"call","value":[1180,1852,2596,4067]},{"type":"call","value":[1180,1852,764,552]},{"type":"call","value":[1180,1852,2596,3411]},{"type":"call","value":[1180,1852,1156,3687]},{"type":"call","value":[1180,1852,2596,2755]},{"type":"call","value":[1180,1852,676,3343]},{"type":"call","value":[1180,1852,2596,3905]},{"type":"call","value":[1180,1852,764,390]},{"type":"call","value":[1180,1852,2596,3923]},{"type":"call","value":[1180,1852,764,408]},{"type":"call","
value":[1180,1852,1020,2740]},{"type":"call","value":[1180,1852,2596,4826]},{"type":"call","value":[1180,1852,1156,901]},{"type":"call","value":[1180,1852,2596,4597]},{"type":"call","value":[1180,1852,2616,3992]},{"type":"call","value":[1180,1852,2208,1531]},{"type":"call","value":[1180,1852,920,66]},{"type":"call","value":[1180,1852,2596,234]},{"type":"call","value":[1180,1852,2596,4682]},{"type":"call","value":[1180,1852,1156,4958]},{"type":"call","value":[1180,1852,2596,2467]},{"type":"call","value":[1180,1852,236,1218]},{"type":"call","value":[1180,1852,1156,775]},{"type":"call","value":[1180,1852,2596,2485]},{"type":"call","value":[1180,1852,764,529]},{"type":"call","value":[1180,1852,2596,3388]},{"type":"call","value":[1180,1852,920,151]},{"type":"call","value":[1180,1852,2832,3796]},{"type":"call","value":[1180,1852,2596,3406]},{"type":"call","value":[1180,1852,2596,2750]},{"type":"call","value":[1180,1852,764,367]},{"type":"call","value":[1180,1852,236,1092]},{"type":"call","value":[1180,1852,676,3338]},{"type":"call","value":[1180,1852,764,385]},{"type":"call","value":[1180,1852,764,403]},{"type":"call","value":[1180,1852,1020,2735]},{"type":"call","value":[1180,1852,2596,4821]},{"type":"call","value":[1180,1852,1156,896]},{"type":"call","value":[1180,1852,2596,4165]},{"type":"call","value":[1180,1852,1020,2982]},{"type":"call","value":[1180,1852,2596,3509]},{"type":"call","value":[1180,1852,2596,1294]},{"type":"call","value":[1180,1852,2616,3987]},{"type":"call","value":[1180,1852,2596,4839]},{"type":"call","value":[1180,1852,1156,914]},{"type":"call","value":[1180,1852,2596,2197]},{"type":"call","value":[1180,1852,2596,4183]},{"type":"call","value":[1180,1852,236,1375]},{"type":"call","value":[1180,1852,2736,2372]},{"type":"call","value":[1180,1852,2596,3527]},{"type":"call","value":[1180,1852,2208,1526]},{"type":"call","value":[1180,1852,2596,1312]},{"type":"call","value":[1180,1852,2700,3826]},{"type":"call","value":[1180,1852,2596,2215]},{"type":"call"
,"value":[1180,1852,2700,3844]},{"type":"call","value":[1180,1852,2596,3118]},{"type":"call","value":[1180,1852,1156,4953]},{"type":"call","value":[1180,1852,2596,2462]},{"type":"call","value":[1180,1852,764,506]},{"type":"call","value":[1180,1852,2596,247]},{"type":"call","value":[1180,1852,2596,1806]},{"type":"call","value":[1180,1852,2832,3297]},{"type":"call","value":[1180,1852,1156,770]},{"type":"call","value":[1180,1852,2596,2053]},{"type":"call","value":[1180,1852,2596,2480]},{"type":"call","value":[1180,1852,2596,265]},{"type":"call","value":[1180,1852,2596,1824]},{"type":"call","value":[1180,1852,764,524]},{"type":"call","value":[1180,1852,2596,2071]},{"type":"call","value":[1180,1852,920,164]},{"type":"call","value":[1180,1852,764,362]},{"type":"call","value":[1180,1852,2596,2089]},{"type":"call","value":[1180,1852,236,1087]},{"type":"call","value":[1180,1852,676,3333]},{"type":"call","value":[1180,1852,2596,3895]},{"type":"call","value":[1180,1852,764,380]},{"type":"call","value":[1180,1852,2596,3913]},{"type":"call","value":[1180,1852,764,398]},{"type":"call","value":[1180,1852,2596,1271]},{"type":"call","value":[1180,1852,1156,891]},{"type":"call","value":[1180,1852,2596,4160]},{"type":"call","value":[1180,1852,2596,3504]},{"type":"call","value":[1180,1852,2596,1289]},{"type":"call","value":[1180,1852,2596,2848]},{"type":"call","value":[1180,1852,2596,2192]},{"type":"call","value":[1180,1852,2596,4178]},{"type":"call","value":[1180,1852,2596,3522]},{"type":"call","value":[1180,1852,2596,5081]},{"type":"call","value":[1180,1852,2596,1307]},{"type":"call","value":[1180,1852,2208,1521]},{"type":"call","value":[1180,1852,764,483]},{"type":"call","value":[1180,1852,1476,1663]},{"type":"call","value":[1180,1852,2596,2210]},{"type":"call","value":[1180,1852,2832,1944]},{"type":"call","value":[1180,1852,968,3034]},{"type":"call","value":[1180,1852,2700,3839]},{"type":"call","value":[1180,1852,2596,4672]},{"type":"call","value":[1180,1852,1476,1681]},{"type":"ca
ll","value":[1180,1852,2596,242]},{"type":"call","value":[1180,1852,2596,1801]},{"type":"call","value":[1180,1852,2596,4690]},{"type":"call","value":[1180,1852,1156,4966]},{"type":"call","value":[1180,1852,2596,2048]},{"type":"call","value":[1180,1852,764,519]},{"type":"call","value":[1180,1852,1156,765]},{"type":"call","value":[1180,1852,2596,1819]},{"type":"call","value":[1180,1852,2596,3378]},{"type":"call","value":[1180,1852,236,1226]},{"type":"call","value":[1180,1852,920,141]},{"type":"call","value":[1180,1852,1156,783]},{"type":"call","value":[1180,1852,2596,2066]},{"type":"call","value":[1180,1852,920,159]},{"type":"call","value":[1180,1852,2596,3872]},{"type":"call","value":[1180,1852,1400,4906]},{"type":"call","value":[1180,1852,2596,3890]},{"type":"call","value":[1180,1852,764,375]},{"type":"call","value":[1180,1852,2596,4793]},{"type":"call","value":[1180,1852,2596,3908]},{"type":"call","value":[1180,1852,920,15]},{"type":"call","value":[1180,1852,1020,2972]},{"type":"call","value":[1180,1852,2596,3499]},{"type":"call","value":[1180,1852,2616,1991]},{"type":"call","value":[1180,1852,1400,2547]},{"type":"call","value":[1180,1852,2596,2843]},{"type":"call","value":[1180,1852,2596,4829]},{"type":"call","value":[1180,1852,1156,904]},{"type":"call","value":[1180,1852,1020,2743]},{"type":"call","value":[1180,1852,2208,1516]},{"type":"call","value":[1180,1852,2596,2434]},{"type":"call","value":[1180,1852,2596,2861]},{"type":"call","value":[1180,1852,764,478]},{"type":"call","value":[1180,1852,1876,3172]},{"type":"call","value":[1180,1852,2700,3834]},{"type":"call","value":[1180,1852,2208,1534]},{"type":"call","value":[1180,1852,1156,742]},{"type":"call","value":[1180,1852,2596,2452]},{"type":"call","value":[1180,1852,2596,4685]},{"type":"call","value":[1180,1852,1156,4961]},{"type":"call","value":[1180,1852,2596,2470]},{"type":"call","value":[1180,1852,2596,3602]},{"type":"call","value":[1180,1852,764,514]},{"type":"call","value":[1180,1852,1156,760]},{"type":"
call","value":[1180,1852,2596,3373]},{"type":"call","value":[1180,1852,920,136]},{"type":"call","value":[1180,1852,1020,3093]},{"type":"call","value":[1180,1852,920,154]},{"type":"call","value":[1180,1852,764,352]},{"type":"call","value":[1180,1852,1400,4901]},{"type":"call","value":[1180,1852,1156,2602]},{"type":"call","value":[1180,1852,764,370]},{"type":"call","value":[1180,1852,2596,4788]},{"type":"call","value":[1180,1852,2596,3476]},{"type":"call","value":[1180,1852,1020,2720]},{"type":"call","value":[1180,1852,2596,4806]},{"type":"call","value":[1180,1852,2596,4150]},{"type":"call","value":[1180,1852,1020,2967]},{"type":"call","value":[1180,1852,2616,1986]},{"type":"call","value":[1180,1852,1400,2542]},{"type":"call","value":[1180,1852,920,28]},{"type":"call","value":[1180,1852,2596,2182]},{"type":"call","value":[1180,1852,1156,899]},{"type":"call","value":[1180,1852,2596,2429]},{"type":"call","value":[1180,1852,764,473]},{"type":"call","value":[1180,1852,1876,3167]},{"type":"call","value":[1180,1852,2596,1773]},{"type":"call","value":[1180,1852,2596,2200]},{"type":"call","value":[1180,1852,2700,3829]},{"type":"call","value":[1180,1852,2596,232]},{"type":"call","value":[1180,1852,2596,1791]},{"type":"call","value":[1180,1852,920,113]},{"type":"call","value":[1180,1852,1156,755]},{"type":"call","value":[1180,1852,2596,2038]},{"type":"call","value":[1180,1852,2596,3597]},{"type":"call","value":[1180,1852,920,131]},{"type":"call","value":[1180,1852,2596,2285]},{"type":"call","value":[1180,1852,2596,2056]},{"type":"call","value":[1180,1852,920,149]},{"type":"call","value":[1180,1852,2596,3862]},{"type":"call","value":[1180,1852,764,594]},{"type":"call","value":[1180,1852,2828,4241]},{"type":"call","value":[1180,1852,2596,3880]},{"type":"call","value":[1180,1852,764,365]},{"type":"call","value":[1180,1852,2596,4127]},{"type":"call","value":[1180,1852,1020,2715]},{"type":"call","value":[1180,1852,1020,2962]},{"type":"call","value":[1180,1852,2616,1981]},{"type":"ca
ll","value":[1180,1852,1400,2537]},{"type":"call","value":[1180,1852,2596,2833]},{"type":"call","value":[1180,1852,2596,2177]},{"type":"call","value":[1180,1852,1020,2980]},{"type":"call","value":[1180,1852,2596,4639]},{"type":"call","value":[1180,1852,1476,1648]},{"type":"call","value":[1180,1852,1876,3162]},{"type":"call","value":[1180,1852,2596,1768]},{"type":"call","value":[1180,1852,2856,1029]},{"type":"call","value":[1180,1852,920,108]},{"type":"call","value":[1180,1852,764,733]},{"type":"call","value":[1180,1852,1156,750]},{"type":"call","value":[1180,1852,2596,2033]},{"type":"call","value":[1180,1852,2596,3363]},{"type":"call","value":[1180,1852,236,1458]},{"type":"call","value":[1180,1852,920,126]},{"type":"call","value":[1180,1852,2832,4000]},{"type":"call","value":[1180,1852,2596,2051]},{"type":"call","value":[1180,1852,920,144]},{"type":"call","value":[1180,1852,2596,4760]},{"type":"call","value":[1180,1852,764,589]},{"type":"call","value":[1180,1852,2596,3448]},{"type":"call","value":[1180,1852,2596,3875]},{"type":"call","value":[1180,1852,764,360]},{"type":"call","value":[1180,1852,2596,2792]},{"type":"call","value":[1180,1852,2596,4778]},{"type":"call","value":[1180,1852,2596,3466]},{"type":"call","value":[1180,1852,2596,2810]},{"type":"call","value":[1180,1852,1020,2957]},{"type":"call","value":[1180,1852,2616,1976]},{"type":"call","value":[1180,1852,1400,2532]},{"type":"call","value":[1180,1852,2596,2401]},{"type":"call","value":[1180,1852,764,445]},{"type":"call","value":[1180,1852,2596,2172]},{"type":"call","value":[1180,1852,2596,4634]},{"type":"call","value":[1180,1852,236,1170]},{"type":"call","value":[1180,1852,2596,2419]},{"type":"call","value":[1180,1852,764,463]},{"type":"call","value":[1180,1852,1876,3157]},{"type":"call","value":[1180,1852,2596,4652]},{"type":"call","value":[1180,1852,764,481]},{"type":"call","value":[1180,1852,2832,1942]},{"type":"call","value":[1180,1852,1808,4045]},{"type":"call","value":[1180,1852,920,103]},{"type":"c
all","value":[1180,1852,1020,3060]},{"type":"call","value":[1180,1852,1156,745]},{"type":"call","value":[1180,1852,2596,3587]},{"type":"call","value":[1180,1852,2856,1042]},{"type":"call","value":[1180,1852,920,121]},{"type":"call","value":[1180,1852,2596,2275]},{"type":"call","value":[1180,1852,2596,3605]},{"type":"call","value":[1180,1852,764,566]},{"type":"call","value":[1180,1852,1020,2669]},{"type":"call","value":[1180,1852,1020,3096]},{"type":"call","value":[1180,1852,2596,4755]},{"type":"call","value":[1180,1852,2596,4099]},{"type":"call","value":[1180,1852,2596,4773]},{"type":"call","value":[1180,1852,2596,4117]},{"type":"call","value":[1180,1852,2596,1246]},{"type":"call","value":[1180,1852,1156,866]},{"type":"call","value":[1180,1852,236,1147]},{"type":"call","value":[1180,1852,2832,998]},{"type":"call","value":[1180,1852,2596,2396]},{"type":"call","value":[1180,1852,2596,3955]},{"type":"call","value":[1180,1852,764,440]},{"type":"call","value":[1180,1852,2596,1740]},{"type":"call","value":[1180,1852,2596,2414]},{"type":"call","value":[1180,1852,764,458]},{"type":"call","value":[1180,1852,2596,1758]},{"type":"call","value":[1180,1852,1808,4040]},{"type":"call","value":[1180,1852,920,98]},{"type":"call","value":[1180,1852,764,296]},{"type":"call","value":[1180,1852,2596,2023]},{"type":"call","value":[1180,1852,2596,3582]},{"type":"call","value":[1180,1852,2856,1037]},{"type":"call","value":[1180,1852,920,116]},{"type":"call","value":[1180,1852,2596,2270]},{"type":"call","value":[1180,1852,2596,3600]},{"type":"call","value":[1180,1852,764,561]},{"type":"call","value":[1180,1852,1156,2564]},{"type":"call","value":[1180,1852,764,332]},{"type":"call","value":[1180,1852,1020,2664]},{"type":"call","value":[1180,1852,1156,5026]},{"type":"call","value":[1180,1852,2596,4094]},{"type":"call","value":[1180,1852,1020,2911]},{"type":"call","value":[1180,1852,2596,3865]},{"type":"call","value":[1180,1852,2596,2782]},{"type":"call","value":[1180,1852,2596,3209]},{"type":"
call","value":[1180,1852,2596,2126]},{"type":"call","value":[1180,1852,2596,4112]},{"type":"call","value":[1180,1852,2596,3456]},{"type":"call","value":[1180,1852,2596,2800]},{"type":"call","value":[1180,1852,2596,4606]},{"type":"call","value":[1180,1852,236,1142]},{"type":"call","value":[1180,1852,2596,3950]},{"type":"call","value":[1180,1852,2596,176]},{"type":"call","value":[1180,1852,2596,1735]},{"type":"call","value":[1180,1852,764,435]},{"type":"call","value":[1180,1852,236,1389]},{"type":"call","value":[1180,1852,2596,4624]},{"type":"call","value":[1180,1852,236,1160]},{"type":"call","value":[1180,1852,2596,3968]},{"type":"call","value":[1180,1852,764,453]},{"type":"call","value":[1180,1852,2596,1753]},{"type":"call","value":[1180,1852,920,75]},{"type":"call","value":[1180,1852,2596,4642]},{"type":"call","value":[1180,1852,2284,4920]},{"type":"call","value":[1180,1852,1808,4035]},{"type":"call","value":[1180,1852,920,93]},{"type":"call","value":[1180,1852,1020,3050]},{"type":"call","value":[1180,1852,2596,2018]},{"type":"call","value":[1180,1852,2856,1032]},{"type":"call","value":[1180,1852,920,111]},{"type":"call","value":[1180,1852,1020,3068]},{"type":"call","value":[1180,1852,764,556]},{"type":"call","value":[1180,1852,1020,2659]},{"type":"call","value":[1180,1852,2596,4745]},{"type":"call","value":[1180,1852,764,574]},{"type":"call","value":[1180,1852,1020,2906]},{"type":"call","value":[1180,1852,2596,3433]},{"type":"call","value":[1180,1852,920,196]},{"type":"call","value":[1180,1852,2596,2777]},{"type":"call","value":[1180,1852,2596,4763]},{"type":"call","value":[1180,1852,1156,838]},{"type":"call","value":[1180,1852,2596,3451]},{"type":"call","value":[1180,1852,2596,2795]},{"type":"call","value":[1180,1852,764,412]},{"type":"call","value":[1180,1852,2596,4601]},{"type":"call","value":[1180,1852,2596,2386]},{"type":"call","value":[1180,1852,764,430]},{"type":"call","value":[1180,1852,2596,171]},{"type":"call","value":[1180,1852,2596,4619]},{"type":"call
","value":[1180,1852,2596,2404]},{"type":"call","value":[1180,1852,764,448]},{"type":"call","value":[1180,1852,2832,1482]},{"type":"call","value":[1180,1852,920,70]},{"type":"call","value":[1180,1852,2596,3554]},{"type":"call","value":[1180,1852,1808,4030]},{"type":"call","value":[1180,1852,920,88]},{"type":"call","value":[1180,1852,2596,2242]},{"type":"call","value":[1180,1852,2596,3572]},{"type":"call","value":[1180,1852,2856,1027]},{"type":"call","value":[1180,1852,1808,4048]},{"type":"call","value":[1180,1852,2596,274]},{"type":"call","value":[1180,1852,2596,2260]},{"type":"call","value":[1180,1852,1020,2636]},{"type":"call","value":[1180,1852,2596,4066]},{"type":"call","value":[1180,1852,2596,292]},{"type":"call","value":[1180,1852,2596,1851]},{"type":"call","value":[1180,1852,764,551]},{"type":"call","value":[1180,1852,1156,3686]},{"type":"call","value":[1180,1852,2596,4740]},{"type":"call","value":[1180,1852,2596,4084]},{"type":"call","value":[1180,1852,764,569]},{"type":"call","value":[1180,1852,1020,2672]},{"type":"call","value":[1180,1852,676,3342]},{"type":"call","value":[1180,1852,2596,4758]},{"type":"call","value":[1180,1852,2596,2116]},{"type":"call","value":[1180,1852,2596,4102]},{"type":"call","value":[1180,1852,1020,2919]},{"type":"call","value":[1180,1852,2832,965]},{"type":"call","value":[1180,1852,764,407]},{"type":"call","value":[1180,1852,2596,2381]},{"type":"call","value":[1180,1852,764,425]},{"type":"call","value":[1180,1852,2596,1725]},{"type":"call","value":[1180,1852,2596,2399]},{"type":"call","value":[1180,1852,2596,3531]},{"type":"call","value":[1180,1852,2596,3958]},{"type":"call","value":[1180,1852,2596,1743]},{"type":"call","value":[1180,1852,764,443]},{"type":"call","value":[1180,1852,2596,4861]},{"type":"call","value":[1180,1852,920,65]},{"type":"call","value":[1180,1852,2596,3549]},{"type":"call","value":[1180,1852,2596,1334]},{"type":"call","value":[1180,1852,920,83]},{"type":"call","value":[1180,1852,2836,1070]},{"type":"call","v
alue":[1180,1852,1020,3040]},{"type":"call","value":[1180,1852,2856,1022]},{"type":"call","value":[1180,1852,1808,4043]},{"type":"call","value":[1180,1852,764,528]},{"type":"call","value":[1180,1852,2596,269]},{"type":"call","value":[1180,1852,2596,2255]},{"type":"call","value":[1180,1852,1020,3058]},{"type":"call","value":[1180,1852,764,546]},{"type":"call","value":[1180,1852,2596,287]},{"type":"call","value":[1180,1852,236,2156]},{"type":"call","value":[1180,1852,2596,3405]},{"type":"call","value":[1180,1852,1156,3681]},{"type":"call","value":[1180,1852,1020,2649]},{"type":"call","value":[1180,1852,2596,2749]},{"type":"call","value":[1180,1852,1156,810]},{"type":"call","value":[1180,1852,2596,2093]},{"type":"call","value":[1180,1852,2596,4079]},{"type":"call","value":[1180,1852,764,564]},{"type":"call","value":[1180,1852,2596,1864]},{"type":"call","value":[1180,1852,2596,3423]},{"type":"call","value":[1180,1852,676,3337]},{"type":"call","value":[1180,1852,2596,2767]},{"type":"call","value":[1180,1852,1028,4874]},{"type":"call","value":[1180,1852,1156,828]},{"type":"call","value":[1180,1852,2596,2111]},{"type":"call","value":[1180,1852,1020,2914]},{"type":"call","value":[1180,1852,2596,2785]},{"type":"call","value":[1180,1852,2596,3917]},{"type":"call","value":[1180,1852,764,402]},{"type":"call","value":[1180,1852,2596,4591]},{"type":"call","value":[1180,1852,2596,3935]},{"type":"call","value":[1180,1852,764,420]},{"type":"call","value":[1180,1852,2596,1720]},{"type":"call","value":[1180,1852,2596,4838]},{"type":"call","value":[1180,1852,920,42]},{"type":"call","value":[1180,1852,2596,4609]},{"type":"call","value":[1180,1852,2596,3953]},{"type":"call","value":[1180,1852,1732,5020]},{"type":"call","value":[1180,1852,2832,3296]},{"type":"call","value":[1180,1852,1476,1703]},{"type":"call","value":[1180,1852,1808,4038]},{"type":"call","value":[1180,1852,2596,2479]},{"type":"call","value":[1180,1852,764,523]},{"type":"call","value":[1180,1852,1156,1870]},{"type":"call"
,"value":[1180,1852,764,541]},{"type":"call","value":[1180,1852,2596,3400]},{"type":"call","value":[1180,1852,1020,2644]},{"type":"call","value":[1180,1852,764,559]},{"type":"call","value":[1180,1852,2596,3418]},{"type":"call","value":[1180,1852,676,3332]},{"type":"call","value":[1180,1852,2596,2762]},{"type":"call","value":[1180,1852,1020,2909]},{"type":"call","value":[1180,1852,236,1104]},{"type":"call","value":[1180,1852,920,199]},{"type":"call","value":[1180,1852,764,397]},{"type":"call","value":[1180,1852,236,1351]},{"type":"call","value":[1180,1852,764,415]},{"type":"call","value":[1180,1852,2596,1288]},{"type":"call","value":[1180,1852,2596,1715]},{"type":"call","value":[1180,1852,2596,4833]},{"type":"call","value":[1180,1852,920,37]},{"type":"call","value":[1180,1852,236,1369]},{"type":"call","value":[1180,1852,2596,4604]},{"type":"call","value":[1180,1852,2596,3521]},{"type":"call","value":[1180,1852,2596,1306]},{"type":"call","value":[1180,1852,2596,2209]},{"type":"call","value":[1180,1852,2596,3539]},{"type":"call","value":[1180,1852,1732,5015]},{"type":"call","value":[1180,1852,2596,241]},{"type":"call","value":[1180,1852,2596,2227]},{"type":"call","value":[1180,1852,2596,1571]},{"type":"call","value":[1180,1852,236,1225]},{"type":"call","value":[1180,1852,2596,2474]},{"type":"call","value":[1180,1852,764,518]},{"type":"call","value":[1180,1852,2596,259]},{"type":"call","value":[1180,1852,2596,1818]},{"type":"call","value":[1180,1852,2596,2245]},{"type":"call","value":[1180,1852,2596,2492]},{"type":"call","value":[1180,1852,764,536]},{"type":"call","value":[1180,1852,2596,277]},{"type":"call","value":[1180,1852,920,158]},{"type":"call","value":[1180,1852,2596,4069]},{"type":"call","value":[1180,1852,676,3327]},{"type":"call","value":[1180,1852,764,374]},{"type":"call","value":[1180,1852,2596,2101]},{"type":"call","value":[1180,1852,676,3345]},{"type":"call","value":[1180,1852,2596,3907]},{"type":"call","value":[1180,1852,764,392]},{"type":"call","value":
[1180,1852,764,410]},{"type":"call","value":[1180,1852,1020,2742]},{"type":"call","value":[1180,1852,920,32]},{"type":"call","value":[1180,1852,1156,903]},{"type":"call","value":[1180,1852,2596,4172]},{"type":"call","value":[1180,1852,2596,3516]},{"type":"call","value":[1180,1852,2596,1301]},{"type":"call","value":[1180,1852,2596,4846]},{"type":"call","value":[1180,1852,920,50]},{"type":"call","value":[1180,1852,2596,2204]},{"type":"call","value":[1180,1852,236,1382]},{"type":"call","value":[1180,1852,1020,3007]},{"type":"call","value":[1180,1852,2700,3833]},{"type":"call","value":[1180,1852,2596,3534]},{"type":"call","value":[1180,1852,2208,1533]},{"type":"call","value":[1180,1852,2596,236]},{"type":"call","value":[1180,1852,2596,2222]},{"type":"call","value":[1180,1852,2596,4684]},{"type":"call","value":[1180,1852,1156,759]},{"type":"call","value":[1180,1852,2596,254]},{"type":"call","value":[1180,1852,2596,1813]},{"type":"call","value":[1180,1852,2596,3372]},{"type":"call","value":[1180,1852,2596,2060]},{"type":"call","value":[1180,1852,764,531]},{"type":"call","value":[1180,1852,2596,272]},{"type":"call","value":[1180,1852,2596,1831]},{"type":"call","value":[1180,1852,2596,3390]},{"type":"call","value":[1180,1852,920,153]},{"type":"call","value":[1180,1852,2596,4064]},{"type":"call","value":[1180,1852,2832,3798]},{"type":"call","value":[1180,1852,2596,3408]},{"type":"call","value":[1180,1852,2596,2752]},{"type":"call","value":[1180,1852,764,369]},{"type":"call","value":[1180,1852,2596,3902]},{"type":"call","value":[1180,1852,764,387]},{"type":"call","value":[1180,1852,2596,4805]},{"type":"call","value":[1180,1852,764,405]},{"type":"call","value":[1180,1852,1020,2737]},{"type":"call","value":[1180,1852,968,3005]},{"type":"call","value":[1180,1852,2596,2837]},{"type":"call","value":[1180,1852,2596,4823]},{"type":"call","value":[1180,1852,920,27]},{"type":"call","value":[1180,1852,1156,898]},{"type":"call","value":[1180,1852,2596,2855]},{"type":"call","value":[1180
,1852,920,45]},{"type":"call","value":[1180,1852,2596,640]},{"type":"call","value":[1180,1852,1156,916]},{"type":"call","value":[1180,1852,2700,3828]},{"type":"call","value":[1180,1852,2208,1528]},{"type":"call","value":[1180,1852,1476,1670]},{"type":"call","value":[1180,1852,1876,3184]},{"type":"call","value":[1180,1852,2596,4679]},{"type":"call","value":[1180,1852,1156,754]},{"type":"call","value":[1180,1852,2596,2464]},{"type":"call","value":[1180,1852,236,1215]},{"type":"call","value":[1180,1852,2596,3367]},{"type":"call","value":[1180,1852,2596,4697]},{"type":"call","value":[1180,1852,1156,772]},{"type":"call","value":[1180,1852,2596,2482]},{"type":"call","value":[1180,1852,764,526]},{"type":"call","value":[1180,1852,2596,3385]},{"type":"call","value":[1180,1852,920,148]},{"type":"call","value":[1180,1852,1156,2578]},{"type":"call","value":[1180,1852,1156,790]},{"type":"call","value":[1180,1852,920,166]},{"type":"call","value":[1180,1852,236,1089]},{"type":"call","value":[1180,1852,2832,2499]},{"type":"call","value":[1180,1852,764,382]},{"type":"call","value":[1180,1852,1020,2714]},{"type":"call","value":[1180,1852,1200,3770]},{"type":"call","value":[1180,1852,1020,2732]},{"type":"call","value":[1180,1852,2616,1980]},{"type":"call","value":[1180,1852,2596,4818]},{"type":"call","value":[1180,1852,920,22]},{"type":"call","value":[1180,1852,2596,2176]},{"type":"call","value":[1180,1852,2596,4162]},{"type":"call","value":[1180,1852,1156,893]},{"type":"call","value":[1180,1852,2596,3506]},{"type":"call","value":[1180,1852,2596,1291]},{"type":"call","value":[1180,1852,2596,2194]},{"type":"call","value":[1180,1852,2596,3524]},{"type":"call","value":[1180,1852,2208,1523]},{"type":"call","value":[1180,1852,2596,2441]},{"type":"call","value":[1180,1852,1876,3179]},{"type":"call","value":[1180,1852,2596,2212]},{"type":"call","value":[1180,1852,2700,3841]},{"type":"call","value":[1180,1852,2596,1556]},{"type":"call","value":[1180,1852,2596,3115]},{"type":"call","value":[11
80,1852,2596,244]},{"type":"call","value":[1180,1852,2596,1803]},{"type":"call","value":[1180,1852,2596,3362]},{"type":"call","value":[1180,1852,1028,3483]},{"type":"call","value":[1180,1852,1156,767]},{"type":"call","value":[1180,1852,2596,2050]},{"type":"call","value":[1180,1852,2596,1821]},{"type":"call","value":[1180,1852,1156,2573]},{"type":"call","value":[1180,1852,1020,3100]},{"type":"call","value":[1180,1852,2596,2068]},{"type":"call","value":[1180,1852,920,161]},{"type":"call","value":[1180,1852,2596,3874]},{"type":"call","value":[1180,1852,764,359]},{"type":"call","value":[1180,1852,2596,3892]},{"type":"call","value":[1180,1852,764,377]},{"type":"call","value":[1180,1852,2596,1250]},{"type":"call","value":[1180,1852,2596,4139]},{"type":"call","value":[1180,1852,2616,1975]},{"type":"call","value":[1180,1852,236,1349]},{"type":"call","value":[1180,1852,1156,888]},{"type":"call","value":[1180,1852,2596,2171]},{"type":"call","value":[1180,1852,2596,4157]},{"type":"call","value":[1180,1852,1020,2974]},{"type":"call","value":[1180,1852,2596,3501]},{"type":"call","value":[1180,1852,2596,2845]},{"type":"call","value":[1180,1852,1156,906]},{"type":"call","value":[1180,1852,2596,2189]},{"type":"call","value":[1180,1852,1876,3156]},{"type":"call","value":[1180,1852,2596,4651]},{"type":"call","value":[1180,1852,2208,1518]},{"type":"call","value":[1180,1852,764,480]},{"type":"call","value":[1180,1852,2596,221]},{"type":"call","value":[1180,1852,2596,1780]},{"type":"call","value":[1180,1852,1876,3174]},{"type":"call","value":[1180,1852,2700,3836]},{"type":"call","value":[1180,1852,2596,2027]},{"type":"call","value":[1180,1852,2596,239]},{"type":"call","value":[1180,1852,920,120]},{"type":"call","value":[1180,1852,2596,4687]},{"type":"call","value":[1180,1852,1156,762]},{"type":"call","value":[1180,1852,2596,2045]},{"type":"call","value":[1180,1852,2596,3375]},{"type":"call","value":[1180,1852,920,138]},{"type":"call","value":[1180,1852,1156,2568]},{"type":"call","value"
:[1180,1852,764,336]},{"type":"call","value":[1180,1852,1020,3095]},{"type":"call","value":[1180,1852,2596,2063]},{"type":"call","value":[1180,1852,2832,3127]},{"type":"call","value":[1180,1852,920,156]},{"type":"call","value":[1180,1852,2596,3869]},{"type":"call","value":[1180,1852,764,354]},{"type":"call","value":[1180,1852,1020,3113]},{"type":"call","value":[1180,1852,2596,4772]},{"type":"call","value":[1180,1852,2596,3887]},{"type":"call","value":[1180,1852,764,372]},{"type":"call","value":[1180,1852,2596,1263]},{"type":"call","value":[1180,1852,2596,2822]},{"type":"call","value":[1180,1852,920,12]},{"type":"call","value":[1180,1852,1020,2969]},{"type":"call","value":[1180,1852,236,1164]},{"type":"call","value":[1180,1852,1476,1637]},{"type":"call","value":[1180,1852,2596,2413]},{"type":"call","value":[1180,1852,2596,2840]},{"type":"call","value":[1180,1852,2616,1988]},{"type":"call","value":[1180,1852,1400,2544]},{"type":"call","value":[1180,1852,2596,4646]},{"type":"call","value":[1180,1852,2596,2431]},{"type":"call","value":[1180,1852,764,475]},{"type":"call","value":[1180,1852,1876,3169]},{"type":"call","value":[1180,1852,2700,3831]},{"type":"call","value":[1180,1852,2596,4664]},{"type":"call","value":[1180,1852,2596,2449]},{"type":"call","value":[1180,1852,2856,1036]},{"type":"call","value":[1180,1852,920,115]},{"type":"call","value":[1180,1852,1156,757]},{"type":"call","value":[1180,1852,2596,3599]},{"type":"call","value":[1180,1852,2596,3370]},{"type":"call","value":[1180,1852,920,133]},{"type":"call","value":[1180,1852,1156,2563]},{"type":"call","value":[1180,1852,2596,1631]},{"type":"call","value":[1180,1852,2596,3617]},{"type":"call","value":[1180,1852,2596,4767]},{"type":"call","value":[1180,1852,2596,4111]},{"type":"call","value":[1180,1852,2596,4785]},{"type":"call","value":[1180,1852,1156,860]},{"type":"call","value":[1180,1852,2832,992]},{"type":"call","value":[1180,1852,2596,4803]},{"type":"call","value":[1180,1852,2596,4147]},{"type":"call","val
ue":[1180,1852,1020,2964]},{"type":"call","value":[1180,1852,2616,1983]},{"type":"call","value":[1180,1852,1400,2539]},{"type":"call","value":[1180,1852,2596,2408]},{"type":"call","value":[1180,1852,764,452]},{"type":"call","value":[1180,1852,2596,1752]},{"type":"call","value":[1180,1852,2596,2179]},{"type":"call","value":[1180,1852,2596,2426]},{"type":"call","value":[1180,1852,764,470]},{"type":"call","value":[1180,1852,1876,3164]},{"type":"call","value":[1180,1852,2596,1770]},{"type":"call","value":[1180,1852,1156,2949]},{"type":"call","value":[1180,1852,2856,1031]},{"type":"call","value":[1180,1852,2596,1788]},{"type":"call","value":[1180,1852,1808,4052]},{"type":"call","value":[1180,1852,920,110]},{"type":"call","value":[1180,1852,1020,3067]},{"type":"call","value":[1180,1852,2596,2035]},{"type":"call","value":[1180,1852,2596,3594]},{"type":"call","value":[1180,1852,2596,4924]},{"type":"call","value":[1180,1852,920,128]},{"type":"call","value":[1180,1852,2832,4002]},{"type":"call","value":[1180,1852,2596,3612]},{"type":"call","value":[1180,1852,764,573]},{"type":"call","value":[1180,1852,1020,2676]},{"type":"call","value":[1180,1852,2444,5051]},{"type":"call","value":[1180,1852,2596,3203]},{"type":"call","value":[1180,1852,2596,4106]},{"type":"call","value":[1180,1852,2596,3450]},{"type":"call","value":[1180,1852,2596,3877]},{"type":"call","value":[1180,1852,2596,2794]},{"type":"call","value":[1180,1852,2596,3468]},{"type":"call","value":[1180,1852,2596,170]},{"type":"call","value":[1180,1852,1020,2959]},{"type":"call","value":[1180,1852,2596,4618]},{"type":"call","value":[1180,1852,2616,1978]},{"type":"call","value":[1180,1852,2596,2830]},{"type":"call","value":[1180,1852,2596,3962]},{"type":"call","value":[1180,1852,764,447]},{"type":"call","value":[1180,1852,2596,1747]},{"type":"call","value":[1180,1852,2596,2174]},{"type":"call","value":[1180,1852,1400,2534]},{"type":"call","value":[1180,1852,2596,4636]},{"type":"call","value":[1180,1852,764,465]},{"type":"c
all","value":[1180,1852,2596,206]},{"type":"call","value":[1180,1852,2596,1765]},{"type":"call","value":[1180,1852,1876,3159]},{"type":"call","value":[1180,1852,920,87]},{"type":"call","value":[1180,1852,2856,1026]},{"type":"call","value":[1180,1852,1808,4047]},{"type":"call","value":[1180,1852,920,105]},{"type":"call","value":[1180,1852,1020,3062]},{"type":"call","value":[1180,1852,2596,2030]},{"type":"call","value":[1180,1852,920,123]},{"type":"call","value":[1180,1852,764,321]},{"type":"call","value":[1180,1852,764,568]},{"type":"call","value":[1180,1852,2596,4757]},{"type":"call","value":[1180,1852,1020,2918]},{"type":"call","value":[1180,1852,1028,2007]},{"type":"call","value":[1180,1852,2596,3445]},{"type":"call","value":[1180,1852,2596,2789]},{"type":"call","value":[1180,1852,2596,4775]},{"type":"call","value":[1180,1852,2596,2133]},{"type":"call","value":[1180,1852,2596,3463]},{"type":"call","value":[1180,1852,2596,4613]},{"type":"call","value":[1180,1852,2832,1000]},{"type":"call","value":[1180,1852,2596,2398]},{"type":"call","value":[1180,1852,764,442]},{"type":"call","value":[1180,1852,2616,1973]},{"type":"call","value":[1180,1852,1400,2529]},{"type":"call","value":[1180,1852,2596,4631]},{"type":"call","value":[1180,1852,236,1167]},{"type":"call","value":[1180,1852,2596,2416]},{"type":"call","value":[1180,1852,2596,3975]},{"type":"call","value":[1180,1852,764,460]},{"type":"call","value":[1180,1852,920,82]},{"type":"call","value":[1180,1852,1808,4042]},{"type":"call","value":[1180,1852,920,100]},{"type":"call","value":[1180,1852,2596,2254]},{"type":"call","value":[1180,1852,1020,3057]},{"type":"call","value":[1180,1852,2596,3584]},{"type":"call","value":[1180,1852,2856,1039]},{"type":"call","value":[1180,1852,920,118]},{"type":"call","value":[1180,1852,2596,286]},{"type":"call","value":[1180,1852,2596,2272]},{"type":"call","value":[1180,1852,1020,2648]},{"type":"call","value":[1180,1852,2596,4734]},{"type":"call","value":[1180,1852,2596,4078]},{"type":"ca
ll","value":[1180,1852,764,563]},{"type":"call","value":[1180,1852,2596,2290]},{"type":"call","value":[1180,1852,764,334]},{"type":"call","value":[1180,1852,2596,3193]},{"type":"call","value":[1180,1852,2596,4752]},{"type":"call","value":[1180,1852,2596,4096]},{"type":"call","value":[1180,1852,1020,2913]},{"type":"call","value":[1180,1852,2596,4770]},{"type":"call","value":[1180,1852,2596,4114]},{"type":"call","value":[1180,1852,764,419]},{"type":"call","value":[1180,1852,2596,1719]},{"type":"call","value":[1180,1852,2596,2393]},{"type":"call","value":[1180,1852,2596,3952]},{"type":"call","value":[1180,1852,764,437]},{"type":"call","value":[1180,1852,2596,1737]},{"type":"call","value":[1180,1852,2596,2411]},{"type":"call","value":[1180,1852,764,455]},{"type":"call","value":[1180,1852,2596,1328]},{"type":"call","value":[1180,1852,2596,1755]},{"type":"call","value":[1180,1852,2596,3561]},{"type":"call","value":[1180,1852,1808,4037]},{"type":"call","value":[1180,1852,920,95]},{"type":"call","value":[1180,1852,1020,3052]},{"type":"call","value":[1180,1852,2596,2020]},{"type":"call","value":[1180,1852,2856,1034]},{"type":"call","value":[1180,1852,2596,281]},{"type":"call","value":[1180,1852,2596,2267]},{"type":"call","value":[1180,1852,1020,2643]},{"type":"call","value":[1180,1852,1020,3070]},{"type":"call","value":[1180,1852,2596,4073]},{"type":"call","value":[1180,1852,764,558]},{"type":"call","value":[1180,1852,2596,3417]},{"type":"call","value":[1180,1852,2596,2761]},{"type":"call","value":[1180,1852,1156,822]},{"type":"call","value":[1180,1852,2596,2105]},{"type":"call","value":[1180,1852,2596,4091]},{"type":"call","value":[1180,1852,764,576]},{"type":"call","value":[1180,1852,1020,2908]},{"type":"call","value":[1180,1852,2596,3435]},{"type":"call","value":[1180,1852,920,198]},{"type":"call","value":[1180,1852,2596,2779]},{"type":"call","value":[1180,1852,2596,2123]},{"type":"call","value":[1180,1852,2596,4109]},{"type":"call","value":[1180,1852,2596,3453]},{"type":
"call","value":[1180,1852,236,1121]},{"type":"call","value":[1180,1852,2596,2797]},{"type":"call","value":[1180,1852,764,414]},{"type":"call","value":[1180,1852,2596,1714]},{"type":"call","value":[1180,1852,2596,4603]},{"type":"call","value":[1180,1852,2596,3947]},{"type":"call","value":[1180,1852,764,432]},{"type":"call","value":[1180,1852,2596,1732]},{"type":"call","value":[1180,1852,2596,4621]},{"type":"call","value":[1180,1852,236,1157]},{"type":"call","value":[1180,1852,2596,3965]},{"type":"call","value":[1180,1852,764,450]},{"type":"call","value":[1180,1852,2596,1750]},{"type":"call","value":[1180,1852,2596,4868]},{"type":"call","value":[1180,1852,920,72]},{"type":"call","value":[1180,1852,2828,1046]},{"type":"call","value":[1180,1852,1808,4032]},{"type":"call","value":[1180,1852,920,90]},{"type":"call","value":[1180,1852,1020,3047]},{"type":"call","value":[1180,1852,764,535]},{"type":"call","value":[1180,1852,764,553]},{"type":"call","value":[1180,1852,2596,3412]},{"type":"call","value":[1180,1852,1020,2656]},{"type":"call","value":[1180,1852,2596,2756]},{"type":"call","value":[1180,1852,2596,4742]},{"type":"call","value":[1180,1852,764,571]},{"type":"call","value":[1180,1852,1020,2903]},{"type":"call","value":[1180,1852,676,3344]},{"type":"call","value":[1180,1852,2596,2774]},{"type":"call","value":[1180,1852,764,409]},{"type":"call","value":[1180,1852,2596,4598]},{"type":"call","value":[1180,1852,2596,2383]},{"type":"call","value":[1180,1852,764,427]},{"type":"call","value":[1180,1852,2596,4845]},{"type":"call","value":[1180,1852,920,49]},{"type":"call","value":[1180,1852,1156,920]},{"type":"call","value":[1180,1852,2596,4616]},{"type":"call","value":[1180,1852,2596,3533]},{"type":"call","value":[1180,1852,2596,2221]},{"type":"call","value":[1180,1852,2596,3551]},{"type":"call","value":[1180,1852,920,85]},{"type":"call","value":[1180,1852,2596,3569]},{"type":"call","value":[1180,1852,2596,2486]},{"type":"call","value":[1180,1852,764,530]},{"type":"call","va
lue":[1180,1852,2596,271]},{"type":"call","value":[1180,1852,2596,2257]},{"type":"call","value":[1180,1852,1156,1877]},{"type":"call","value":[1180,1852,1156,4995]},{"type":"call","value":[1180,1852,1156,2353]},{"type":"call","value":[1180,1852,764,548]},{"type":"call","value":[1180,1852,2596,289]},{"type":"call","value":[1180,1852,2596,1848]},{"type":"call","value":[1180,1852,1020,2651]},{"type":"call","value":[1180,1852,2596,4737]},{"type":"call","value":[1180,1852,1156,812]},{"type":"call","value":[1180,1852,2596,4081]},{"type":"call","value":[1180,1852,676,3339]},{"type":"call","value":[1180,1852,764,386]},{"type":"call","value":[1180,1852,2596,2113]},{"type":"call","value":[1180,1852,1020,2916]},{"type":"call","value":[1180,1852,764,404]},{"type":"call","value":[1180,1852,1028,940]},{"type":"call","value":[1180,1852,236,1129]},{"type":"call","value":[1180,1852,2596,2378]},{"type":"call","value":[1180,1852,764,422]},{"type":"call","value":[1180,1852,1476,1602]},{"type":"call","value":[1180,1852,2596,1295]},{"type":"call","value":[1180,1852,2596,1722]},{"type":"call","value":[1180,1852,236,1376]},{"type":"call","value":[1180,1852,2736,2373]},{"type":"call","value":[1180,1852,2596,4184]},{"type":"call","value":[1180,1852,2596,3528]},{"type":"call","value":[1180,1852,2596,1313]},{"type":"call","value":[1180,1852,2596,2216]},{"type":"call","value":[1180,1852,2700,3845]},{"type":"call","value":[1180,1852,2596,3546]},{"type":"call","value":[1180,1852,920,80]},{"type":"call","value":[1180,1852,2596,248]},{"type":"call","value":[1180,1852,2596,2234]},{"type":"call","value":[1180,1852,1020,3037]},{"type":"call","value":[1180,1852,2832,3298]},{"type":"call","value":[1180,1852,2596,4696]},{"type":"call","value":[1180,1852,764,525]},{"type":"call","value":[1180,1852,2596,266]},{"type":"call","value":[1180,1852,2596,1825]},{"type":"call","value":[1180,1852,2596,3384]},{"type":"call","value":[1180,1852,2596,2072]},{"type":"call","value":[1180,1852,764,543]},{"type":"call","va
lue":[1180,1852,2596,284]},{"type":"call","value":[1180,1852,2596,3402]},{"type":"call","value":[1180,1852,1020,2646]},{"type":"call","value":[1180,1852,920,165]},{"type":"call","value":[1180,1852,2596,4732]},{"type":"call","value":[1180,1852,2596,2090]},{"type":"call","value":[1180,1852,2596,4076]},{"type":"call","value":[1180,1852,1156,3696]},{"type":"call","value":[1180,1852,676,3334]},{"type":"call","value":[1180,1852,920,183]},{"type":"call","value":[1180,1852,2596,2764]},{"type":"call","value":[1180,1852,764,381]},{"type":"call","value":[1180,1852,1200,3769]},{"type":"call","value":[1180,1852,2596,2108]},{"type":"call","value":[1180,1852,2596,3914]},{"type":"call","value":[1180,1852,764,399]},{"type":"call","value":[1180,1852,2596,4817]},{"type":"call","value":[1180,1852,2596,3932]},{"type":"call","value":[1180,1852,764,417]},{"type":"call","value":[1180,1852,2596,1717]},{"type":"call","value":[1180,1852,2596,4835]},{"type":"call","value":[1180,1852,2596,4179]},{"type":"call","value":[1180,1852,2596,5082]},{"type":"call","value":[1180,1852,1156,1584]},{"type":"call","value":[1180,1852,1020,3014]},{"type":"call","value":[1180,1852,2700,3840]},{"type":"call","value":[1180,1852,1732,5017]},{"type":"call","value":[1180,1852,2596,1573]},{"type":"call","value":[1180,1852,2596,4691]},{"type":"call","value":[1180,1852,1156,766]},{"type":"call","value":[1180,1852,2596,2476]},{"type":"call","value":[1180,1852,764,520]},{"type":"call","value":[1180,1852,2596,3379]},{"type":"call","value":[1180,1852,764,538]},{"type":"call","value":[1180,1852,2596,3397]},{"type":"call","value":[1180,1852,920,160]},{"type":"call","value":[1180,1852,1156,802]},{"type":"call","value":[1180,1852,2596,3415]},{"type":"call","value":[1180,1852,676,3329]},{"type":"call","value":[1180,1852,2596,2759]},{"type":"call","value":[1180,1852,764,376]},{"type":"call","value":[1180,1852,764,394]},{"type":"call","value":[1180,1852,920,16]},{"type":"call","value":[1180,1852,2596,4156]},{"type":"call","value"
:[1180,1852,2596,3500]},{"type":"call","value":[1180,1852,1020,2744]},{"type":"call","value":[1180,1852,2596,4830]},{"type":"call","value":[1180,1852,1156,905]},{"type":"call","value":[1180,1852,2596,2188]},{"type":"call","value":[1180,1852,2596,3518]},{"type":"call","value":[1180,1852,2208,1517]},{"type":"call","value":[1180,1852,2596,1303]},{"type":"call","value":[1180,1852,2596,2862]},{"type":"call","value":[1180,1852,2596,4848]},{"type":"call","value":[1180,1852,2596,2206]},{"type":"call","value":[1180,1852,1020,3009]},{"type":"call","value":[1180,1852,2700,3835]},{"type":"call","value":[1180,1852,2596,1550]},{"type":"call","value":[1180,1852,2596,3536]},{"type":"call","value":[1180,1852,2596,2453]},{"type":"call","value":[1180,1852,2596,238]},{"type":"call","value":[1180,1852,2596,2224]},{"type":"call","value":[1180,1852,2700,3853]},{"type":"call","value":[1180,1852,236,1222]},{"type":"call","value":[1180,1852,1156,761]},{"type":"call","value":[1180,1852,2596,2471]},{"type":"call","value":[1180,1852,764,515]},{"type":"call","value":[1180,1852,2596,256]},{"type":"call","value":[1180,1852,2596,1815]},{"type":"call","value":[1180,1852,2596,4704]},{"type":"call","value":[1180,1852,1156,779]},{"type":"call","value":[1180,1852,2596,2062]},{"type":"call","value":[1180,1852,764,533]},{"type":"call","value":[1180,1852,236,2143]},{"type":"call","value":[1180,1852,920,155]},{"type":"call","value":[1180,1852,2596,2080]},{"type":"call","value":[1180,1852,2596,3886]},{"type":"call","value":[1180,1852,764,371]},{"type":"call","value":[1180,1852,2596,3904]},{"type":"call","value":[1180,1852,764,389]},{"type":"call","value":[1180,1852,920,11]},{"type":"call","value":[1180,1852,2596,4151]},{"type":"call","value":[1180,1852,2596,3922]},{"type":"call","value":[1180,1852,2616,1987]},{"type":"call","value":[1180,1852,1020,2739]},{"type":"call","value":[1180,1852,2596,2839]},{"type":"call","value":[1180,1852,1156,900]},{"type":"call","value":[1180,1852,2596,2183]},{"type":"call","val
ue":[1180,1852,2596,4169]},{"type":"call","value":[1180,1852,2596,3513]},{"type":"call","value":[1180,1852,2596,1298]},{"type":"call","value":[1180,1852,2596,642]},{"type":"call","value":[1180,1852,2596,2201]},{"type":"call","value":[1180,1852,1156,918]},{"type":"call","value":[1180,1852,1876,3168]},{"type":"call","value":[1180,1852,2700,3830]},{"type":"call","value":[1180,1852,2596,4663]},{"type":"call","value":[1180,1852,2208,1530]},{"type":"call","value":[1180,1852,2596,233]},{"type":"call","value":[1180,1852,2596,1792]},{"type":"call","value":[1180,1852,2596,2219]},{"type":"call","value":[1180,1852,2832,1953]},{"type":"call","value":[1180,1852,2700,3848]},{"type":"call","value":[1180,1852,2596,4681]},{"type":"call","value":[1180,1852,1156,756]},{"type":"call","value":[1180,1852,2596,251]},{"type":"call","value":[1180,1852,2596,1810]},{"type":"call","value":[1180,1852,2596,3369]},{"type":"call","value":[1180,1852,920,132]},{"type":"call","value":[1180,1852,2596,2057]},{"type":"call","value":[1180,1852,2596,3387]},{"type":"call","value":[1180,1852,920,150]},{"type":"call","value":[1180,1852,2596,2075]},{"type":"call","value":[1180,1852,1156,2351]},{"type":"call","value":[1180,1852,2828,4242]},{"type":"call","value":[1180,1852,920,168]},{"type":"call","value":[1180,1852,2596,3881]},{"type":"call","value":[1180,1852,764,366]},{"type":"call","value":[1180,1852,236,1091]},{"type":"call","value":[1180,1852,2832,2501]},{"type":"call","value":[1180,1852,2596,3899]},{"type":"call","value":[1180,1852,764,384]},{"type":"call","value":[1180,1852,1020,2716]},{"type":"call","value":[1180,1852,2596,4802]},{"type":"call","value":[1180,1852,1020,2963]},{"type":"call","value":[1180,1852,1020,2734]},{"type":"call","value":[1180,1852,2616,1982]},{"type":"call","value":[1180,1852,2596,2834]},{"type":"call","value":[1180,1852,2596,4820]},{"type":"call","value":[1180,1852,920,24]},{"type":"call","value":[1180,1852,1156,895]},{"type":"call","value":[1180,1852,1020,2981]},{"type":"call",
"value":[1180,1852,1400,2556]},{"type":"call","value":[1180,1852,2596,2852]},{"type":"call","value":[1180,1852,2596,210]},{"type":"call","value":[1180,1852,2596,637]},{"type":"call","value":[1180,1852,1876,3163]},{"type":"call","value":[1180,1852,2208,1525]},{"type":"call","value":[1180,1852,2596,228]},{"type":"call","value":[1180,1852,2700,3843]},{"type":"call","value":[1180,1852,2596,4676]},{"type":"call","value":[1180,1852,764,734]},{"type":"call","value":[1180,1852,2596,2461]},{"type":"call","value":[1180,1852,764,505]},{"type":"call","value":[1180,1852,1156,751]},{"type":"call","value":[1180,1852,1476,1685]},{"type":"call","value":[1180,1852,2596,3364]},{"type":"call","value":[1180,1852,920,127]},{"type":"call","value":[1180,1852,2596,4694]},{"type":"call","value":[1180,1852,1156,769]},{"type":"call","value":[1180,1852,2596,3382]},{"type":"call","value":[1180,1852,1156,2575]},{"type":"call","value":[1180,1852,920,163]},{"type":"call","value":[1180,1852,764,361]},{"type":"call","value":[1180,1852,2596,4779]},{"type":"call","value":[1180,1852,236,1086]},{"type":"call","value":[1180,1852,764,379]},{"type":"call","value":[1180,1852,2596,1252]},{"type":"call","value":[1180,1852,1020,2958]},{"type":"call","value":[1180,1852,2616,1977]},{"type":"call","value":[1180,1852,1400,2533]},{"type":"call","value":[1180,1852,2596,4815]},{"type":"call","value":[1180,1852,1156,890]},{"type":"call","value":[1180,1852,2596,2173]},{"type":"call","value":[1180,1852,2596,4159]},{"type":"call","value":[1180,1852,2596,3503]},{"type":"call","value":[1180,1852,236,1171]},{"type":"call","value":[1180,1852,1400,2551]},{"type":"call","value":[1180,1852,2596,2420]},{"type":"call","value":[1180,1852,764,464]},{"type":"call","value":[1180,1852,2596,205]},{"type":"call","value":[1180,1852,2596,1764]},{"type":"call","value":[1180,1852,2596,2191]},{"type":"call","value":[1180,1852,1876,3158]},{"type":"call","value":[1180,1852,2208,1520]},{"type":"call","value":[1180,1852,764,482]},{"type":"call","
value":[1180,1852,2832,1943]},{"type":"call","value":[1180,1852,2700,3838]},{"type":"call","value":[1180,1852,1156,4947]},{"type":"call","value":[1180,1852,1156,746]},{"type":"call","value":[1180,1852,2596,2029]},{"type":"call","value":[1180,1852,2596,1800]},{"type":"call","value":[1180,1852,920,122]},{"type":"call","value":[1180,1852,1156,764]},{"type":"call","value":[1180,1852,2596,2047]},{"type":"call","value":[1180,1852,2596,3606]},{"type":"call","value":[1180,1852,920,140]},{"type":"call","value":[1180,1852,2596,2065]},{"type":"call","value":[1180,1852,2832,3129]},{"type":"call","value":[1180,1852,2596,3871]},{"type":"call","value":[1180,1852,764,356]},{"type":"call","value":[1180,1852,2596,4118]},{"type":"call","value":[1180,1852,2596,3462]},{"type":"call","value":[1180,1852,2596,3889]},{"type":"call","value":[1180,1852,2596,1247]},{"type":"call","value":[1180,1852,2596,4136]},{"type":"call","value":[1180,1852,2616,1972]},{"type":"call","value":[1180,1852,920,14]},{"type":"call","value":[1180,1852,2596,4154]},{"type":"call","value":[1180,1852,1020,2971]},{"type":"call","value":[1180,1852,2596,3498]},{"type":"call","value":[1180,1852,2596,4630]},{"type":"call","value":[1180,1852,236,1166]},{"type":"call","value":[1180,1852,2596,2842]},{"type":"call","value":[1180,1852,764,459]},{"type":"call","value":[1180,1852,2616,1990]},{"type":"call","value":[1180,1852,2596,1759]},{"type":"call","value":[1180,1852,2596,2186]},{"type":"call","value":[1180,1852,1400,2546]},{"type":"call","value":[1180,1852,1876,5139]},{"type":"call","value":[1180,1852,2208,1515]},{"type":"call","value":[1180,1852,764,477]},{"type":"call","value":[1180,1852,1876,3171]},{"type":"call","value":[1180,1852,2596,2024]},{"type":"call","value":[1180,1852,2856,1038]},{"type":"call","value":[1180,1852,920,117]},{"type":"call","value":[1180,1852,2596,2042]},{"type":"call","value":[1180,1852,920,135]},{"type":"call","value":[1180,1852,1156,2565]},{"type":"call","value":[1180,1852,1020,3092]},{"type":"cal
l","value":[1180,1852,2596,1633]},{"type":"call","value":[1180,1852,2596,3866]},{"type":"call","value":[1180,1852,2596,3210]},{"type":"call","value":[1180,1852,2596,4769]},{"type":"call","value":[1180,1852,2596,3457]},{"type":"call","value":[1180,1852,2596,3884]},{"type":"call","value":[1180,1852,2596,2801]},{"type":"call","value":[1180,1852,2596,4787]},{"type":"call","value":[1180,1852,1156,862]},{"type":"call","value":[1180,1852,2596,3475]},{"type":"call","value":[1180,1852,2832,994]},{"type":"call","value":[1180,1852,2596,2819]},{"type":"call","value":[1180,1852,920,9]},{"type":"call","value":[1180,1852,1020,2966]},{"type":"call","value":[1180,1852,2596,4625]},{"type":"call","value":[1180,1852,2616,1985]},{"type":"call","value":[1180,1852,2596,2410]},{"type":"call","value":[1180,1852,764,454]},{"type":"call","value":[1180,1852,1400,2541]},{"type":"call","value":[1180,1852,1156,2933]},{"type":"call","value":[1180,1852,2596,4643]},{"type":"call","value":[1180,1852,1476,1652]},{"type":"call","value":[1180,1852,2596,2428]},{"type":"call","value":[1180,1852,764,472]},{"type":"call","value":[1180,1852,2596,213]},{"type":"call","value":[1180,1852,1876,3166]},{"type":"call","value":[1180,1852,920,94]},{"type":"call","value":[1180,1852,2596,4661]},{"type":"call","value":[1180,1852,2596,2019]},{"type":"call","value":[1180,1852,2856,1033]},{"type":"call","value":[1180,1852,920,112]},{"type":"call","value":[1180,1852,2596,2266]},{"type":"call","value":[1180,1852,2596,3596]},{"type":"call","value":[1180,1852,920,130]},{"type":"call","value":[1180,1852,1020,2660]},{"type":"call","value":[1180,1852,2596,4746]},{"type":"call","value":[1180,1852,2596,4090]},{"type":"call","value":[1180,1852,2596,3861]},{"type":"call","value":[1180,1852,2596,4764]},{"type":"call","value":[1180,1852,2596,4108]},{"type":"call","value":[1180,1852,764,593]},{"type":"call","value":[1180,1852,1156,3728]},{"type":"call","value":[1180,1852,2596,4782]},{"type":"call","value":[1180,1852,2596,4126]},{"type":
"call","value":[1180,1852,2596,2387]},{"type":"call","value":[1180,1852,764,431]},{"type":"call","value":[1180,1852,1020,2961]},{"type":"call","value":[1180,1852,1400,2536]},{"type":"call","value":[1180,1852,2596,2405]},{"type":"call","value":[1180,1852,2596,3964]},{"type":"call","value":[1180,1852,764,449]},{"type":"call","value":[1180,1852,2596,1749]},{"type":"call","value":[1180,1852,2596,2423]},{"type":"call","value":[1180,1852,764,467]},{"type":"call","value":[1180,1852,1876,3161]},{"type":"call","value":[1180,1852,2596,1767]},{"type":"call","value":[1180,1852,2596,4885]},{"type":"call","value":[1180,1852,920,89]},{"type":"call","value":[1180,1852,236,1421]},{"type":"call","value":[1180,1852,1020,3046]},{"type":"call","value":[1180,1852,2596,3573]},{"type":"call","value":[1180,1852,2856,1028]},{"type":"call","value":[1180,1852,1808,4049]},{"type":"call","value":[1180,1852,920,107]},{"type":"call","value":[1180,1852,2596,2261]},{"type":"call","value":[1180,1852,764,732]},{"type":"call","value":[1180,1852,2596,2032]},{"type":"call","value":[1180,1852,2596,3591]},{"type":"call","value":[1180,1852,920,125]},{"type":"call","value":[1180,1852,2596,293]},{"type":"call","value":[1180,1852,2596,2279]},{"type":"call","value":[1180,1852,764,323]},{"type":"call","value":[1180,1852,2596,4085]},{"type":"call","value":[1180,1852,764,570]},{"type":"call","value":[1180,1852,2596,2773]},{"type":"call","value":[1180,1852,1156,834]},{"type":"call","value":[1180,1852,2596,2117]},{"type":"call","value":[1180,1852,2596,4103]},{"type":"call","value":[1180,1852,2596,1888]},{"type":"call","value":[1180,1852,2596,3447]},{"type":"call","value":[1180,1852,2596,2791]},{"type":"call","value":[1180,1852,2596,4121]},{"type":"call","value":[1180,1852,2596,3465]},{"type":"call","value":[1180,1852,236,1133]},{"type":"call","value":[1180,1852,1476,1606]},{"type":"call","value":[1180,1852,2596,2809]},{"type":"call","value":[1180,1852,764,426]},{"type":"call","value":[1180,1852,2596,1726]},{"type":"
call","value":[1180,1852,2596,4615]},{"type":"call","value":[1180,1852,2832,1002]},{"type":"call","value":[1180,1852,1400,2531]},{"type":"call","value":[1180,1852,2596,3959]},{"type":"call","value":[1180,1852,764,444]},{"type":"call","value":[1180,1852,2596,1744]},{"type":"call","value":[1180,1852,2208,3288]},{"type":"call","value":[1180,1852,2596,4633]},{"type":"call","value":[1180,1852,236,1169]},{"type":"call","value":[1180,1852,764,462]},{"type":"call","value":[1180,1852,2596,1762]},{"type":"call","value":[1180,1852,2832,1496]},{"type":"call","value":[1180,1852,920,84]},{"type":"call","value":[1180,1852,2856,1023]},{"type":"call","value":[1180,1852,1808,4044]},{"type":"call","value":[1180,1852,920,102]},{"type":"call","value":[1180,1852,1020,3059]},{"type":"call","value":[1180,1852,2856,1041]},{"type":"call","value":[1180,1852,764,547]},{"type":"call","value":[1180,1852,764,318]},{"type":"call","value":[1180,1852,1020,2650]},{"type":"call","value":[1180,1852,2596,4736]},{"type":"call","value":[1180,1852,764,565]},{"type":"call","value":[1180,1852,2596,3424]},{"type":"call","value":[1180,1852,2596,2768]},{"type":"call","value":[1180,1852,2596,4754]},{"type":"call","value":[1180,1852,1028,4875]},{"type":"call","value":[1180,1852,1020,2915]},{"type":"call","value":[1180,1852,2596,2786]},{"type":"call","value":[1180,1852,1156,847]},{"type":"call","value":[1180,1852,2596,3460]},{"type":"call","value":[1180,1852,2596,4592]},{"type":"call","value":[1180,1852,2596,2804]},{"type":"call","value":[1180,1852,764,421]},{"type":"call","value":[1180,1852,2596,4610]},{"type":"call","value":[1180,1852,2596,2395]},{"type":"call","value":[1180,1852,764,439]},{"type":"call","value":[1180,1852,2208,3283]},{"type":"call","value":[1180,1852,2596,4628]},{"type":"call","value":[1180,1852,2596,3545]},{"type":"call","value":[1180,1852,2832,1491]},{"type":"call","value":[1180,1852,2596,2233]},{"type":"call","value":[1180,1852,2828,1053]},{"type":"call","value":[1180,1852,1808,4039]},{"type
":"call","value":[1180,1852,920,97]},{"type":"call","value":[1180,1852,1020,3054]},{"type":"call","value":[1180,1852,2596,3581]},{"type":"call","value":[1180,1852,1808,4057]},{"type":"call","value":[1180,1852,764,542]},{"type":"call","value":[1180,1852,2596,283]},{"type":"call","value":[1180,1852,2596,1842]},{"type":"call","value":[1180,1852,2596,2269]},{"type":"call","value":[1180,1852,1020,2645]},{"type":"call","value":[1180,1852,2596,4731]},{"type":"call","value":[1180,1852,2596,4075]},{"type":"call","value":[1180,1852,764,560]},{"type":"call","value":[1180,1852,236,2170]},{"type":"call","value":[1180,1852,1020,2663]},{"type":"call","value":[1180,1852,2596,4749]},{"type":"call","value":[1180,1852,2596,2107]},{"type":"call","value":[1180,1852,2596,4093]},{"type":"call","value":[1180,1852,1020,2910]},{"type":"call","value":[1180,1852,2596,2125]},{"type":"call","value":[1180,1852,2596,3931]},{"type":"call","value":[1180,1852,764,416]},{"type":"call","value":[1180,1852,2596,1716]},{"type":"call","value":[1180,1852,1476,1614]},{"type":"call","value":[1180,1852,2596,2390]},{"type":"call","value":[1180,1852,2596,3949]},{"type":"call","value":[1180,1852,2596,175]},{"type":"call","value":[1180,1852,2596,1734]},{"type":"call","value":[1180,1852,764,434]},{"type":"call","value":[1180,1852,2596,3540]},{"type":"call","value":[1180,1852,2596,3967]},{"type":"call","value":[1180,1852,1732,5016]},{"type":"call","value":[1180,1852,920,74]},{"type":"call","value":[1180,1852,2596,2228]},{"type":"call","value":[1180,1852,2596,1572]},{"type":"call","value":[1180,1852,1808,4034]},{"type":"call","value":[1180,1852,920,92]},{"type":"call","value":[1180,1852,2596,260]},{"type":"call","value":[1180,1852,2596,2246]},{"type":"call","value":[1180,1852,1020,3049]},{"type":"call","value":[1180,1852,2596,2493]},{"type":"call","value":[1180,1852,764,537]},{"type":"call","value":[1180,1852,2596,278]},{"type":"call","value":[1180,1852,2596,2264]},{"type":"call","value":[1180,1852,2596,3396]},{"type
":"call","value":[1180,1852,2596,4070]},{"type":"call","value":[1180,1852,764,555]},{"type":"call","value":[1180,1852,2596,3414]},{"type":"call","value":[1180,1852,1020,2658]},{"type":"call","value":[1180,1852,676,3328]},{"type":"call","value":[1180,1852,2596,2758]},{"type":"call","value":[1180,1852,1156,819]},{"type":"call","value":[1180,1852,2596,2102]},{"type":"call","value":[1180,1852,2596,4088]},{"type":"call","value":[1180,1852,1020,2905]},{"type":"call","value":[1180,1852,2596,3432]},{"type":"call","value":[1180,1852,2596,2776]},{"type":"call","value":[1180,1852,764,393]},{"type":"call","value":[1180,1852,2832,2510]},{"type":"call","value":[1180,1852,2596,2120]},{"type":"call","value":[1180,1852,764,411]},{"type":"call","value":[1180,1852,2596,4600]},{"type":"call","value":[1180,1852,2596,3944]},{"type":"call","value":[1180,1852,764,429]},{"type":"call","value":[1180,1852,2596,1729]},{"type":"call","value":[1180,1852,968,3029]},{"type":"call","value":[1180,1852,236,1383]},{"type":"call","value":[1180,1852,1020,3008]},{"type":"call","value":[1180,1852,2832,1481]},{"type":"call","value":[1180,1852,920,69]},{"type":"call","value":[1180,1852,1020,3044]},{"type":"call","value":[1180,1852,2596,4703]},{"type":"call","value":[1180,1852,1156,4979]},{"type":"call","value":[1180,1852,764,532]},{"type":"call","value":[1180,1852,2596,3391]},{"type":"call","value":[1180,1852,1020,2635]},{"type":"call","value":[1180,1852,1156,796]},{"type":"call","value":[1180,1852,2596,4065]},{"type":"call","value":[1180,1852,764,550]},{"type":"call","value":[1180,1852,2596,3409]},{"type":"call","value":[1180,1852,1020,2653]},{"type":"call","value":[1180,1852,2596,2753]},{"type":"call","value":[1180,1852,2596,4739]},{"type":"call","value":[1180,1852,676,3341]},{"type":"call","value":[1180,1852,2596,2771]},{"type":"call","value":[1180,1852,764,388]},{"type":"call","value":[1180,1852,236,1113]},{"type":"call","value":[1180,1852,764,406]},{"type":"call","value":[1180,1852,1020,2738]},{"type":
"call","value":[1180,1852,2596,4824]},{"type":"call","value":[1180,1852,2596,4168]},{"type":"call","value":[1180,1852,2596,4595]},{"type":"call","value":[1180,1852,2596,2380]},{"type":"call","value":[1180,1852,2596,3512]},{"type":"call","value":[1180,1852,764,424]},{"type":"call","value":[1180,1852,2596,1297]},{"type":"call","value":[1180,1852,236,1378]},{"type":"call","value":[1180,1852,2596,3530]},{"type":"call","value":[1180,1852,2208,1529]},{"type":"call","value":[1180,1852,2596,1315]},{"type":"call","value":[1180,1852,2596,2218]},{"type":"call","value":[1180,1852,2596,3548]},{"type":"call","value":[1180,1852,1156,4956]},{"type":"call","value":[1180,1852,236,1216]},{"type":"call","value":[1180,1852,2596,2465]},{"type":"call","value":[1180,1852,2596,250]},{"type":"call","value":[1180,1852,2596,1809]},{"type":"call","value":[1180,1852,2836,1069]},{"type":"call","value":[1180,1852,2596,2483]},{"type":"call","value":[1180,1852,764,527]},{"type":"call","value":[1180,1852,2596,268]},{"type":"call","value":[1180,1852,2596,2074]},{"type":"call","value":[1180,1852,764,545]},{"type":"call","value":[1180,1852,2832,3138]},{"type":"call","value":[1180,1852,920,167]},{"type":"call","value":[1180,1852,2596,2748]},{"type":"call","value":[1180,1852,2596,2092]},{"type":"call","value":[1180,1852,676,3336]},{"type":"call","value":[1180,1852,2832,2500]},{"type":"call","value":[1180,1852,2596,3898]},{"type":"call","value":[1180,1852,764,383]},{"type":"call","value":[1180,1852,2596,2110]},{"type":"call","value":[1180,1852,2596,3916]},{"type":"call","value":[1180,1852,764,401]},{"type":"call","value":[1180,1852,1020,2733]},{"type":"call","value":[1180,1852,920,23]},{"type":"call","value":[1180,1852,1156,894]},{"type":"call","value":[1180,1852,2596,4163]},{"type":"call","value":[1180,1852,2596,4590]},{"type":"call","value":[1180,1852,2596,3507]},{"type":"call","value":[1180,1852,2596,3934]},{"type":"call","value":[1180,1852,2596,1292]},{"type":"call","value":[1180,1852,2596,2851]},{"typ
e":"call","value":[1180,1852,2616,1999]},{"type":"call","value":[1180,1852,1156,912]},{"type":"call","value":[1180,1852,2596,2195]},{"type":"call","value":[1180,1852,2596,3525]},{"type":"call","value":[1180,1852,2208,1524]},{"type":"call","value":[1180,1852,2596,1310]},{"type":"call","value":[1180,1852,1156,930]},{"type":"call","value":[1180,1852,2596,2213]},{"type":"call","value":[1180,1852,2700,3842]},{"type":"call","value":[1180,1852,2596,3116]},{"type":"call","value":[1180,1852,2596,3543]},{"type":"call","value":[1180,1852,2596,4675]},{"type":"call","value":[1180,1852,2596,2887]},{"type":"call","value":[1180,1852,2208,1542]},{"type":"call","value":[1180,1852,2596,245]},{"type":"call","value":[1180,1852,2596,1804]},{"type":"call","value":[1180,1852,2596,4693]},{"type":"call","value":[1180,1852,1156,4969]},{"type":"call","value":[1180,1852,1156,768]},{"type":"call","value":[1180,1852,764,522]},{"type":"call","value":[1180,1852,2596,263]},{"type":"call","value":[1180,1852,2596,1822]},{"type":"call","value":[1180,1852,2596,3381]},{"type":"call","value":[1180,1852,2596,2069]},{"type":"call","value":[1180,1852,764,540]},{"type":"call","value":[1180,1852,1156,2345]},{"type":"call","value":[1180,1852,2596,3399]},{"type":"call","value":[1180,1852,920,162]},{"type":"call","value":[1180,1852,1156,2592]},{"type":"call","value":[1180,1852,2832,3807]},{"type":"call","value":[1180,1852,676,3331]},{"type":"call","value":[1180,1852,2596,3893]},{"type":"call","value":[1180,1852,764,378]},{"type":"call","value":[1180,1852,2596,3911]},{"type":"call","value":[1180,1852,764,396]},{"type":"call","value":[1180,1852,2596,4814]},{"type":"call","value":[1180,1852,1156,889]},{"type":"call","value":[1180,1852,1020,2746]},{"type":"call","value":[1180,1852,2616,1994]},{"type":"call","value":[1180,1852,2596,2846]},{"type":"call","value":[1180,1852,2596,4832]},{"type":"call","value":[1180,1852,920,36]},{"type":"call","value":[1180,1852,1156,907]},{"type":"call","value":[1180,1852,2784,1062]},{"
type":"call","value":[1180,1852,2208,1519]},{"type":"call","value":[1180,1852,2596,2864]},{"type":"call","value":[1180,1852,2700,3837]},{"type":"call","value":[1180,1852,2208,1537]},{"type":"call","value":[1180,1852,2596,4688]},{"type":"call","value":[1180,1852,1156,4964]},{"type":"call","value":[1180,1852,2596,2473]},{"type":"call","value":[1180,1852,764,517]},{"type":"call","value":[1180,1852,1156,763]},{"type":"call","value":[1180,1852,236,1224]},{"type":"call","value":[1180,1852,2596,3376]},{"type":"call","value":[1180,1852,920,139]},{"type":"call","value":[1180,1852,2596,3394]},{"type":"call","value":[1180,1852,2832,3128]},{"type":"call","value":[1180,1852,920,157]},{"type":"call","value":[1180,1852,764,355]},{"type":"call","value":[1180,1852,676,3326]},{"type":"call","value":[1180,1852,764,373]},{"type":"call","value":[1180,1852,2596,4135]},{"type":"call","value":[1180,1852,764,391]},{"type":"call","value":[1180,1852,920,13]},{"type":"call","value":[1180,1852,2596,4153]},{"type":"call","value":[1180,1852,1020,2970]},{"type":"call","value":[1180,1852,1020,2741]},{"type":"call","value":[1180,1852,2616,1989]},{"type":"call","value":[1180,1852,2596,1282]},{"type":"call","value":[1180,1852,1400,2545]},{"type":"call","value":[1180,1852,2596,4827]},{"type":"call","value":[1180,1852,1156,902]},{"type":"call","value":[1180,1852,2596,2185]},{"type":"call","value":[1180,1852,2596,4171]},{"type":"call","value":[1180,1852,2596,3515]},{"type":"call","value":[1180,1852,2596,1300]},{"type":"call","value":[1180,1852,2596,2432]},{"type":"call","value":[1180,1852,764,476]},{"type":"call","value":[1180,1852,2596,217]},{"type":"call","value":[1180,1852,2596,2203]},{"type":"call","value":[1180,1852,1020,3006]},{"type":"call","value":[1180,1852,1876,3170]},{"type":"call","value":[1180,1852,2700,3832]},{"type":"call","value":[1180,1852,2208,1532]},{"type":"call","value":[1180,1852,1476,1674]},{"type":"call","value":[1180,1852,2596,2450]},{"type":"call","value":[1180,1852,2596,235]},{
"type":"call","value":[1180,1852,764,741]},{"type":"call","value":[1180,1852,1156,758]},{"type":"call","value":[1180,1852,2596,2041]},{"type":"call","value":[1180,1852,2596,2468]},{"type":"call","value":[1180,1852,2596,253]},{"type":"call","value":[1180,1852,2596,1812]},{"type":"call","value":[1180,1852,764,512]},{"type":"call","value":[1180,1852,920,134]},{"type":"call","value":[1180,1852,1020,3091]},{"type":"call","value":[1180,1852,2596,2059]},{"type":"call","value":[1180,1852,2596,3618]},{"type":"call","value":[1180,1852,920,152]},{"type":"call","value":[1180,1852,2832,3797]},{"type":"call","value":[1180,1852,2596,3883]},{"type":"call","value":[1180,1852,764,368]},{"type":"call","value":[1180,1852,2444,5075]},{"type":"call","value":[1180,1852,2596,3901]},{"type":"call","value":[1180,1852,2596,2818]},{"type":"call","value":[1180,1852,2596,4148]},{"type":"call","value":[1180,1852,1020,2965]},{"type":"call","value":[1180,1852,1020,2736]},{"type":"call","value":[1180,1852,2616,1984]},{"type":"call","value":[1180,1852,1400,2540]},{"type":"call","value":[1180,1852,2596,2836]},{"type":"call","value":[1180,1852,968,3004]},{"type":"call","value":[1180,1852,1156,897]},{"type":"call","value":[1180,1852,2596,2180]},{"type":"call","value":[1180,1852,2596,4166]},{"type":"call","value":[1180,1852,2596,3510]},{"type":"call","value":[1180,1852,2596,2854]},{"type":"call","value":[1180,1852,764,471]},{"type":"call","value":[1180,1852,1876,3165]},{"type":"call","value":[1180,1852,2596,1771]},{"type":"call","value":[1180,1852,2596,2198]},{"type":"call","value":[1180,1852,2700,3827]},{"type":"call","value":[1180,1852,2596,4660]},{"type":"call","value":[1180,1852,2208,1527]},{"type":"call","value":[1180,1852,2596,1789]},{"type":"call","value":[1180,1852,2596,4678]},{"type":"call","value":[1180,1852,1156,753]},{"type":"call","value":[1180,1852,2596,2036]},{"type":"call","value":[1180,1852,764,507]},{"type":"call","value":[1180,1852,2596,1807]},{"type":"call","value":[1180,1852,2596,336
6]},{"type":"call","value":[1180,1852,920,129]},{"type":"call","value":[1180,1852,1020,3086]},{"type":"call","value":[1180,1852,2596,2054]},{"type":"call","value":[1180,1852,2596,3613]},{"type":"call","value":[1180,1852,920,147]},{"type":"call","value":[1180,1852,2596,3860]},{"type":"call","value":[1180,1852,2444,5052]},{"type":"call","value":[1180,1852,2596,3204]},{"type":"call","value":[1180,1852,764,592]},{"type":"call","value":[1180,1852,2596,3878]},{"type":"call","value":[1180,1852,764,363]},{"type":"call","value":[1180,1852,2444,5070]},{"type":"call","value":[1180,1852,2596,4781]},{"type":"call","value":[1180,1852,2596,3469]},{"type":"call","value":[1180,1852,2596,3896]},{"type":"call","value":[1180,1852,1020,2960]},{"type":"call","value":[1180,1852,2616,1979]},{"type":"call","value":[1180,1852,1400,2535]},{"type":"call","value":[1180,1852,2596,2831]},{"type":"call","value":[1180,1852,1156,892]},{"type":"call","value":[1180,1852,2596,4637]},{"type":"call","value":[1180,1852,236,1173]},{"type":"call","value":[1180,1852,2596,2422]},{"type":"call","value":[1180,1852,2596,2849]},{"type":"call","value":[1180,1852,764,466]},{"type":"call","value":[1180,1852,1876,3160]},{"type":"call","value":[1180,1852,2208,1522]},{"type":"call","value":[1180,1852,2596,2440]},{"type":"call","value":[1180,1852,764,484]},{"type":"call","value":[1180,1852,920,106]},{"type":"call","value":[1180,1852,2596,4673]},{"type":"call","value":[1180,1852,764,731]},{"type":"call","value":[1180,1852,1156,748]},{"type":"call","value":[1180,1852,2596,3590]},{"type":"call","value":[1180,1852,1028,3482]},{"type":"call","value":[1180,1852,2596,3361]},{"type":"call","value":[1180,1852,920,124]},{"type":"call","value":[1180,1852,2596,2278]},{"type":"call","value":[1180,1852,1020,3081]},{"type":"call","value":[1180,1852,920,142]},{"type":"call","value":[1180,1852,1020,3099]},{"type":"call","value":[1180,1852,764,587]},{"type":"call","value":[1180,1852,2596,1887]},{"type":"call","value":[1180,1852,764,358]}
,{"type":"call","value":[1180,1852,2596,4776]},{"type":"call","value":[1180,1852,2596,4120]},{"type":"call","value":[1180,1852,2596,1249]},{"type":"call","value":[1180,1852,2596,4794]},{"type":"call","value":[1180,1852,2596,4138]},{"type":"call","value":[1180,1852,2616,1974]},{"type":"call","value":[1180,1852,1400,2530]},{"type":"call","value":[1180,1852,1020,2973]},{"type":"call","value":[1180,1852,236,1168]},{"type":"call","value":[1180,1852,1476,1641]},{"type":"call","value":[1180,1852,2596,2417]},{"type":"call","value":[1180,1852,764,461]},{"type":"call","value":[1180,1852,1400,2548]},{"type":"call","value":[1180,1852,2596,1761]},{"type":"call","value":[1180,1852,1876,3155]},{"type":"call","value":[1180,1852,2828,2369]},{"type":"call","value":[1180,1852,1476,1659]},{"type":"call","value":[1180,1852,2596,2435]},{"type":"call","value":[1180,1852,764,479]},{"type":"call","value":[1180,1852,1876,3173]},{"type":"call","value":[1180,1852,2596,1779]},{"type":"call","value":[1180,1852,920,101]},{"type":"call","value":[1180,1852,2596,2026]},{"type":"call","value":[1180,1852,2596,3585]},{"type":"call","value":[1180,1852,2856,1040]},{"type":"call","value":[1180,1852,920,119]},{"type":"call","value":[1180,1852,2596,2273]},{"type":"call","value":[1180,1852,2596,2044]},{"type":"call","value":[1180,1852,2596,3603]},{"type":"call","value":[1180,1852,2856,1058]},{"type":"call","value":[1180,1852,920,137]},{"type":"call","value":[1180,1852,2596,2291]},{"type":"call","value":[1180,1852,1156,2567]},{"type":"call","value":[1180,1852,2832,4011]},{"type":"call","value":[1180,1852,1020,3094]},{"type":"call","value":[1180,1852,2596,4097]},{"type":"call","value":[1180,1852,2596,3868]},{"type":"call","value":[1180,1852,764,353]},{"type":"call","value":[1180,1852,2596,4115]},{"type":"call","value":[1180,1852,2596,3459]},{"type":"call","value":[1180,1852,2688,3743]},{"type":"call","value":[1180,1852,2596,2803]},{"type":"call","value":[1180,1852,1156,864]},{"type":"call","value":[1180,1852,2
36,1145]},{"type":"call","value":[1180,1852,2832,996]},{"type":"call","value":[1180,1852,2596,2821]},{"type":"call","value":[1180,1852,764,438]},{"type":"call","value":[1180,1852,1476,1618]},{"type":"call","value":[1180,1852,2596,1738]},{"type":"call","value":[1180,1852,1020,2968]},{"type":"call","value":[1180,1852,2596,4627]},{"type":"call","value":[1180,1852,1400,2543]},{"type":"call","value":[1180,1852,764,456]},{"type":"call","value":[1180,1852,2596,1756]},{"type":"call","value":[1180,1852,2828,2364]},{"type":"call","value":[1180,1852,2596,4645]},{"type":"call","value":[1180,1852,236,1181]},{"type":"call","value":[1180,1852,764,474]},{"type":"call","value":[1180,1852,2596,1774]},{"type":"call","value":[1180,1852,920,96]},{"type":"call","value":[1180,1852,2596,2021]},{"type":"call","value":[1180,1852,2856,1035]},{"type":"call","value":[1180,1852,920,114]},{"type":"call","value":[1180,1852,1020,3071]},{"type":"call","value":[1180,1852,2856,3268]},{"type":"call","value":[1180,1852,2596,2039]},{"type":"call","value":[1180,1852,2596,2286]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":2,"description":"AF_INET"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1464]},{"type":"call","value":[1180,1852,676,3350]},{"type":"call","value":[1180,1852,236,1467]},{"type":"call","value":[1180,1852,2828,2366]},{"type":"call","value":[1180,1852,2596,3860]},{"type":"call","value":[1180,1852,2832,967]},{"type":"call","value":[1180,1852,764,589]},{"type":"call","value":[1180,1852,2596,4589]},{"type":"call","value":[1180,1852,1400,4903]},{"type":"call","value":[1180,1852,2596,4064]},{"type":"call","value":[1180,1852,2596,4183]},{"type":"call","value":[1180,1852,920,174]},{"type":"call","value":[1180,1852,2700,3850]},{"type":"call","value":[1180,1852,2856,1055]},{"type":"call","value":[1180,1852,236,1350]},{"type":"call","value":[1180,1852,1200,3790]},{"type":"call","value":[1180,1852,1400,2553]},{"type":"call","value":[
1180,1852,2596,3209]},{"type":"call","value":[1180,1852,236,1362]},{"type":"call","value":[1180,1852,2828,1050]},{"type":"call","value":[1180,1852,764,597]},{"type":"call","value":[1180,1852,2320,1080]},{"type":"call","value":[1180,1852,2828,4241]},{"type":"call","value":[1180,1852,2596,1714]},{"type":"call","value":[1180,1852,2616,3989]},{"type":"call","value":[1180,1852,1808,4054]},{"type":"call","value":[1180,1852,1876,3181]},{"type":"call","value":[1180,1852,2444,5072]},{"type":"call","value":[1180,1852,2596,4731]},{"type":"call","value":[1180,1852,2596,176]},{"type":"call","value":[1180,1852,2596,3361]},{"type":"call","value":[1180,1852,2208,3285]},{"type":"call","value":[1180,1852,2284,2013]},{"type":"call","value":[1180,1852,2596,2290]},{"type":"call","value":[1180,1852,764,578]},{"type":"call","value":[1180,1852,2596,3498]},{"type":"call","value":[1180,1852,2596,2171]},{"type":"call","value":[1180,1852,2596,3617]},{"type":"call","value":[1180,1852,920,200]},{"type":"call","value":[1180,1852,2828,4585]},{"type":"call","value":[1180,1852,2616,1996]},{"type":"call","value":[1180,1852,2596,1887]},{"type":"call","value":[1180,1852,2596,2018]},{"type":"call","value":[1180,1852,2596,2378]},{"type":"call","value":[1180,1852,2596,5081]},{"type":"call","value":[1180,1852,968,3031]},{"type":"call","value":[1180,1852,2856,3265]},{"type":"call","value":[1180,1852,2596,175]},{"type":"call","value":[1180,1852,2596,2747]},{"type":"call","value":[1180,1852,2596,233]},{"type":"call","value":[1180,1852,2208,1539]},{"type":"call","value":[1180,1852,764,330]}],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"number","number":23,"description":"AF_INET6"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1346]},{"type":"call","value":[1180,1852,236,1106]}],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"query or enumerate registry 
key":{"meta":{"name":"query or enumerate registry key","namespace":"host-interaction/registry","authors":["michael.hunhoff@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Discovery","Query Registry"],"tactic":"Discovery","technique":"Query Registry","subtechnique":"","id":"T1012"}],"mbc":[{"parts":["Operating System","Registry","Query Registry Key"],"objective":"Operating System","behavior":"Registry","method":"Query Registry Key","id":"C0036.005"}],"references":[],"examples":["493167E85E45363D09495D0841C30648:0x404930","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402608"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: query or enumerate registry key\n namespace: host-interaction/registry\n authors:\n - michael.hunhoff@mandiant.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Discovery::Query Registry [T1012]\n mbc:\n - Operating System::Registry::Query Registry Key [C0036.005]\n examples:\n - 493167E85E45363D09495D0841C30648:0x404930\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402608\n features:\n - and:\n - optional:\n - match: create or open registry key\n - or:\n - api: advapi32.RegEnumKey\n - api: advapi32.RegEnumKeyEx\n - api: advapi32.RegQueryInfoKeyA\n - api: ZwQueryKey\n - api: ZwEnumerateKey\n - api: NtQueryKey\n - api: NtEnumerateKey\n - api: RtlCheckRegistryKey\n - api: SHEnumKeyEx\n - api: SHQueryInfoKey\n - api: SHRegEnumUSKey\n - api: SHRegQueryInfoUSKey\n - api: Microsoft.Win32.RegistryKey::GetSubKeyNames\n - api: Microsoft.Win32.RegistryKey::OpenBaseKey\n - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey\n - api: Microsoft.Win32.RegistryKey::OpenSubKey\n","matches":[[{"type":"process","value":[1180,1852]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create 
or open registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"fea
ture","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,1156,2351]},{"type":"call","value":[1180,1852,1156,3679]},{"type":"call","value":[1180,1852,1156,2573]},{"type":"call","value":[1180,1852,1156,4964]},{"type":"call","value":[1180,1852,1156,4956]},{"type":"call","value":[1180,1852,1156,2567]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature",
"feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1181]},{"type":"call","value":[1180,1852,236
,1160]},{"type":"call","value":[1180,1852,236,1133]},{"type":"call","value":[1180,1852,236,1173]},{"type":"call","value":[1180,1852,236,1113]},{"type":"call","value":[1180,1852,236,1121]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api
","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,920,45]},{"type":"call","value":[1180,1852,920,42]},{"type":"call","value":[1180,1852,920,32]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locat
ions":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1180,1852,1156]},{"type":"thread","value":[1180,1852,236]},{"type":"thread","value":[1180,1852,920]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryInfoKeyA"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"
type":"api","api":"NtQueryKey"}},"children":[],"locations":[{"type":"call","value":[1180,1852,236,1143]},{"type":"call","value":[1180,1852,236,1144]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCheckRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryInfoKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryInfoUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetSubKeyNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1200,1248]},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open 
registry key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","f
eature":{"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,1560,6255]},{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1560,6254]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1200,1248,1560]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegE
numKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegEnumKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegQueryInfoKeyA"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwQueryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwEnumerateKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtQueryKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2324,6184]},{"type":"call","value":[1200,1248,2324,6187]},{"type":"call","value":[1200,1248,2324,6190]},{"type":"call","value":[1200,1248,2324,6205]},{"type":"call","value":[1200,1248,2324,6176]},{"type":"call","value":[1200,1248,2324,6182]},{"type":"call","value":[1200,1248,2324,6211]},{"type":"call","value":[1200,1248,2324,6191]},{"type":"call","value":[1200,1248,2324,6194]},{"type":"call","value":[1200,1248,2324,6177]},{"type":"call","value":[1200,1248,2324,6206]},{"type":"call","value":[1200,1248,2324,6212]},{"type":"call","value":[1200,1248,2324,6180]},{"type":"call","value":[1200,1248,2324,6209]},{"type":"call","value":[1200,1248,2324,6215]},{"type":"call","value":[1200,1248,2324,6183]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtEnumerateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCheckRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHEnumKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHQueryInfoKey"}},"children":[],"locations":[],
"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegEnumUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegQueryInfoUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::GetSubKeyNames"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"set registry value":{"meta":{"name":"set registry value","namespace":"host-interaction/registry/create","authors":["moritz.raabe@mandiant.com","michael.hunhoff@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[],"mbc":[{"parts":["Operating System","Registry","Set Registry Key"],"objective":"Operating System","behavior":"Registry","method":"Set Registry Key","id":"C0036.001"}],"references":[],"examples":["BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E","B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E","98c37c3c23bbfb362dac7754c6ba48e75cf24d73bc963a4cdfca557b9e016909:0x40294D"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: set registry value\n namespace: host-interaction/registry/create\n authors:\n - moritz.raabe@mandiant.com\n - michael.hunhoff@mandiant.com\n scopes:\n static: function\n dynamic: process\n mbc:\n - Operating System::Registry::Set Registry Key 
[C0036.001]\n examples:\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E\n - 98c37c3c23bbfb362dac7754c6ba48e75cf24d73bc963a4cdfca557b9e016909:0x40294D\n features:\n - or:\n - and:\n - optional:\n - match: create or open registry key\n - or:\n - api: advapi32.RegSetValue\n - api: advapi32.RegSetValueEx\n - api: advapi32.RegSetKeyValue\n - api: ZwSetValueKey\n - api: NtSetValueKey\n - api: RtlWriteRegistryValue\n - api: SHSetValue\n - api: SHRegSetPath\n - api: SHRegSetValue\n - api: SHRegSetUSValue\n - api: SHRegWriteUSValue\n - api: Microsoft.Win32.RegistryKey::SetValue\n - api: Microsoft.Win32.Registry::SetValue\n - and:\n - match: host-interaction/process/create\n - string: \"/add/i\"\n - or:\n - string: \"/reg(|.exe)/i\"\n - string: \"/hklm/i\"\n - string: \"/HKEY_LOCAL_MACHINE/i\"\n - string: \"/hkcu/i\"\n - string: \"/HKEY_CURRENT_USER/i\"\n","matches":[[{"type":"process","value":[1200,1248]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"match","match":"host-interaction/process/create"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/add/i"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1460,5981]},{"type":"call","value":[1200,1248,1460,5943]},{"type":"call","value":[1200,1248,1460,6161]},{"type":"call","value":[1200,1248,1460,5955]},{"type":"call","value":[1200,1248,1460,5894]},{"type":"call","value":[1200,1248,1460,6167]},{"type":"call","value":[1200,1248,1460,5926]},{"type":"call","value":[1200,1248,1656,6112]},{"type":"call","value":[1200,1248,1460,5967]},{"type":"call","value":[1200,1248,1460,5990]},{"type":"call","value":[1200,1248,1460,5996]},{"type":"call","value":[1200,1248,1460,6147]},{"type":"ca
ll","value":[1200,1248,2544,282]},{"type":"call","value":[1200,1248,2544,53]},{"type":"call","value":[1200,1248,2544,294]},{"type":"call","value":[1200,1248,1460,5947]},{"type":"call","value":[1200,1248,424,1782]},{"type":"call","value":[1200,1248,1656,5602]},{"type":"call","value":[1200,1248,1460,5959]},{"type":"call","value":[1200,1248,1460,5910]},{"type":"call","value":[1200,1248,1460,5939]},{"type":"call","value":[1200,1248,2544,254]},{"type":"call","value":[1200,1248,1460,5971]},{"type":"call","value":[1200,1248,1460,5977]},{"type":"call","value":[1200,1248,1460,5916]},{"type":"call","value":[1200,1248,1460,5922]},{"type":"call","value":[1200,1248,1460,5951]},{"type":"call","value":[1200,1248,2544,147]},{"type":"call","value":[1200,1248,1460,5986]},{"type":"call","value":[1200,1248,1460,5963]},{"type":"call","value":[1200,1248,1460,6155]}],"captures":{"LdrLoadDll":[{"type":"call","value":[1200,1248,424,1782]},{"type":"call","value":[1200,1248,2544,294]}],"A2A9545D-A0C2-42B4-9708-A0B2BADD77C8":[{"type":"call","value":[1200,1248,1460,5981]},{"type":"call","value":[1200,1248,1460,5943]},{"type":"call","value":[1200,1248,1460,6161]},{"type":"call","value":[1200,1248,1460,5955]},{"type":"call","value":[1200,1248,1460,5894]},{"type":"call","value":[1200,1248,1460,6167]},{"type":"call","value":[1200,1248,1460,5926]},{"type":"call","value":[1200,1248,1656,6112]},{"type":"call","value":[1200,1248,1460,5967]},{"type":"call","value":[1200,1248,1460,5990]},{"type":"call","value":[1200,1248,1460,5996]},{"type":"call","value":[1200,1248,1460,6147]},{"type":"call","value":[1200,1248,1460,5947]},{"type":"call","value":[1200,1248,1656,5602]},{"type":"call","value":[1200,1248,1460,5959]},{"type":"call","value":[1200,1248,1460,5910]},{"type":"call","value":[1200,1248,1460,5939]},{"type":"call","value":[1200,1248,1460,5971]},{"type":"call","value":[1200,1248,1460,5977]},{"type":"call","value":[1200,1248,1460,5916]},{"type":"call","value":[1200,1248,1460,5922]},{"type":"call","valu
e":[1200,1248,1460,5951]},{"type":"call","value":[1200,1248,1460,5986]},{"type":"call","value":[1200,1248,1460,5963]},{"type":"call","value":[1200,1248,1460,6155]}],"GetProcAddress":[{"type":"call","value":[1200,1248,2544,53]},{"type":"call","value":[1200,1248,2544,147]}],"HttpAddRequestHeadersA":[{"type":"call","value":[1200,1248,2544,282]},{"type":"call","value":[1200,1248,2544,254]}]}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/reg(|.exe)/i"}},"children":[],"locations":[{"type":"call","value":[1200,1248,2544,195]},{"type":"call","value":[1200,1248,2544,192]},{"type":"call","value":[1200,1248,2544,198]},{"type":"call","value":[1200,1248,2324,6190]},{"type":"call","value":[1200,1248,1860,4467]},{"type":"call","value":[1200,1248,2324,6193]},{"type":"call","value":[1200,1248,2324,6205]},{"type":"call","value":[1200,1248,2324,6179]},{"type":"call","value":[1200,1248,2324,6208]},{"type":"call","value":[1200,1248,2544,193]},{"type":"call","value":[1200,1248,2324,6176]},{"type":"call","value":[1200,1248,2324,6211]},{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,2544,196]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,2324,6214]},{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,2544,199]},{"type":"call","value":[1200,1248,1460,31]},{"type":"call","value":[1200,1248,1860,4468]},{"type":"call","value":[1200,1248,2544,191]},{"type":"call","value":[1200,1248,2324,6186]},{"type":"call","value":[1200,1248,2544,194]},{"type":"call","value":[1200,1248,2324,6183]},{"type":"call","value":[1200,1248,2544,197]},{"type":"call","value":[1200,1248,1560,6254]}],"captures":{"WerRegisterMemoryBlock":[{"type":"call","value":[1200,1248,1460,31]}],"RegOpenKeyExA":[{"type":"call","value":[1200,1248,2544,191]}],"RegCreateKeyExA":[{"type":"call","value":[1200,1248,2544,192]}],"RegQuery
InfoKeyA":[{"type":"call","value":[1200,1248,2544,193]}],"RegEnumValueA":[{"type":"call","value":[1200,1248,2544,194]}],"RegEnumKeyExA":[{"type":"call","value":[1200,1248,2544,195]}],"RegSetValueExA":[{"type":"call","value":[1200,1248,2544,196]}],"RegQueryValueExA":[{"type":"call","value":[1200,1248,2544,197]}],"RegCloseKey":[{"type":"call","value":[1200,1248,2544,198]}],"RegDeleteValueA":[{"type":"call","value":[1200,1248,2544,199]}],"HKEY_CLASSES_ROOT\\.reg":[{"type":"call","value":[1200,1248,1860,4467]}],".reg":[{"type":"call","value":[1200,1248,1860,4467]}],"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.reg":[{"type":"call","value":[1200,1248,1860,4468]}],"SystemFileAssociations\\.reg":[{"type":"call","value":[1200,1248,1860,4468]}],"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}":[{"type":"call","value":[1200,1248,2324,6176]},{"type":"call","value":[1200,1248,2324,6183]},{"type":"call","value":[1200,1248,2324,6205]},{"type":"call","value":[1200,1248,2324,6211]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs":[{"type":"call","value":[1200,1248,2324,6179]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6186]}],"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}":[{"type":"call","value":[1200,1248,2324,6190]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6193]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32":[{"type":"call","value":[1200,1248,2324,6208]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000_Classes\\CLSID\\{B196B286-BAB4-101A-B69C-
00AA00341D07}\\InprocHandler":[{"type":"call","value":[1200,1248,2324,6214]}],"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings":[{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6276]}],"\\REGISTRY\\USER\\S-1-5-21-2237850072-885592287-911325625-1000":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6254]}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/hklm/i"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/HKEY_LOCAL_MACHINE/i"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1860,3325]},{"type":"call","value":[1200,1248,1860,2498]},{"type":"call","value":[1200,1248,1860,4740]},{"type":"call","value":[1200,1248,1860,3428]},{"type":"call","value":[1200,1248,1860,3019]},{"type":"call","value":[1200,1248,1860,5243]},{"type":"call","value":[1200,1248,1860,5252]},{"type":"call","value":[1200,1248,1860,3046]},{"type":"call","value":[1200,1248,1560,6237]},{"type":"call","value":[1200,1248,1860,3302]},{"type":"call","value":[1200,1248,1860,3549]},{"type":"call","value":[1200,1248,1860,2228]},{"type":"call","value":[1200,1248,1860,4452]},{"type":"call","value":[1200,1248,1860,2246]},{"type":"call","value":[1200,1248,1860,4479]},{"type":"call","value":[1200,1248,1860,2264]},{"type":"call","value":[1200,1248,1860,4717]},{"type":"call","value":[1200,1248,1860,3405]},{"type":"call","value":[1200,1248,1860,4070]},{"type":"call","value":[1200,1248,1860,3176]},{"type":"call","value":[1200,1248,1860,4735]},{"type":"call","value":[1200,1248,1860,3414]},{"type":"call","value":[1200,1248,1860,2758]},{"type":"call","value":[1200,1248,1860,2529]},{"type":"call","value":[1200,1248,1860,5409]},{"type":"call","value":[1200,1248,1860,4326]},{"type":"call","value":[1200,1248,1860,2111]},{"type":"call","value":[1200,1248,1860,4097]},{"type":"call","value":[1200,1248,1
860,2776]},{"type":"call","value":[1200,1248,1860,2120]},{"type":"call","value":[1200,1248,1860,4344]},{"type":"call","value":[1200,1248,1860,3688]},{"type":"call","value":[1200,1248,1860,4591]},{"type":"call","value":[1200,1248,1860,3935]},{"type":"call","value":[1200,1248,1860,4838]},{"type":"call","value":[1200,1248,1860,4182]},{"type":"call","value":[1200,1248,1860,5274]},{"type":"call","value":[1200,1248,1860,3953]},{"type":"call","value":[1200,1248,1860,4618]},{"type":"call","value":[1200,1248,1560,6232]},{"type":"call","value":[1200,1248,1860,1976]},{"type":"call","value":[1200,1248,1860,4856]},{"type":"call","value":[1200,1248,1860,4200]},{"type":"call","value":[1200,1248,1860,5103]},{"type":"call","value":[1200,1248,1860,5530]},{"type":"call","value":[1200,1248,1860,2888]},{"type":"call","value":[1200,1248,1860,1994]},{"type":"call","value":[1200,1248,1860,4874]},{"type":"call","value":[1200,1248,1860,4218]},{"type":"call","value":[1200,1248,1860,3135]},{"type":"call","value":[1200,1248,1860,3562]},{"type":"call","value":[1200,1248,1860,3800]},{"type":"call","value":[1200,1248,1860,2906]},{"type":"call","value":[1200,1248,1860,3571]},{"type":"call","value":[1200,1248,1860,4703]},{"type":"call","value":[1200,1248,1860,5130]},{"type":"call","value":[1200,1248,1860,1832]},{"type":"call","value":[1200,1248,1860,5377]},{"type":"call","value":[1200,1248,1860,3827]},{"type":"call","value":[1200,1248,1860,3171]},{"type":"call","value":[1200,1248,1860,2515]},{"type":"call","value":[1200,1248,1860,4083]},{"type":"call","value":[1200,1248,1860,2344]},{"type":"call","value":[1200,1248,1860,3674]},{"type":"call","value":[1200,1248,1252,6072]},{"type":"call","value":[1200,1248,1860,2362]},{"type":"call","value":[1200,1248,1860,5260]},{"type":"call","value":[1200,1248,1860,4604]},{"type":"call","value":[1200,1248,1860,1962]},{"type":"call","value":[1200,1248,1560,6227]},{"type":"call","value":[1200,1248,1860,4851]},{"type":"call","value":[1200,1248,1860,3795]},{"type":"ca
ll","value":[1200,1248,1860,1818]},{"type":"call","value":[1200,1248,1860,2483]},{"type":"call","value":[1200,1248,1860,5363]},{"type":"call","value":[1200,1248,1860,3166]},{"type":"call","value":[1200,1248,1860,2083]},{"type":"call","value":[1200,1248,1860,2510]},{"type":"call","value":[1200,1248,1860,4972]},{"type":"call","value":[1200,1248,1860,3422]},{"type":"call","value":[1200,1248,1860,2101]},{"type":"call","value":[1200,1248,1860,4981]},{"type":"call","value":[1200,1248,1860,4990]},{"type":"call","value":[1200,1248,1860,3013]},{"type":"call","value":[1200,1248,1860,3251]},{"type":"call","value":[1200,1248,1252,6076]},{"type":"call","value":[1200,1248,1860,3031]},{"type":"call","value":[1200,1248,1860,3269]},{"type":"call","value":[1200,1248,1860,3507]},{"type":"call","value":[1200,1248,1860,5493]},{"type":"call","value":[1200,1248,1860,3287]},{"type":"call","value":[1200,1248,1860,3525]},{"type":"call","value":[1200,1248,1860,4428]},{"type":"call","value":[1200,1248,1860,3772]},{"type":"call","value":[1200,1248,1860,2222]},{"type":"call","value":[1200,1248,1860,4446]},{"type":"call","value":[1200,1248,1860,3790]},{"type":"call","value":[1200,1248,1860,2240]},{"type":"call","value":[1200,1248,1860,4464]},{"type":"call","value":[1200,1248,1860,4046]},{"type":"call","value":[1200,1248,1860,4711]},{"type":"call","value":[1200,1248,1860,3390]},{"type":"call","value":[1200,1248,1860,4949]},{"type":"call","value":[1200,1248,1860,2734]},{"type":"call","value":[1200,1248,1860,3399]},{"type":"call","value":[1200,1248,1860,2078]},{"type":"call","value":[1200,1248,1860,4064]},{"type":"call","value":[1200,1248,1860,4302]},{"type":"call","value":[1200,1248,1860,3646]},{"type":"call","value":[1200,1248,1860,2752]},{"type":"call","value":[1200,1248,1860,4320]},{"type":"call","value":[1200,1248,1860,5223]},{"type":"call","value":[1200,1248,1860,4567]},{"type":"call","value":[1200,1248,1860,3911]},{"type":"call","value":[1200,1248,1860,1934]},{"type":"call","value":[1200,1248
,1860,4814]},{"type":"call","value":[1200,1248,1860,4158]},{"type":"call","value":[1200,1248,1860,4585]},{"type":"call","value":[1200,1248,1860,3929]},{"type":"call","value":[1200,1248,1860,2608]},{"type":"call","value":[1200,1248,1860,1952]},{"type":"call","value":[1200,1248,1860,4832]},{"type":"call","value":[1200,1248,1860,2617]},{"type":"call","value":[1200,1248,1860,4176]},{"type":"call","value":[1200,1248,1860,2626]},{"type":"call","value":[1200,1248,1860,5079]},{"type":"call","value":[1200,1248,1860,2864]},{"type":"call","value":[1200,1248,1860,1970]},{"type":"call","value":[1200,1248,1860,4194]},{"type":"call","value":[1200,1248,1860,5097]},{"type":"call","value":[1200,1248,1860,2882]},{"type":"call","value":[1200,1248,1560,6293]},{"type":"call","value":[1200,1248,1860,5344]},{"type":"call","value":[1200,1248,1860,3129]},{"type":"call","value":[1200,1248,1860,2055]},{"type":"call","value":[1200,1248,1860,4041]},{"type":"call","value":[1200,1248,1860,3623]},{"type":"call","value":[1200,1248,1860,2073]},{"type":"call","value":[1200,1248,1860,3632]},{"type":"call","value":[1200,1248,1860,2985]},{"type":"call","value":[1200,1248,1860,4553]},{"type":"call","value":[1200,1248,1860,3659]},{"type":"call","value":[1200,1248,1860,2338]},{"type":"call","value":[1200,1248,1860,3897]},{"type":"call","value":[1200,1248,1860,4800]},{"type":"call","value":[1200,1248,1860,2585]},{"type":"call","value":[1200,1248,1860,2356]},{"type":"call","value":[1200,1248,1860,2603]},{"type":"call","value":[1200,1248,1860,2185]},{"type":"call","value":[1200,1248,1560,6288]},{"type":"call","value":[1200,1248,1860,2459]},{"type":"call","value":[1200,1248,1860,1812]},{"type":"call","value":[1200,1248,1860,2477]},{"type":"call","value":[1200,1248,1860,4036]},{"type":"call","value":[1200,1248,1860,2068]},{"type":"call","value":[1200,1248,2324,6216]},{"type":"call","value":[1200,1248,1860,5451]},{"type":"call","value":[1200,1248,1860,3236]},{"type":"call","value":[1200,1248,1860,4139]},{"type":"
call","value":[1200,1248,1860,5469]},{"type":"call","value":[1200,1248,1860,2171]},{"type":"call","value":[1200,1248,1860,2836]},{"type":"call","value":[1200,1248,1860,1942]},{"type":"call","value":[1200,1248,1860,3501]},{"type":"call","value":[1200,1248,1860,4404]},{"type":"call","value":[1200,1248,1860,3748]},{"type":"call","value":[1200,1248,1860,3519]},{"type":"call","value":[1200,1248,1860,4422]},{"type":"call","value":[1200,1248,1860,2207]},{"type":"call","value":[1200,1248,1860,3766]},{"type":"call","value":[1200,1248,1860,2454]},{"type":"call","value":[1200,1248,1860,2036]},{"type":"call","value":[1200,1248,1860,4916]},{"type":"call","value":[1200,1248,1860,4260]},{"type":"call","value":[1200,1248,1860,4031]},{"type":"call","value":[1200,1248,1860,2710]},{"type":"call","value":[1200,1248,1860,3375]},{"type":"call","value":[1200,1248,1860,4934]},{"type":"call","value":[1200,1248,1860,5172]},{"type":"call","value":[1200,1248,1860,4278]},{"type":"call","value":[1200,1248,1860,2063]},{"type":"call","value":[1200,1248,1860,2728]},{"type":"call","value":[1200,1248,1860,5190]},{"type":"call","value":[1200,1248,1860,4296]},{"type":"call","value":[1200,1248,2324,6202]},{"type":"call","value":[1200,1248,1860,4534]},{"type":"call","value":[1200,1248,1860,3213]},{"type":"call","value":[1200,1248,1860,3640]},{"type":"call","value":[1200,1248,1860,3878]},{"type":"call","value":[1200,1248,1860,2557]},{"type":"call","value":[1200,1248,1860,3222]},{"type":"call","value":[1200,1248,1252,6038]},{"type":"call","value":[1200,1248,1860,4781]},{"type":"call","value":[1200,1248,1860,3905]},{"type":"call","value":[1200,1248,1860,5037]},{"type":"call","value":[1200,1248,1860,5464]},{"type":"call","value":[1200,1248,1860,4808]},{"type":"call","value":[1200,1248,1860,5055]},{"type":"call","value":[1200,1248,1860,5073]},{"type":"call","value":[1200,1248,1860,2431]},{"type":"call","value":[1200,1248,1860,2202]},{"type":"call","value":[1200,1248,1860,4664]},{"type":"call","value":[1200,12
48,1860,2449]},{"type":"call","value":[1200,1248,1560,6287]},{"type":"call","value":[1200,1248,1860,5338]},{"type":"call","value":[1200,1248,1860,4026]},{"type":"call","value":[1200,1248,1860,3608]},{"type":"call","value":[1200,1248,1860,2287]},{"type":"call","value":[1200,1248,1860,2296]},{"type":"call","value":[1200,1248,2324,6188]},{"type":"call","value":[1200,1248,1860,4520]},{"type":"call","value":[1200,1248,1860,2305]},{"type":"call","value":[1200,1248,2324,6197]},{"type":"call","value":[1200,1248,1860,2979]},{"type":"call","value":[1200,1248,1860,5203]},{"type":"call","value":[1200,1248,1860,2152]},{"type":"call","value":[1200,1248,1860,2579]},{"type":"call","value":[1200,1248,1860,3064]},{"type":"call","value":[1200,1248,1860,5288]},{"type":"call","value":[1200,1248,1860,2179]},{"type":"call","value":[1200,1248,1860,3082]},{"type":"call","value":[1200,1248,1860,4659]},{"type":"call","value":[1200,1248,1860,3338]},{"type":"call","value":[1200,1248,1860,5324]},{"type":"call","value":[1200,1248,1860,3347]},{"type":"call","value":[1200,1248,1560,6291]},{"type":"call","value":[1200,1248,1860,3356]},{"type":"call","value":[1200,1248,1860,3365]},{"type":"call","value":[1200,1248,1860,4506]},{"type":"call","value":[1200,1248,2324,6201]},{"type":"call","value":[1200,1248,2324,6210]},{"type":"call","value":[1200,1248,1860,4115]},{"type":"call","value":[1200,1248,1860,5445]},{"type":"call","value":[1200,1248,1860,3230]},{"type":"call","value":[1200,1248,1860,4362]},{"type":"call","value":[1200,1248,1860,4133]},{"type":"call","value":[1200,1248,1860,2812]},{"type":"call","value":[1200,1248,1860,3715]},{"type":"call","value":[1200,1248,1860,4380]},{"type":"call","value":[1200,1248,1860,2403]},{"type":"call","value":[1200,1248,1860,2830]},{"type":"call","value":[1200,1248,1860,4627]},{"type":"call","value":[1200,1248,1860,3971]},{"type":"call","value":[1200,1248,1860,4398]},{"type":"call","value":[1200,1248,1560,6250]},{"type":"call","value":[1200,1248,1860,3742]},{"type"
:"call","value":[1200,1248,1860,3989]},{"type":"call","value":[1200,1248,1860,5548]},{"type":"call","value":[1200,1248,1860,4654]},{"type":"call","value":[1200,1248,1860,2012]},{"type":"call","value":[1200,1248,1860,5319]},{"type":"call","value":[1200,1248,1860,2677]},{"type":"call","value":[1200,1248,1860,4236]},{"type":"call","value":[1200,1248,1560,6277]},{"type":"call","value":[1200,1248,1860,3580]},{"type":"call","value":[1200,1248,1860,2924]},{"type":"call","value":[1200,1248,1860,2030]},{"type":"call","value":[1200,1248,1860,3589]},{"type":"call","value":[1200,1248,1860,2695]},{"type":"call","value":[1200,1248,1860,4254]},{"type":"call","value":[1200,1248,1860,4910]},{"type":"call","value":[1200,1248,1860,5148]},{"type":"call","value":[1200,1248,1860,3598]},{"type":"call","value":[1200,1248,1860,5575]},{"type":"call","value":[1200,1248,1860,3616]},{"type":"call","value":[1200,1248,1860,3854]},{"type":"call","value":[1200,1248,1860,4092]},{"type":"call","value":[1200,1248,1860,1877]},{"type":"call","value":[1200,1248,1860,4757]},{"type":"call","value":[1200,1248,1860,2542]},{"type":"call","value":[1200,1248,1860,4528]},{"type":"call","value":[1200,1248,1860,3445]},{"type":"call","value":[1200,1248,1860,3872]},{"type":"call","value":[1200,1248,1860,4110]},{"type":"call","value":[1200,1248,1860,4775]},{"type":"call","value":[1200,1248,1860,5013]},{"type":"call","value":[1200,1248,1860,5031]},{"type":"call","value":[1200,1248,1860,3481]},{"type":"call","value":[1200,1248,1860,5049]},{"type":"call","value":[1200,1248,1860,3728]},{"type":"call","value":[1200,1248,1860,2654]},{"type":"call","value":[1200,1248,1860,4640]},{"type":"call","value":[1200,1248,1860,3319]},{"type":"call","value":[1200,1248,1860,2425]},{"type":"call","value":[1200,1248,1860,5305]},{"type":"call","value":[1200,1248,1860,2663]},{"type":"call","value":[1200,1248,1860,5561]},{"type":"call","value":[1200,1248,1860,2281]},{"type":"call","value":[1200,1248,1860,3840]},{"type":"call","value":[1200,
1248,1860,2946]},{"type":"call","value":[1200,1248,1860,4999]},{"type":"call","value":[1200,1248,1860,2128]},{"type":"call","value":[1200,1248,1860,2146]},{"type":"call","value":[1200,1248,1560,6222]},{"type":"call","value":[1200,1248,1860,3058]},{"type":"call","value":[1200,1248,1860,5282]},{"type":"call","value":[1200,1248,1560,6240]},{"type":"call","value":[1200,1248,1860,3076]},{"type":"call","value":[1200,1248,1860,4473]},{"type":"call","value":[1200,1248,1860,2258]},{"type":"call","value":[1200,1248,1860,5385]},{"type":"call","value":[1200,1248,1860,4491]},{"type":"call","value":[1200,1248,1860,2276]},{"type":"call","value":[1200,1248,1860,4729]},{"type":"call","value":[1200,1248,1860,2941]},{"type":"call","value":[1200,1248,1860,5165]},{"type":"call","value":[1200,1248,1860,5403]},{"type":"call","value":[1200,1248,1860,2770]},{"type":"call","value":[1200,1248,1860,3197]},{"type":"call","value":[1200,1248,1860,5421]},{"type":"call","value":[1200,1248,1860,4338]},{"type":"call","value":[1200,1248,1860,3682]},{"type":"call","value":[1200,1248,1860,2797]},{"type":"call","value":[1200,1248,1860,4356]},{"type":"call","value":[1200,1248,1860,2379]},{"type":"call","value":[1200,1248,1860,3709]},{"type":"call","value":[1200,1248,1860,3947]},{"type":"call","value":[1200,1248,1860,4374]},{"type":"call","value":[1200,1248,1860,4612]},{"type":"call","value":[1200,1248,1860,2397]},{"type":"call","value":[1200,1248,1860,2635]},{"type":"call","value":[1200,1248,1860,3965]},{"type":"call","value":[1200,1248,1860,2644]},{"type":"call","value":[1200,1248,1860,5524]},{"type":"call","value":[1200,1248,1860,1988]},{"type":"call","value":[1200,1248,1860,4868]},{"type":"call","value":[1200,1248,1860,4212]},{"type":"call","value":[1200,1248,1860,5542]},{"type":"call","value":[1200,1248,1860,2900]},{"type":"call","value":[1200,1248,1860,2006]},{"type":"call","value":[1200,1248,1860,2671]},{"type":"call","value":[1200,1248,1860,4230]},{"type":"call","value":[1200,1248,1860,5124]},{"typ
e":"call","value":[1200,1248,1860,3147]},{"type":"call","value":[1200,1248,1860,2918]},{"type":"call","value":[1200,1248,1860,5371]},{"type":"call","value":[1200,1248,1860,5142]},{"type":"call","value":[1200,1248,1860,3821]},{"type":"call","value":[1200,1248,1860,5398]},{"type":"call","value":[1200,1248,1860,3183]},{"type":"call","value":[1200,1248,1860,1871]},{"type":"call","value":[1200,1248,1860,4751]},{"type":"call","value":[1200,1248,1860,2536]},{"type":"call","value":[1200,1248,1860,3439]},{"type":"call","value":[1200,1248,1860,2783]},{"type":"call","value":[1200,1248,1860,5007]},{"type":"call","value":[1200,1248,1860,3695]},{"type":"call","value":[1200,1248,1860,2374]},{"type":"call","value":[1200,1248,1560,6221]},{"type":"call","value":[1200,1248,1860,2392]},{"type":"call","value":[1200,1248,1860,5510]},{"type":"call","value":[1200,1248,1860,3313]},{"type":"call","value":[1200,1248,1860,5110]},{"type":"call","value":[1200,1248,1860,4881]},{"type":"call","value":[1200,1248,1860,3807]},{"type":"call","value":[1200,1248,1860,3160]},{"type":"call","value":[1200,1248,1860,1839]},{"type":"call","value":[1200,1248,1860,2504]},{"type":"call","value":[1200,1248,1860,1848]},{"type":"call","value":[1200,1248,1860,5393]},{"type":"call","value":[1200,1248,1860,1857]},{"type":"call","value":[1200,1248,1860,3007]},{"type":"call","value":[1200,1248,1860,3434]},{"type":"call","value":[1200,1248,1860,3025]},{"type":"call","value":[1200,1248,1860,3263]},{"type":"call","value":[1200,1248,1860,3281]},{"type":"call","value":[1200,1248,1860,2387]},{"type":"call","value":[1200,1248,1860,5505]},{"type":"call","value":[1200,1248,1560,6225]},{"type":"call","value":[1200,1248,1560,6234]},{"type":"call","value":[1200,1248,1860,4440]},{"type":"call","value":[1200,1248,1860,3784]},{"type":"call","value":[1200,1248,1860,3555]},{"type":"call","value":[1200,1248,1860,2234]},{"type":"call","value":[1200,1248,1860,4458]},{"type":"call","value":[1200,1248,1860,2252]},{"type":"call","value":[120
0,1248,1860,2490]},{"type":"call","value":[1200,1248,1860,3155]},{"type":"call","value":[1200,1248,1860,4058]},{"type":"call","value":[1200,1248,1860,4723]},{"type":"call","value":[1200,1248,1860,2746]},{"type":"call","value":[1200,1248,1860,4076]},{"type":"call","value":[1200,1248,1860,4314]},{"type":"call","value":[1200,1248,1860,2764]},{"type":"call","value":[1200,1248,1860,5217]},{"type":"call","value":[1200,1248,1860,3002]},{"type":"call","value":[1200,1248,1860,4561]},{"type":"call","value":[1200,1248,1860,3667]},{"type":"call","value":[1200,1248,1860,4332]},{"type":"call","value":[1200,1248,1860,5235]},{"type":"call","value":[1200,1248,1860,4579]},{"type":"call","value":[1200,1248,1252,6074]},{"type":"call","value":[1200,1248,1860,3923]},{"type":"call","value":[1200,1248,1860,4826]},{"type":"call","value":[1200,1248,1860,4170]},{"type":"call","value":[1200,1248,1860,4597]},{"type":"call","value":[1200,1248,1860,3941]},{"type":"call","value":[1200,1248,1860,2858]},{"type":"call","value":[1200,1248,1860,4844]},{"type":"call","value":[1200,1248,1860,4188]},{"type":"call","value":[1200,1248,1860,3294]},{"type":"call","value":[1200,1248,1860,3532]},{"type":"call","value":[1200,1248,1860,5091]},{"type":"call","value":[1200,1248,1860,5518]},{"type":"call","value":[1200,1248,1860,2876]},{"type":"call","value":[1200,1248,1860,1982]},{"type":"call","value":[1200,1248,1860,3541]},{"type":"call","value":[1200,1248,1860,4862]},{"type":"call","value":[1200,1248,1860,4206]},{"type":"call","value":[1200,1248,1860,3123]},{"type":"call","value":[1200,1248,1860,2894]},{"type":"call","value":[1200,1248,1860,5118]},{"type":"call","value":[1200,1248,1860,5356]},{"type":"call","value":[1200,1248,1860,3141]},{"type":"call","value":[1200,1248,1860,3815]},{"type":"call","value":[1200,1248,1860,4965]},{"type":"call","value":[1200,1248,1860,2094]},{"type":"call","value":[1200,1248,1860,2332]},{"type":"call","value":[1200,1248,1860,2997]},{"type":"call","value":[1200,1248,1860,2350]},{"t
ype":"call","value":[1200,1248,1860,2597]},{"type":"call","value":[1200,1248,1252,6078]},{"type":"call","value":[1200,1248,1860,2368]},{"type":"call","value":[1200,1248,2304,6025]},{"type":"call","value":[1200,1248,1860,2853]},{"type":"call","value":[1200,1248,1860,2197]},{"type":"call","value":[1200,1248,1860,3109]},{"type":"call","value":[1200,1248,1860,5333]},{"type":"call","value":[1200,1248,1560,6300]},{"type":"call","value":[1200,1248,1860,2471]},{"type":"call","value":[1200,1248,1860,4695]},{"type":"call","value":[1200,1248,1860,1824]},{"type":"call","value":[1200,1248,1860,3383]},{"type":"call","value":[1200,1248,1860,4960]},{"type":"call","value":[1200,1248,1860,2089]},{"type":"call","value":[1200,1248,1860,2327]},{"type":"call","value":[1200,1248,1860,3257]},{"type":"call","value":[1200,1248,1860,3495]},{"type":"call","value":[1200,1248,1860,2848]},{"type":"call","value":[1200,1248,1860,3275]},{"type":"call","value":[1200,1248,1860,3513]},{"type":"call","value":[1200,1248,1860,5499]},{"type":"call","value":[1200,1248,2304,6029]},{"type":"call","value":[1200,1248,1860,4416]},{"type":"call","value":[1200,1248,1860,3760]},{"type":"call","value":[1200,1248,1860,3104]},{"type":"call","value":[1200,1248,1860,4434]},{"type":"call","value":[1200,1248,1860,3778]},{"type":"call","value":[1200,1248,1560,6295]},{"type":"call","value":[1200,1248,1860,2048]},{"type":"call","value":[1200,1248,1860,4928]},{"type":"call","value":[1200,1248,1860,4272]},{"type":"call","value":[1200,1248,1860,2722]},{"type":"call","value":[1200,1248,1860,4052]},{"type":"call","value":[1200,1248,1860,4290]},{"type":"call","value":[1200,1248,1860,4955]},{"type":"call","value":[1200,1248,1860,2740]},{"type":"call","value":[1200,1248,1860,2322]},{"type":"call","value":[1200,1248,1860,4308]},{"type":"call","value":[1200,1248,1860,4546]},{"type":"call","value":[1200,1248,1860,3652]},{"type":"call","value":[1200,1248,1860,5211]},{"type":"call","value":[1200,1248,1860,3890]},{"type":"call","value":[1
200,1248,1860,1913]},{"type":"call","value":[1200,1248,1860,4793]},{"type":"call","value":[1200,1248,1860,5458]},{"type":"call","value":[1200,1248,1860,3243]},{"type":"call","value":[1200,1248,1860,5229]},{"type":"call","value":[1200,1248,1860,4573]},{"type":"call","value":[1200,1248,1860,3917]},{"type":"call","value":[1200,1248,1860,5476]},{"type":"call","value":[1200,1248,1860,4820]},{"type":"call","value":[1200,1248,1460,6065]},{"type":"call","value":[1200,1248,1860,5485]},{"type":"call","value":[1200,1248,1860,4164]},{"type":"call","value":[1200,1248,1860,5067]},{"type":"call","value":[1200,1248,1860,5085]},{"type":"call","value":[1200,1248,1860,2443]},{"type":"call","value":[1200,1248,1860,2870]},{"type":"call","value":[1200,1248,1860,2214]},{"type":"call","value":[1200,1248,1860,4011]},{"type":"call","value":[1200,1248,1860,3117]},{"type":"call","value":[1200,1248,1860,4020]},{"type":"call","value":[1200,1248,1860,5350]},{"type":"call","value":[1200,1248,1860,2955]},{"type":"call","value":[1200,1248,1860,4941]},{"type":"call","value":[1200,1248,2324,6200]},{"type":"call","value":[1200,1248,1252,6036]},{"type":"call","value":[1200,1248,1860,2991]},{"type":"call","value":[1200,1248,1860,1908]},{"type":"call","value":[1200,1248,1860,2573]},{"type":"call","value":[1200,1248,1860,1926]},{"type":"call","value":[1200,1248,1860,2164]},{"type":"call","value":[1200,1248,1860,2591]},{"type":"call","value":[1200,1248,1860,4150]},{"type":"call","value":[1200,1248,1860,2191]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,1860,4006]},{"type":"call","value":[1200,1248,1860,2465]},{"type":"call","value":[1200,1248,1860,4689]},{"type":"call","value":[1200,1248,2324,6195]},{"type":"call","value":[1200,1248,1860,2312]},{"type":"call","value":[1200,1248,1860,2550]},{"type":"call","value":[1200,1248,1860,1894]},{"type":"call","value":[1200,1248,1860,5439]},{"type":"call","value":[1200,1248,1252,6040]},{"type":"call","value":[1200,1248,1860,2568]},{
"type":"call","value":[1200,1248,1860,4127]},{"type":"call","value":[1200,1248,1860,3471]},{"type":"call","value":[1200,1248,1860,1921]},{"type":"call","value":[1200,1248,1860,4145]},{"type":"call","value":[1200,1248,1860,2824]},{"type":"call","value":[1200,1248,1860,3489]},{"type":"call","value":[1200,1248,1860,4392]},{"type":"call","value":[1200,1248,1860,3736]},{"type":"call","value":[1200,1248,1860,2842]},{"type":"call","value":[1200,1248,1860,5295]},{"type":"call","value":[1200,1248,1860,3983]},{"type":"call","value":[1200,1248,1860,4410]},{"type":"call","value":[1200,1248,1860,4648]},{"type":"call","value":[1200,1248,1860,3754]},{"type":"call","value":[1200,1248,1860,5313]},{"type":"call","value":[1200,1248,1560,6262]},{"type":"call","value":[1200,1248,1860,3098]},{"type":"call","value":[1200,1248,1860,4001]},{"type":"call","value":[1200,1248,1860,2024]},{"type":"call","value":[1200,1248,1860,4904]},{"type":"call","value":[1200,1248,1860,2689]},{"type":"call","value":[1200,1248,1860,4248]},{"type":"call","value":[1200,1248,1860,5569]},{"type":"call","value":[1200,1248,1560,6298]},{"type":"call","value":[1200,1248,1860,2936]},{"type":"call","value":[1200,1248,1860,2042]},{"type":"call","value":[1200,1248,1860,4922]},{"type":"call","value":[1200,1248,1860,4266]},{"type":"call","value":[1200,1248,1860,2716]},{"type":"call","value":[1200,1248,1860,3848]},{"type":"call","value":[1200,1248,2324,6181]},{"type":"call","value":[1200,1248,1860,4284]},{"type":"call","value":[1200,1248,1860,3866]},{"type":"call","value":[1200,1248,2324,6199]},{"type":"call","value":[1200,1248,1860,1889]},{"type":"call","value":[1200,1248,1860,4769]},{"type":"call","value":[1200,1248,1860,5196]},{"type":"call","value":[1200,1248,1860,4540]},{"type":"call","value":[1200,1248,1860,3884]},{"type":"call","value":[1200,1248,1860,4787]},{"type":"call","value":[1200,1248,1860,5025]},{"type":"call","value":[1200,1248,1860,5043]},{"type":"call","value":[1200,1248,1860,5061]},{"type":"call","value":
[1200,1248,1860,2419]},{"type":"call","value":[1200,1248,1860,3093]},{"type":"call","value":[1200,1248,1860,3331]},{"type":"call","value":[1200,1248,1860,2437]},{"type":"call","value":[1200,1248,1860,4890]},{"type":"call","value":[1200,1248,1560,6275]},{"type":"call","value":[1200,1248,1860,4670]},{"type":"call","value":[1200,1248,1860,2702]},{"type":"call","value":[1200,1248,1860,5182]},{"type":"call","value":[1200,1248,2324,6203]},{"type":"call","value":[1200,1248,1860,3452]},{"type":"call","value":[1200,1248,1860,1902]},{"type":"call","value":[1200,1248,1860,3461]},{"type":"call","value":[1200,1248,1860,2140]},{"type":"call","value":[1200,1248,1860,3052]},{"type":"call","value":[1200,1248,1860,2158]},{"type":"call","value":[1200,1248,1860,3070]},{"type":"call","value":[1200,1248,1860,2414]},{"type":"call","value":[1200,1248,1560,6252]},{"type":"call","value":[1200,1248,1860,3088]},{"type":"call","value":[1200,1248,1860,4485]},{"type":"call","value":[1200,1248,1860,2270]},{"type":"call","value":[1200,1248,1860,5159]},{"type":"call","value":[1200,1248,1860,4512]},{"type":"call","value":[1200,1248,1860,3191]},{"type":"call","value":[1200,1248,1860,5415]},{"type":"call","value":[1200,1248,2324,6198]},{"type":"call","value":[1200,1248,1860,4103]},{"type":"call","value":[1200,1248,1860,2791]},{"type":"call","value":[1200,1248,1860,4350]},{"type":"call","value":[1200,1248,1860,2562]},{"type":"call","value":[1200,1248,1860,4121]},{"type":"call","value":[1200,1248,1860,3038]},{"type":"call","value":[1200,1248,1860,3703]},{"type":"call","value":[1200,1248,1860,4368]},{"type":"call","value":[1200,1248,1860,2818]},{"type":"call","value":[1200,1248,1560,6229]},{"type":"call","value":[1200,1248,1860,3721]},{"type":"call","value":[1200,1248,1860,3959]},{"type":"call","value":[1200,1248,1860,4386]},{"type":"call","value":[1200,1248,1860,2409]},{"type":"call","value":[1200,1248,1860,4633]},{"type":"call","value":[1200,1248,1860,3977]},{"type":"call","value":[1200,1248,1860,5536]}
,{"type":"call","value":[1200,1248,1860,2000]},{"type":"call","value":[1200,1248,1860,4224]},{"type":"call","value":[1200,1248,1560,6265]},{"type":"call","value":[1200,1248,1860,3995]},{"type":"call","value":[1200,1248,1860,5554]},{"type":"call","value":[1200,1248,1860,2912]},{"type":"call","value":[1200,1248,1860,2018]},{"type":"call","value":[1200,1248,1860,4898]},{"type":"call","value":[1200,1248,1860,2683]},{"type":"call","value":[1200,1248,1860,4242]},{"type":"call","value":[1200,1248,1860,5136]},{"type":"call","value":[1200,1248,1860,2930]},{"type":"call","value":[1200,1248,1860,5154]},{"type":"call","value":[1200,1248,1860,3833]},{"type":"call","value":[1200,1248,1860,4498]},{"type":"call","value":[1200,1248,1860,2521]},{"type":"call","value":[1200,1248,1860,1865]},{"type":"call","value":[1200,1248,1860,4745]},{"type":"call","value":[1200,1248,1860,3860]},{"type":"call","value":[1200,1248,1860,3204]},{"type":"call","value":[1200,1248,1860,1883]},{"type":"call","value":[1200,1248,1860,4763]},{"type":"call","value":[1200,1248,1860,5019]},{"type":"call","value":[1200,1248,1860,2804]},{"type":"call","value":[1200,1248,1860,5266]},{"type":"call","value":[1200,1248,1860,3307]},{"type":"call","value":[1200,1248,1560,6251]}],"captures":{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses":[{"type":"call","value":[1200,1248,1252,6074]},{"type":"call","value":[1200,1248,1252,6038]},{"type":"call","value":[1200,1248,1252,6076]},{"type":"call","value":[1200,1248,1252,6040]},{"type":"call","value":[1200,1248,1252,6072]},{"type":"call","value":[1200,1248,1252,6078]},{"type":"call","value":[1200,1248,1252,6036]},{"type":"call","value":[1200,1248,1460,6065]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.001\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1812]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1818]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3g2\\(Default)":[{"type":"call","value":[1200,1248,186
0,1824]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3ga\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1832]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\(Default)":[{"type":"call","value":[1200,1248,1860,1839]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\(Default)":[{"type":"call","value":[1200,1248,1860,1848]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\(Default)":[{"type":"call","value":[1200,1248,1860,1857]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.669\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1865]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.7z\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1871]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1877]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a52\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1883]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1889]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\(Default)":[{"type":"call","value":[1200,1248,1860,1894]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ac3\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1902]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1908]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\(Default)":[{"type":"call","value":[1200,1248,1860,1913]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1921]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\(Default)":[{"type":"call","value":[1200,1248,1860,1926]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1934]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\(Default)":[{"type":"call","value":[1200,1248,1860,1942]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\(Default)":[{"type":"call","value":[1200,1248,1860,1952]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aiff\\(Default)":[
{"type":"call","value":[1200,1248,1860,1962]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.amr\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1970]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.amv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1976]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1982]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1988]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aob\\PerceivedType":[{"type":"call","value":[1200,1248,1860,1994]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ape\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2000]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.application\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2006]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.appref-ms\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2012]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aps\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2018]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.arj\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2024]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2030]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2036]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2042]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ascx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2048]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\(Default)":[{"type":"call","value":[1200,1248,1860,2055]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2063]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\(Default)":[{"type":"call","value":[1200,1248,1860,2068]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\PerceivedType":[{"type":"call","value":[1200,1
248,1860,2073]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\(Default)":[{"type":"call","value":[1200,1248,1860,2078]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2083]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2089]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\(Default)":[{"type":"call","value":[1200,1248,1860,2094]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asx\\(Default)":[{"type":"call","value":[1200,1248,1860,2101]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.au\\(Default)":[{"type":"call","value":[1200,1248,1860,2111]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\(Default)":[{"type":"call","value":[1200,1248,1860,2120]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.b4s\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2128]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2140]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bik\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2146]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2152]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2158]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2164]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bmp\\(Default)":[{"type":"call","value":[1200,1248,1860,2171]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2179]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2185]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bz2\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2191]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2197]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\(D
efault)":[{"type":"call","value":[1200,1248,1860,2202]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c2r\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2207]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\(Default)":[{"type":"call","value":[1200,1248,1860,2214]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.caf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2222]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.camp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2228]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2234]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2240]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2246]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdmp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2252]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2258]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2264]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2270]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2276]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2281]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2287]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2296]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.compositefont\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2305]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.contact\\(Default)":[{"type":"call","value":[1200,1248,1860,2312]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\PerceivedType":[{"type":"call","value
":[1200,1248,1860,2322]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\(Default)":[{"type":"call","value":[1200,1248,1860,2327]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2332]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2338]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2344]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2350]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2356]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2362]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2368]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2374]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\(Default)":[{"type":"call","value":[1200,1248,1860,2379]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2387]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\(Default)":[{"type":"call","value":[1200,1248,1860,2392]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cue\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2397]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2403]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2409]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\(Default)":[{"type":"call","value":[1200,1248,1860,2414]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2419]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2425]}],"HKEY_LOCAL_MACHINE\\SOFTW
ARE\\Classes\\.dbg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2431]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2437]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2443]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2449]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\(Default)":[{"type":"call","value":[1200,1248,1860,2454]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2459]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.desklink\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2465]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagcab\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2471]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagcfg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2477]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diagpkg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2483]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\(Default)":[{"type":"call","value":[1200,1248,1860,2490]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2498]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.divx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2504]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2510]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\(Default)":[{"type":"call","value":[1200,1248,1860,2515]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\(Default)":[{"type":"call","value":[1200,1248,1860,2521]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2529]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\(Default)":[{"type":"call","value":[1200,1248,1860,2536]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\(Default)":[{"type"
:"call","value":[1200,1248,1860,2542]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2550]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\(Default)":[{"type":"call","value":[1200,1248,1860,2557]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2562]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2568]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2573]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2579]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2585]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dts\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2591]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2597]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2603]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\(Default)":[{"type":"call","value":[1200,1248,1860,2608]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\(Default)":[{"type":"call","value":[1200,1248,1860,2617]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\(Default)":[{"type":"call","value":[1200,1248,1860,2626]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\(Default)":[{"type":"call","value":[1200,1248,1860,2635]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\(Default)":[{"type":"call","value":[1200,1248,1860,2644]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\(Default)":[{"type":"call","value":[1200,1248,1860,2654]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\(Default)":[{"type":"call","value":[1200,1248,1860,2663]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2671]}],"HKEY_LOCAL_MACHINE\\
SOFTWARE\\Classes\\.etp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2677]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evo\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2683]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2689]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2695]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)":[{"type":"call","value":[1200,1248,1860,2702]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2710]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2716]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ex_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2722]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2728]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.f4v\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2734]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2740]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2746]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fky\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2752]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.flac\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2758]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.flv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2764]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2770]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2776]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\(Default)":[{"type":"call","value":[1200,1248,1860,2783]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\PerceivedType":[
{"type":"call","value":[1200,1248,1860,2791]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ghi\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2797]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\(Default)":[{"type":"call","value":[1200,1248,1860,2804]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2812]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2818]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.grp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2824]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gvi\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2830]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gxf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2836]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2842]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2848]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\(Default)":[{"type":"call","value":[1200,1248,1860,2853]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2858]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2864]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1F\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2870]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1H\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2876]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2882]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2888]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2894]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1T\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2900]}],"
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2906]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2912]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2918]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2924]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2930]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2936]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\(Default)":[{"type":"call","value":[1200,1248,1860,2941]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2946]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2955]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2979]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2985]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2991]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,2997]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\(Default)":[{"type":"call","value":[1200,1248,1860,3002]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.i\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3007]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3013]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3019]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3025]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icm\\Per
ceivedType":[{"type":"call","value":[1200,1248,1860,3031]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\(Default)":[{"type":"call","value":[1200,1248,1860,3038]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3046]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3052]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idq\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3058]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ifo\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3064]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3070]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3076]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3082]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3088]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\(Default)":[{"type":"call","value":[1200,1248,1860,3093]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3098]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3104]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)":[{"type":"call","value":[1200,1248,1860,3109]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3117]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3123]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3129]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3135]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\PerceivedType":[{"type":"call","value":[1200,1248,186
0,3141]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.it\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3147]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\(Default)":[{"type":"call","value":[1200,1248,1860,3155]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3160]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3166]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\(Default)":[{"type":"call","value":[1200,1248,1860,3171]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3176]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\(Default)":[{"type":"call","value":[1200,1248,1860,3183]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3191]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3197]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\(Default)":[{"type":"call","value":[1200,1248,1860,3204]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\(Default)":[{"type":"call","value":[1200,1248,1860,3213]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpg\\(Default)":[{"type":"call","value":[1200,1248,1860,3222]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3230]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3236]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtx\\(Default)":[{"type":"call","value":[1200,1248,1860,3243]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3251]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3257]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3263]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\Perc
eivedType":[{"type":"call","value":[1200,1248,1860,3269]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lha\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3275]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3281]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.library-ms\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3287]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\(Default)":[{"type":"call","value":[1200,1248,1860,3294]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.local\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3302]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3307]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lst\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3313]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3319]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lzh\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3325]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3331]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\(Default)":[{"type":"call","value":[1200,1248,1860,3338]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\(Default)":[{"type":"call","value":[1200,1248,1860,3347]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\(Default)":[{"type":"call","value":[1200,1248,1860,3356]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\(Default)":[{"type":"call","value":[1200,1248,1860,3365]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\(Default)":[{"type":"call","value":[1200,1248,1860,3375]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u8\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3383]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\(Default)":[{"type":"call","value":[1200,1248,1860,3390]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\(Default)":[{"type":"call","value":[1200,1248,1860,3399]}],"
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\(Default)":[{"type":"call","value":[1200,1248,1860,3405]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\(Default)":[{"type":"call","value":[1200,1248,1860,3414]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3422]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3428]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.manifest\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3434]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mapimail\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3439]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3445]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\(Default)":[{"type":"call","value":[1200,1248,1860,3452]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mhtml\\(Default)":[{"type":"call","value":[1200,1248,1860,3461]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mid\\(Default)":[{"type":"call","value":[1200,1248,1860,3471]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\(Default)":[{"type":"call","value":[1200,1248,1860,3481]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3489]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3495]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mka\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3501]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mkv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3507]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3513]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3519]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mmf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3525]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\(Defa
ult)":[{"type":"call","value":[1200,1248,1860,3532]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\(Default)":[{"type":"call","value":[1200,1248,1860,3541]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3549]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3555]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\(Default)":[{"type":"call","value":[1200,1248,1860,3562]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2v\\(Default)":[{"type":"call","value":[1200,1248,1860,3571]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\(Default)":[{"type":"call","value":[1200,1248,1860,3580]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\(Default)":[{"type":"call","value":[1200,1248,1860,3589]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\(Default)":[{"type":"call","value":[1200,1248,1860,3598]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\(Default)":[{"type":"call","value":[1200,1248,1860,3608]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3616]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\(Default)":[{"type":"call","value":[1200,1248,1860,3623]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg\\(Default)":[{"type":"call","value":[1200,1248,1860,3632]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3640]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg2\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3646]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg4\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3652]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpg\\(Default)":[{"type":"call","value":[1200,1248,1860,3659]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpga\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3667]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\(Default)":[{"type":"call","value":[1200,1248,1860,3674]}],"HKEY_LOCAL_MAC
HINE\\SOFTWARE\\Classes\\.msc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3682]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3688]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\(Default)":[{"type":"call","value":[1200,1248,1860,3695]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3703]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msrcincident\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3709]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msstyles\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3715]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3721]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\(Default)":[{"type":"call","value":[1200,1248,1860,3728]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mtv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3736]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3742]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mxf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3748]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3754]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3760]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3766]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3772]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nsv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3778]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nuv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3784]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3790]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nv
r\\(Default)":[{"type":"call","value":[1200,1248,1860,3795]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3800]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\(Default)":[{"type":"call","value":[1200,1248,1860,3807]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3815]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3821]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3827]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3833]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odt\\(Default)":[{"type":"call","value":[1200,1248,1860,3840]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oga\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3848]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3854]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3860]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3866]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ogx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3872]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oma\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3878]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.opus\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3884]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3890]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\(Default)":[{"type":"call","value":[1200,1248,1860,3897]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oxps\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3905]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\PerceivedType":[{"type":"call","value":[1200,124
8,1860,3911]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p12\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3917]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3923]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3929]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7m\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3935]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3941]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3947]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pbk\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3953]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3959]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3965]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3971]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3977]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.perfmoncfg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3983]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3989]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,3995]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4001]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\(Default)":[{"type":"call","value":[1200,1248,1860,4006]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4011]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pko\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4020]}],"HKEY_LOCAL_MACHIN
E\\SOFTWARE\\Classes\\.pl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4026]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\(Default)":[{"type":"call","value":[1200,1248,1860,4031]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4036]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\(Default)":[{"type":"call","value":[1200,1248,1860,4041]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pls\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4046]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4052]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4058]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4064]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmr\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4070]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4076]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\(Default)":[{"type":"call","value":[1200,1248,1860,4083]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\(Default)":[{"type":"call","value":[1200,1248,1860,4092]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppk\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4097]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4103]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\(Default)":[{"type":"call","value":[1200,1248,1860,4110]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4115]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4121]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.printerExport\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4127]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\PerceivedType":[{"type"
:"call","value":[1200,1248,1860,4133]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4139]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4145]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\(Default)":[{"type":"call","value":[1200,1248,1860,4150]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4158]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4164]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4170]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4176]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4182]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4188]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4194]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyo\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4200]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4206]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4212]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyzw\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4218]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qcp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4224]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4230]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r00\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4236]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r01\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4
242]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r02\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4248]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r03\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4254]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r04\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4260]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r05\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4266]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r06\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4272]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r07\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4278]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r08\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4284]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r09\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4290]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r10\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4296]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r11\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4302]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r12\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4308]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r13\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4314]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r14\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4320]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r15\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4326]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r16\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4332]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r17\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4338]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r18\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4344]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r19\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4350]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\
Classes\\.r20\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4356]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r21\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4362]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r22\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4368]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r23\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4374]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r24\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4380]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r25\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4386]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r26\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4392]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r27\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4398]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r28\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4404]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.r29\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4410]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ra\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4416]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ram\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4422]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rar\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4428]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rat\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4434]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4440]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4446]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4452]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4458]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rec\\PerceivedType":[{"type":"
call","value":[1200,1248,1860,4464]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4473]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.resmoncfg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4479]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rev\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4485]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rgs\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4491]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\(Default)":[{"type":"call","value":[1200,1248,1860,4498]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4506]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4512]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmi\\(Default)":[{"type":"call","value":[1200,1248,1860,4520]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmvb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4528]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4534]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4540]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4546]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\(Default)":[{"type":"call","value":[1200,1248,1860,4553]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4561]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4567]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s3m\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4573]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4579]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4585]}],"HKEY_LO
CAL_MACHINE\\SOFTWARE\\Classes\\.scc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4591]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4597]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scf\\(Default)":[{"type":"call","value":[1200,1248,1860,4604]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4612]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4618]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4627]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sdp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4633]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.search-ms\\(Default)":[{"type":"call","value":[1200,1248,1860,4640]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.searchConnector-ms\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4648]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4654]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\(Default)":[{"type":"call","value":[1200,1248,1860,4659]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sfcache\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4664]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4670]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4689]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.slupkg-ms\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4695]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.snd\\(Default)":[{"type":"call","value":[1200,1248,1860,4703]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sol\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4711]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4717]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\
\Classes\\.spc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4723]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4729]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4735]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\(Default)":[{"type":"call","value":[1200,1248,1860,4740]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4745]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4751]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4757]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4763]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4769]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.svg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4775]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4781]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sym\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4787]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.symlink\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4793]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\(Default)":[{"type":"call","value":[1200,1248,1860,4800]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4808]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4814]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tar\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4820]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.taz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4826]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tbz\\PerceivedType":[{"type":"c
all","value":[1200,1248,1860,4832]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tbz2\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4838]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tdl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4844]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.text\\(Default)":[{"type":"call","value":[1200,1248,1860,4851]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4856]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4862]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.themepack\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4868]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.thp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4874]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\(Default)":[{"type":"call","value":[1200,1248,1860,4881]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\(Default)":[{"type":"call","value":[1200,1248,1860,4890]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4898]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlh\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4904]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4910]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4916]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tod\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4922]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4928]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4934]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TS\\(Default)":[{"type":"call","value":[1200,1248,1860,4941]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4949]}],"HKEY_LO
CAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4955]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\(Default)":[{"type":"call","value":[1200,1248,1860,4960]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tta\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4965]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\(Default)":[{"type":"call","value":[1200,1248,1860,4972]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\(Default)":[{"type":"call","value":[1200,1248,1860,4981]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\(Default)":[{"type":"call","value":[1200,1248,1860,4990]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)":[{"type":"call","value":[1200,1248,1860,4999]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5007]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5013]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5019]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5025]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5031]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5037]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.usr\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5043]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.uu\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5049]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.uue\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5055]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5061]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5067]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\PerceivedType":[{
"type":"call","value":[1200,1248,1860,5073]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5079]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5085]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5091]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5097]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vlc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5103]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\(Default)":[{"type":"call","value":[1200,1248,1860,5110]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.voc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5118]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vqf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5124]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vro\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5130]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5136]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5142]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5148]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5154]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.w64\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5159]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5165]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\(Default)":[{"type":"call","value":[1200,1248,1860,5172]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\(Default)":[{"type":"call","value":[1200,1248,1860,5182]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\PerceivedType":[{"type":"call","value":[1200,1248,1860
,5190]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5196]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\(Default)":[{"type":"call","value":[1200,1248,1860,5203]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5211]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5217]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5223]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5229]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5235]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\(Default)":[{"type":"call","value":[1200,1248,1860,5243]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\(Default)":[{"type":"call","value":[1200,1248,1860,5252]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5260]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmdb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5266]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\(Default)":[{"type":"call","value":[1200,1248,1860,5274]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmp\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5282]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5288]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmv\\(Default)":[{"type":"call","value":[1200,1248,1860,5295]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\(Default)":[{"type":"call","value":[1200,1248,1860,5305]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5313]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5319]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\(D
efault)":[{"type":"call","value":[1200,1248,1860,5324]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\(Default)":[{"type":"call","value":[1200,1248,1860,5333]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5338]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5344]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5350]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5356]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\(Default)":[{"type":"call","value":[1200,1248,1860,5363]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5371]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wv\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5377]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\(Default)":[{"type":"call","value":[1200,1248,1860,5385]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5393]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\(Default)":[{"type":"call","value":[1200,1248,1860,5398]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xa\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5403]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5409]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5415]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xesc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5421]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xix\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5439]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlb\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5445]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlc\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5451]}],
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\(Default)":[{"type":"call","value":[1200,1248,1860,5458]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlt\\(Default)":[{"type":"call","value":[1200,1248,1860,5464]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xm\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5469]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\(Default)":[{"type":"call","value":[1200,1248,1860,5476]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\(Default)":[{"type":"call","value":[1200,1248,1860,5485]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5493]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5499]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5505]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\(Default)":[{"type":"call","value":[1200,1248,1860,5510]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xslt\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5518]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xspf\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5524]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xxe\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5530]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xz\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5536]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5542]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5548]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zfsendtotarget\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5554]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\(Default)":[{"type":"call","value":[1200,1248,1860,5561]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zipx\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5569]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zpl\\Per
ceivedType":[{"type":"call","value":[1200,1248,1860,5575]}],"HKEY_LOCAL_MACHINE\\Control Panel\\Personalization\\Desktop Slideshow":[{"type":"call","value":[1200,1248,2304,6029]},{"type":"call","value":[1200,1248,2304,6025]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs":[{"type":"call","value":[1200,1248,2324,6181]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6188]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6195]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)":[{"type":"call","value":[1200,1248,2324,6198]},{"type":"call","value":[1200,1248,2324,6197]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32":[{"type":"call","value":[1200,1248,2324,6199]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32":[{"type":"call","value":[1200,1248,2324,6200]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)":[{"type":"call","value":[1200,1248,2324,6201]},{"type":"call","value":[1200,1248,2324,6202]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel":[{"type":"call","value":[1200,1248,2324,6203]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32":[{"type":"call","value":[1200,1248,2324,6210]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler":[{"type":"call","value":[1200,1248,2324,6216]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)":[{"type":"call","value":[1200,
1248,1560,6287]},{"type":"call","value":[1200,1248,1560,6221]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM":[{"type":"call","value":[1200,1248,1560,6222]},{"type":"call","value":[1200,1248,1560,6288]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}":[{"type":"call","value":[1200,1248,1560,6291]},{"type":"call","value":[1200,1248,1560,6225]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex":[{"type":"call","value":[1200,1248,1560,6227]},{"type":"call","value":[1200,1248,1560,6293]}],"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}":[{"type":"call","value":[1200,1248,1560,6295]},{"type":"call","value":[1200,1248,1560,6229]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex":[{"type":"call","value":[1200,1248,1560,6298]},{"type":"call","value":[1200,1248,1560,6232]}],"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}":[{"type":"call","value":[1200,1248,1560,6234]},{"type":"call","value":[1200,1248,1560,6300]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay":[{"type":"call","value":[1200,1248,1560,6237]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 
10":[{"type":"call","value":[1200,1248,1560,6240]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString":[{"type":"call","value":[1200,1248,1560,6250]}],"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings":[{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6276]}],"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration":[{"type":"call","value":[1200,1248,1560,6252]},{"type":"call","value":[1200,1248,1560,6277]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay":[{"type":"call","value":[1200,1248,1560,6262]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10":[{"type":"call","value":[1200,1248,1560,6265]}],"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString":[{"type":"call","value":[1200,1248,1560,6275]}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/hkcu/i"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/HKEY_CURRENT_USER/i"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1860,4884]},{"type":"call","value":[1200,1248,1860,2123]},{"type":"call","value":[1200,1248,1860,2962]},{"type":"call","value":[1200,1248,1860,4893]},{"type":"call","value":[1200,1248,1860,2971]},{"type":"call","value":[1200,1248,1860,3810]},{"type":"call","value":[1200,1248,1860,2315]},{"type":"call","value":[1200,1248,1860,2806]},{"type":"call","value":[1200,1248,1860,5387]},{"type":"call","value":[1200,1248,1860,1851]},{"type":"call","value":[1200,1248,1860,5277]},{"type":"call","value":[1200,1248,1860,4676]},{"type":"call","value":[1200,1248,1860,1915]},{"type":"call","value":[1200,1248,1560,6235]},{"type":"call","value":[1200,
1248,1860,1860]},{"type":"call","value":[1200,1248,2324,6179]},{"type":"call","value":[1200,1248,1860,3245]},{"type":"call","value":[1200,1248,1860,3483]},{"type":"call","value":[1200,1248,1860,3611]},{"type":"call","value":[1200,1248,1860,5478]},{"type":"call","value":[1200,1248,1860,3565]},{"type":"call","value":[1200,1248,1860,2964]},{"type":"call","value":[1200,1248,1860,4523]},{"type":"call","value":[1200,1248,2304,6026]},{"type":"call","value":[1200,1248,1860,3455]},{"type":"call","value":[1200,1248,1860,3574]},{"type":"call","value":[1200,1248,1860,2973]},{"type":"call","value":[1200,1248,1860,5307]},{"type":"call","value":[1200,1248,1860,3583]},{"type":"call","value":[1200,1248,1860,2381]},{"type":"call","value":[1200,1248,1860,5206]},{"type":"call","value":[1200,1248,1560,6283]},{"type":"call","value":[1200,1248,1860,2628]},{"type":"call","value":[1200,1248,1860,2637]},{"type":"call","value":[1200,1248,1560,6301]},{"type":"call","value":[1200,1248,1860,2646]},{"type":"call","value":[1200,1248,1860,4086]},{"type":"call","value":[1200,1248,1560,6246]},{"type":"call","value":[1200,1248,1860,2173]},{"type":"call","value":[1200,1248,1860,1944]},{"type":"call","value":[1200,1248,1860,3677]},{"type":"call","value":[1200,1248,1860,4943]},{"type":"call","value":[1200,1248,2324,6193]},{"type":"call","value":[1200,1248,1860,5245]},{"type":"call","value":[1200,1248,1860,5254]},{"type":"call","value":[1200,1248,1860,2493]},{"type":"call","value":[1200,1248,1560,6267]},{"type":"call","value":[1200,1248,1860,3341]},{"type":"call","value":[1200,1248,1860,4607]},{"type":"call","value":[1200,1248,1860,5327]},{"type":"call","value":[1200,1248,1860,1965]},{"type":"call","value":[1200,1248,1860,3112]},{"type":"call","value":[1200,1248,1860,3350]},{"type":"call","value":[1200,1248,1560,6230]},{"type":"call","value":[1200,1248,1860,3359]},{"type":"call","value":[1200,1248,1860,3185]},{"type":"call","value":[1200,1248,1860,1928]},{"type":"call","value":[1200,1248,1860,3368]},{"typ
e":"call","value":[1200,1248,1860,4152]},{"type":"call","value":[1200,1248,2304,6012]},{"type":"call","value":[1200,1248,1860,2657]},{"type":"call","value":[1200,1248,1860,3377]},{"type":"call","value":[1200,1248,1860,5174]},{"type":"call","value":[1200,1248,2304,6021]},{"type":"call","value":[1200,1248,1860,2785]},{"type":"call","value":[1200,1248,1860,3206]},{"type":"call","value":[1200,1248,1860,5366]},{"type":"call","value":[1200,1248,1860,3215]},{"type":"call","value":[1200,1248,1860,3041]},{"type":"call","value":[1200,1248,1860,3224]},{"type":"call","value":[1200,1248,1860,3407]},{"type":"call","value":[1200,1248,1860,5512]},{"type":"call","value":[1200,1248,1860,3297]},{"type":"call","value":[1200,1248,1860,3416]},{"type":"call","value":[1200,1248,1860,3535]},{"type":"call","value":[1200,1248,1860,4975]},{"type":"call","value":[1200,1248,1560,6296]},{"type":"call","value":[1200,1248,1860,2705]},{"type":"call","value":[1200,1248,1860,2104]},{"type":"call","value":[1200,1248,1860,3544]},{"type":"call","value":[1200,1248,1860,4984]},{"type":"call","value":[1200,1248,1860,2113]},{"type":"call","value":[1200,1248,1860,4993]},{"type":"call","value":[1200,1248,1860,2058]},{"type":"call","value":[1200,1248,1860,5112]},{"type":"call","value":[1200,1248,1860,2122]},{"type":"call","value":[1200,1248,1860,5002]},{"type":"call","value":[1200,1248,2304,6023]},{"type":"call","value":[1200,1248,1860,3626]},{"type":"call","value":[1200,1248,1860,5185]},{"type":"call","value":[1200,1248,1860,3809]},{"type":"call","value":[1200,1248,1860,3635]},{"type":"call","value":[1200,1248,1860,2314]},{"type":"call","value":[1200,1248,1860,5487]},{"type":"call","value":[1200,1248,1560,6271]},{"type":"call","value":[1200,1248,1860,1896]},{"type":"call","value":[1200,1248,1860,1841]},{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1860,3464]},{"type":"call","value":[1200,1248,1860,1850]},{"type":"call","value":[1200,1248,1860,3473]},{"type":"call","value":[120
0,1248,1860,1859]},{"type":"call","value":[1200,1248,1860,3592]},{"type":"call","value":[1200,1248,1860,2216]},{"type":"call","value":[1200,1248,1860,4803]},{"type":"call","value":[1200,1248,1860,3601]},{"type":"call","value":[1200,1248,1860,3610]},{"type":"call","value":[1200,1248,1860,3564]},{"type":"call","value":[1200,1248,1860,5297]},{"type":"call","value":[1200,1248,1860,4522]},{"type":"call","value":[1200,1248,1560,6255]},{"type":"call","value":[1200,1248,1860,5276]},{"type":"call","value":[1200,1248,1860,2545]},{"type":"call","value":[1200,1248,1860,4705]},{"type":"call","value":[1200,1248,2324,6208]},{"type":"call","value":[1200,1248,1860,3393]},{"type":"call","value":[1200,1248,1560,6273]},{"type":"call","value":[1200,1248,1860,5388]},{"type":"call","value":[1200,1248,1560,6282]},{"type":"call","value":[1200,1248,1860,1916]},{"type":"call","value":[1200,1248,1860,4085]},{"type":"call","value":[1200,1248,1860,3484]},{"type":"call","value":[1200,1248,1860,3731]},{"type":"call","value":[1200,1248,1860,3676]},{"type":"call","value":[1200,1248,1560,6248]},{"type":"call","value":[1200,1248,1860,2965]},{"type":"call","value":[1200,1248,1860,4643]},{"type":"call","value":[1200,1248,1560,6257]},{"type":"call","value":[1200,1248,1860,5308]},{"type":"call","value":[1200,1248,1860,1827]},{"type":"call","value":[1200,1248,1860,2666]},{"type":"call","value":[1200,1248,1860,2492]},{"type":"call","value":[1200,1248,1860,2611]},{"type":"call","value":[1200,1248,1860,5427]},{"type":"call","value":[1200,1248,1860,1955]},{"type":"call","value":[1200,1248,1860,2382]},{"type":"call","value":[1200,1248,1860,2620]},{"type":"call","value":[1200,1248,1860,3340]},{"type":"call","value":[1200,1248,1860,1964]},{"type":"call","value":[1200,1248,1860,5564]},{"type":"call","value":[1200,1248,1860,2629]},{"type":"call","value":[1200,1248,1860,3349]},{"type":"call","value":[1200,1248,1860,2638]},{"type":"call","value":[1200,1248,1860,3358]},{"type":"call","value":[1200,1248,1860,3843]},{"t
ype":"call","value":[1200,1248,1860,2174]},{"type":"call","value":[1200,1248,1860,5246]},{"type":"call","value":[1200,1248,1860,5365]},{"type":"call","value":[1200,1248,1860,4883]},{"type":"call","value":[1200,1248,1860,4892]},{"type":"call","value":[1200,1248,1860,3534]},{"type":"call","value":[1200,1248,1860,4974]},{"type":"call","value":[1200,1248,1860,2103]},{"type":"call","value":[1200,1248,1860,3543]},{"type":"call","value":[1200,1248,1860,3662]},{"type":"call","value":[1200,1248,1860,3900]},{"type":"call","value":[1200,1248,1860,4501]},{"type":"call","value":[1200,1248,1860,4556]},{"type":"call","value":[1200,1248,1860,2524]},{"type":"call","value":[1200,1248,1860,4684]},{"type":"call","value":[1200,1248,1860,4983]},{"type":"call","value":[1200,1248,1860,5175]},{"type":"call","value":[1200,1248,1860,5184]},{"type":"call","value":[1200,1248,1860,3207]},{"type":"call","value":[1200,1248,1860,3216]},{"type":"call","value":[1200,1248,1560,6270]},{"type":"call","value":[1200,1248,1860,3454]},{"type":"call","value":[1200,1248,1860,3573]},{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1860,3463]},{"type":"call","value":[1200,1248,1860,3582]},{"type":"call","value":[1200,1248,1860,3408]},{"type":"call","value":[1200,1248,1860,2807]},{"type":"call","value":[1200,1248,1860,5205]},{"type":"call","value":[1200,1248,1860,3591]},{"type":"call","value":[1200,1248,1860,3600]},{"type":"call","value":[1200,1248,1860,3246]},{"type":"call","value":[1200,1248,1860,5113]},{"type":"call","value":[1200,1248,1560,6245]},{"type":"call","value":[1200,1248,2324,6189]},{"type":"call","value":[1200,1248,1560,6254]},{"type":"call","value":[1200,1248,1860,5479]},{"type":"call","value":[1200,1248,1860,2544]},{"type":"call","value":[1200,1248,1860,5488]},{"type":"call","value":[1200,1248,1860,5433]},{"type":"call","value":[1200,1248,1860,3392]},{"type":"call","value":[1200,1248,2304,6027]},{"type":"call","value":[1200,1248,1860,1897]},{"type":"call","value":[1
200,1248,1860,1842]},{"type":"call","value":[1200,1248,1860,2974]},{"type":"call","value":[1200,1248,1860,3474]},{"type":"call","value":[1200,1248,1860,4606]},{"type":"call","value":[1200,1248,1860,5326]},{"type":"call","value":[1200,1248,1860,3111]},{"type":"call","value":[1200,1248,1860,2217]},{"type":"call","value":[1200,1248,1860,3730]},{"type":"call","value":[1200,1248,1860,2647]},{"type":"call","value":[1200,1248,1860,3367]},{"type":"call","value":[1200,1248,1860,5298]},{"type":"call","value":[1200,1248,1860,2656]},{"type":"call","value":[1200,1248,1860,4642]},{"type":"call","value":[1200,1248,1860,1826]},{"type":"call","value":[1200,1248,1860,1945]},{"type":"call","value":[1200,1248,1860,2665]},{"type":"call","value":[1200,1248,1860,2610]},{"type":"call","value":[1200,1248,1860,4706]},{"type":"call","value":[1200,1248,1860,4944]},{"type":"call","value":[1200,1248,1860,1954]},{"type":"call","value":[1200,1248,2304,6020]},{"type":"call","value":[1200,1248,1860,2619]},{"type":"call","value":[1200,1248,1860,5563]},{"type":"call","value":[1200,1248,1860,5255]},{"type":"call","value":[1200,1248,1860,3040]},{"type":"call","value":[1200,1248,1860,3296]},{"type":"call","value":[1200,1248,1860,3842]},{"type":"call","value":[1200,1248,1860,4681]},{"type":"call","value":[1200,1248,2324,6175]},{"type":"call","value":[1200,1248,1860,3186]},{"type":"call","value":[1200,1248,1860,2704]},{"type":"call","value":[1200,1248,1860,1929]},{"type":"call","value":[1200,1248,1860,4153]},{"type":"call","value":[1200,1248,1860,4992]},{"type":"call","value":[1200,1248,1860,3378]},{"type":"call","value":[1200,1248,1860,2057]},{"type":"call","value":[1200,1248,1560,6258]},{"type":"call","value":[1200,1248,1860,5001]},{"type":"call","value":[1200,1248,2304,6022]},{"type":"call","value":[1200,1248,1860,2786]},{"type":"call","value":[1200,1248,1860,3625]},{"type":"call","value":[1200,1248,1860,3634]},{"type":"call","value":[1200,1248,2324,6214]},{"type":"call","value":[1200,1248,1860,3225]},{
"type":"call","value":[1200,1248,1860,4555]},{"type":"call","value":[1200,1248,1860,3661]},{"type":"call","value":[1200,1248,1860,4500]},{"type":"call","value":[1200,1248,1860,3899]},{"type":"call","value":[1200,1248,1860,5513]},{"type":"call","value":[1200,1248,1860,3417]},{"type":"call","value":[1200,1248,1860,2523]},{"type":"call","value":[1200,1248,1860,4683]},{"type":"call","value":[1200,1248,1860,4802]},{"type":"call","value":[1200,1248,1560,6242]},{"type":"call","value":[1200,1248,2324,6186]},{"type":"call","value":[1200,1248,1860,2114]}],"captures":{"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3g2\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1826]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3g2\\OpenWithProgids\\VLC.3g2":[{"type":"call","value":[1200,1248,1860,1827]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1841]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp\\OpenWithProgids\\VLC.3gp":[{"type":"call","value":[1200,1248,1860,1842]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp2\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1850]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gp2\\OpenWithProgids\\VLC.3gp2":[{"type":"call","value":[1200,1248,1860,1851]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gpp\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1859]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.3gpp\\OpenWithProgids\\VLC.3gpp":[{"type":"call","value":[1200,1248,1860,1860]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.AAC\\OpenWithProgids":[{"type":"call","value":[1200
,1248,1860,1896]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.AAC\\OpenWithProgids\\VLC.aac":[{"type":"call","value":[1200,1248,1860,1897]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADT\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1915]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADT\\OpenWithProgids\\VLC.adt":[{"type":"call","value":[1200,1248,1860,1916]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADTS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1928]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ADTS\\OpenWithProgids\\VLC.adts":[{"type":"call","value":[1200,1248,1860,1929]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aif\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1944]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aif\\OpenWithProgids\\VLC.aif":[{"type":"call","value":[1200,1248,1860,1945]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aifc\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1954]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aifc\\OpenWithProgids\\VLC.aifc":[{"type":"call","value":[1200,1248,1860,1955]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aiff\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,1964]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aiff\\OpenWithProgids\\VLC.aiff":[{"type":"call","value":[1200,1248,1860,1965]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2057]}],"HKEY_CURRENT_USER\\Software\\Micr
osoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asf\\OpenWithProgids\\VLC.asf":[{"type":"call","value":[1200,1248,1860,2058]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2103]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.asx\\OpenWithProgids\\VLC.asx":[{"type":"call","value":[1200,1248,1860,2104]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.au\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2113]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.au\\OpenWithProgids\\VLC.au":[{"type":"call","value":[1200,1248,1860,2114]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.avi\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2122]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.avi\\OpenWithProgids\\VLC.avi":[{"type":"call","value":[1200,1248,1860,2123]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.bmp\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2173]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.bmp\\OpenWithProgids\\Paint.Picture":[{"type":"call","value":[1200,1248,1860,2174]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.cab\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2216]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.cab\\OpenWithProgids\\WinRAR":[{"type":"call","value":[1200,1248,1860,2217]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.contact\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2314]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.con
tact\\OpenWithProgids\\contact_wab_auto_file":[{"type":"call","value":[1200,1248,1860,2315]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.css\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2381]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.css\\OpenWithProgids\\CSSfile":[{"type":"call","value":[1200,1248,1860,2382]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dib\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2492]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dib\\OpenWithProgids\\Paint.Picture":[{"type":"call","value":[1200,1248,1860,2493]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dll\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2523]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dll\\OpenWithProgids\\dllfile":[{"type":"call","value":[1200,1248,1860,2524]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2544]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\OpenWithProgids\\docxfile":[{"type":"call","value":[1200,1248,1860,2545]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2610]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR\\OpenWithProgids\\MediaCenter.DVR":[{"type":"call","value":[1200,1248,1860,2611]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR-MS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2619]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.DVR-MS\\OpenWithProgids\\VL
C.dvr-ms":[{"type":"call","value":[1200,1248,1860,2620]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dwfx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2628]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.dwfx\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,2629]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.easmx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2637]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.easmx\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,2638]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.edrwx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2646]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.edrwx\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,2647]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.emf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2656]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.emf\\OpenWithProgids\\emffile":[{"type":"call","value":[1200,1248,1860,2657]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.eprtx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2665]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.eprtx\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,2666]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2704]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\Open
WithProgids\\exefile":[{"type":"call","value":[1200,1248,1860,2705]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.fon\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2785]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.fon\\OpenWithProgids\\fonfile":[{"type":"call","value":[1200,1248,1860,2786]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2806]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids\\giffile":[{"type":"call","value":[1200,1248,1860,2807]}],"HKEY_CURRENT_USER\\Software\\Classes\\.htm\\(Default)":[{"type":"call","value":[1200,1248,1860,2962]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2964]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\OpenWithProgids\\ChromeHTML":[{"type":"call","value":[1200,1248,1860,2965]}],"HKEY_CURRENT_USER\\Software\\Classes\\.html\\(Default)":[{"type":"call","value":[1200,1248,1860,2971]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,2973]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids\\ChromeHTML":[{"type":"call","value":[1200,1248,1860,2974]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ico\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3040]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ico\\OpenWithProgids\\icofile":[{"type":"call","value":[1200,1248,1860,3041]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWi
thProgids":[{"type":"call","value":[1200,1248,1860,3111]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids\\inifile":[{"type":"call","value":[1200,1248,1860,3112]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jfif\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3185]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jfif\\OpenWithProgids\\pjpegfile":[{"type":"call","value":[1200,1248,1860,3186]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpe\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3206]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpe\\OpenWithProgids\\jpegfile":[{"type":"call","value":[1200,1248,1860,3207]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpeg\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3215]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpeg\\OpenWithProgids\\jpegfile":[{"type":"call","value":[1200,1248,1860,3216]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpg\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3224]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jpg\\OpenWithProgids\\jpegfile":[{"type":"call","value":[1200,1248,1860,3225]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jtx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3245]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.jtx\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,3246]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.lnk\\OpenWithProgids":[{"type":"call","value":[12
00,1248,1860,3296]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.lnk\\OpenWithProgids\\lnkfile":[{"type":"call","value":[1200,1248,1860,3297]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m1v\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3340]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m1v\\OpenWithProgids\\VLC.m1v":[{"type":"call","value":[1200,1248,1860,3341]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2T\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3349]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2T\\OpenWithProgids\\VLC.m2t":[{"type":"call","value":[1200,1248,1860,3350]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2TS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3358]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2TS\\OpenWithProgids\\VLC.m2ts":[{"type":"call","value":[1200,1248,1860,3359]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2V\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3367]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.M2V\\OpenWithProgids\\VLC.m2v":[{"type":"call","value":[1200,1248,1860,3368]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m3u\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3377]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m3u\\OpenWithProgids\\VLC.m3u":[{"type":"call","value":[1200,1248,1860,3378]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4a\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3392]}],"HKEY_CURRENT_USER\\Software\\Microsof
t\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4a\\OpenWithProgids\\VLC.m4a":[{"type":"call","value":[1200,1248,1860,3393]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4p\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3407]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4p\\OpenWithProgids\\VLC.m4p":[{"type":"call","value":[1200,1248,1860,3408]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4v\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3416]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.m4v\\OpenWithProgids\\VLC.m4v":[{"type":"call","value":[1200,1248,1860,3417]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mht\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3454]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mht\\OpenWithProgids\\mhtmlfile":[{"type":"call","value":[1200,1248,1860,3455]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mhtml\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3463]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mhtml\\OpenWithProgids\\mhtmlfile":[{"type":"call","value":[1200,1248,1860,3464]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mid\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3473]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mid\\OpenWithProgids\\VLC.mid":[{"type":"call","value":[1200,1248,1860,3474]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.midi\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3483]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.midi
\\OpenWithProgids\\WMP11.AssocFile.MIDI":[{"type":"call","value":[1200,1248,1860,3484]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MOD\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3534]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MOD\\OpenWithProgids\\VLC.mod":[{"type":"call","value":[1200,1248,1860,3535]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mov\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3543]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mov\\OpenWithProgids\\VLC.mov":[{"type":"call","value":[1200,1248,1860,3544]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3564]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2\\OpenWithProgids\\VLC.mp2":[{"type":"call","value":[1200,1248,1860,3565]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2v\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3573]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp2v\\OpenWithProgids\\VLC.mp2v":[{"type":"call","value":[1200,1248,1860,3574]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp3\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3582]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp3\\OpenWithProgids\\VLC.mp3":[{"type":"call","value":[1200,1248,1860,3583]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3591]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4\\OpenWithProgids\\VLC.mp4":[{"type":"call","v
alue":[1200,1248,1860,3592]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4v\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3600]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mp4v\\OpenWithProgids\\VLC.mp4v":[{"type":"call","value":[1200,1248,1860,3601]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpa\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3610]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpa\\OpenWithProgids\\VLC.mpa":[{"type":"call","value":[1200,1248,1860,3611]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpe\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3625]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpe\\OpenWithProgids\\VLC.mpe":[{"type":"call","value":[1200,1248,1860,3626]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpeg\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3634]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpeg\\OpenWithProgids\\VLC.mpeg":[{"type":"call","value":[1200,1248,1860,3635]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpg\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3661]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpg\\OpenWithProgids\\VLC.mpg":[{"type":"call","value":[1200,1248,1860,3662]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpv2\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3676]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.mpv2\\OpenWithProgids\\VLC.mpv2":[{"type":"call","value":[1200,1248,1860,3677]}],"HKEY_CURRENT_USER\\Sof
tware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MTS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3730]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.MTS\\OpenWithProgids\\VLC.mts":[{"type":"call","value":[1200,1248,1860,3731]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ocx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3809]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ocx\\OpenWithProgids\\ocxfile":[{"type":"call","value":[1200,1248,1860,3810]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.odt\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3842]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.odt\\OpenWithProgids\\odtfile":[{"type":"call","value":[1200,1248,1860,3843]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.otf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,3899]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.otf\\OpenWithProgids\\otffile":[{"type":"call","value":[1200,1248,1860,3900]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4085]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids\\pngfile":[{"type":"call","value":[1200,1248,1860,4086]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ps1xml\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4152]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ps1xml\\OpenWithProgids\\Microsoft.PowerShellXMLData.1":[{"type":"call","value":[1200,1248,1860,4153]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Current
Version\\Explorer\\FileExts\\.rle\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4500]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rle\\OpenWithProgids\\rlefile":[{"type":"call","value":[1200,1248,1860,4501]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rmi\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4522]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rmi\\OpenWithProgids\\VLC.rmi":[{"type":"call","value":[1200,1248,1860,4523]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rtf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4555]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.rtf\\OpenWithProgids\\rtffile":[{"type":"call","value":[1200,1248,1860,4556]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.scf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4606]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.scf\\OpenWithProgids\\SHCmdFile":[{"type":"call","value":[1200,1248,1860,4607]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.search-ms\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4642]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.search-ms\\OpenWithProgids\\SearchFolder":[{"type":"call","value":[1200,1248,1860,4643]}],"HKEY_CURRENT_USER\\Software\\Classes\\.shtml\\PerceivedType":[{"type":"call","value":[1200,1248,1860,4676]}],"HKEY_CURRENT_USER\\Software\\Classes\\.shtml\\(Default)":[{"type":"call","value":[1200,1248,1860,4681]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.shtml\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4683]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows
\\CurrentVersion\\Explorer\\FileExts\\.shtml\\OpenWithProgids\\ChromeHTML":[{"type":"call","value":[1200,1248,1860,4684]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.snd\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4705]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.snd\\OpenWithProgids\\VLC.snd":[{"type":"call","value":[1200,1248,1860,4706]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sys\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4802]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sys\\OpenWithProgids\\sysfile":[{"type":"call","value":[1200,1248,1860,4803]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tif\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4883]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tif\\OpenWithProgids\\TIFImage.Document":[{"type":"call","value":[1200,1248,1860,4884]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tiff\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4892]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.tiff\\OpenWithProgids\\TIFImage.Document":[{"type":"call","value":[1200,1248,1860,4893]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4943]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TS\\OpenWithProgids\\VLC.ts":[{"type":"call","value":[1200,1248,1860,4944]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttc\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4974]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\
.ttc\\OpenWithProgids\\ttcfile":[{"type":"call","value":[1200,1248,1860,4975]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4983]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ttf\\OpenWithProgids\\ttffile":[{"type":"call","value":[1200,1248,1860,4984]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TTS\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,4992]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.TTS\\OpenWithProgids\\VLC.tts":[{"type":"call","value":[1200,1248,1860,4993]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5001]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids\\txtfile":[{"type":"call","value":[1200,1248,1860,5002]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.vob\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5112]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.vob\\OpenWithProgids\\VLC.vob":[{"type":"call","value":[1200,1248,1860,5113]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5174]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids\\VLC.wav":[{"type":"call","value":[1200,1248,1860,5175]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wax\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5184]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wax\\OpenWithProgids\\WMP11.AssocFile.WAX":[{"type":"call","v
alue":[1200,1248,1860,5185]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wdp\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5205]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wdp\\OpenWithProgids\\wdpfile":[{"type":"call","value":[1200,1248,1860,5206]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wm\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5245]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wm\\OpenWithProgids\\WMP11.AssocFile.ASF":[{"type":"call","value":[1200,1248,1860,5246]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wma\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5254]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wma\\OpenWithProgids\\VLC.wma":[{"type":"call","value":[1200,1248,1860,5255]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmf\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5276]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmf\\OpenWithProgids\\wmffile":[{"type":"call","value":[1200,1248,1860,5277]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmv\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5297]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmv\\OpenWithProgids\\VLC.wmv":[{"type":"call","value":[1200,1248,1860,5298]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5307]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wmx\\OpenWithProgids\\WMP11.AssocFile.ASX":[{"type":"call","value":[1200,1248,1860,5308]}],"HKEY_CURR
ENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wpl\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5326]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wpl\\OpenWithProgids\\VLC.wpl":[{"type":"call","value":[1200,1248,1860,5327]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.WTV\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5365]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.WTV\\OpenWithProgids\\VLC.wtv":[{"type":"call","value":[1200,1248,1860,5366]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wvx\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5387]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wvx\\OpenWithProgids\\VLC.wvx":[{"type":"call","value":[1200,1248,1860,5388]}],"HKEY_CURRENT_USER\\Software\\Classes\\.xht\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5427]}],"HKEY_CURRENT_USER\\Software\\Classes\\.xhtml\\PerceivedType":[{"type":"call","value":[1200,1248,1860,5433]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xml\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5478]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xml\\OpenWithProgids\\xmlfile":[{"type":"call","value":[1200,1248,1860,5479]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xps\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5487]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xps\\OpenWithProgids\\Windows.XPSReachViewer":[{"type":"call","value":[1200,1248,1860,5488]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xsl\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5512]}],"HKEY
_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xsl\\OpenWithProgids\\xslfile":[{"type":"call","value":[1200,1248,1860,5513]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.zip\\OpenWithProgids":[{"type":"call","value":[1200,1248,1860,5563]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.zip\\OpenWithProgids\\WinRAR.ZIP":[{"type":"call","value":[1200,1248,1860,5564]}],"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow":[{"type":"call","value":[1200,1248,2304,6012]},{"type":"call","value":[1200,1248,2304,6026]},{"type":"call","value":[1200,1248,2304,6022]}],"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval":[{"type":"call","value":[1200,1248,2304,6020]}],"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle":[{"type":"call","value":[1200,1248,2304,6021]}],"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration":[{"type":"call","value":[1200,1248,2304,6023]}],"HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop 
Slideshow\\Flags":[{"type":"call","value":[1200,1248,2304,6027]}],"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}":[{"type":"call","value":[1200,1248,2324,6189]},{"type":"call","value":[1200,1248,2324,6175]}],"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs":[{"type":"call","value":[1200,1248,2324,6179]}],"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6186]}],"HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid":[{"type":"call","value":[1200,1248,2324,6193]}],"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32":[{"type":"call","value":[1200,1248,2324,6208]}],"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler":[{"type":"call","value":[1200,1248,2324,6214]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{21EC2020-3AEA-1069-A2DD-08002B30309D}":[{"type":"call","value":[1200,1248,1560,6296]},{"type":"call","value":[1200,1248,1560,6230]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}":[{"type":"call","value":[1200,1248,1560,6301]},{"type":"call","value":[1200,1248,1560,6235]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}":[{"type":"call","value":[1200,1248,1560,6248]},{"type":"call","value":[1200,1248,1560,6242]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1":[{"type":"call","value":[1200,1248,1560,6245]},{"type":"call","value":[1200,1248,1560,6270]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ControlPanel\\NameSpace\\NameCustomizations":[{"type":
"call","value":[1200,1248,1560,6246]},{"type":"call","value":[1200,1248,1560,6271]}],"HKEY_CURRENT_USER":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6254]}],"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E":[{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1560,6255]}],"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\LanguageList":[{"type":"call","value":[1200,1248,1560,6257]},{"type":"call","value":[1200,1248,1560,6282]}],"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036":[{"type":"call","value":[1200,1248,1560,6258]}],"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}":[{"type":"call","value":[1200,1248,1560,6267]},{"type":"call","value":[1200,1248,1560,6273]}],"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\7\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200":[{"type":"call","value":[1200,1248,1560,6283]}]}}],"locations":[],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"optional"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"match","match":"create or open registry 
key"}},"children":[{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenCurrentUser"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegOpenUserClassesRoot"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwOpenKeyTransactedEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{
"type":"api","api":"ZwCreateKeyTransacted"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtOpenKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6279]},{"type":"call","value":[1200,1248,1560,6276]},{"type":"call","value":[1200,1248,1560,6255]},{"type":"call","value":[1200,1248,1560,6251]},{"type":"call","value":[1200,1248,1560,6280]},{"type":"call","value":[1200,1248,1560,6254]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtCreateKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegOpenUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegCreateUSKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlCreateRegistryKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenSubKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::OpenRemoteBaseKey"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::CreateSubKey"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[{"type":"thread","value":[1200,1248,1560]}],"captures":{}}],"locations":[],"captures":{}},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegSetValue"}
},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegSetValueEx"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"advapi32.RegSetKeyValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetValueKey"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"NtSetValueKey"}},"children":[],"locations":[{"type":"call","value":[1200,1248,1560,6257]},{"type":"call","value":[1200,1248,1560,6282]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"RtlWriteRegistryValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHSetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegSetPath"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegSetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegSetUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"SHRegWriteUSValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.RegistryKey::SetValue"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"Microsoft.Win32.Registry::SetValue"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"interact with driver via control codes":{"meta":{"name":"interact with driver via 
control codes","namespace":"host-interaction/driver","authors":["moritz.raabe@mandiant.com"],"scopes":{"static":"function","dynamic":"process"},"attack":[{"parts":["Execution","System Services","Service Execution"],"tactic":"Execution","technique":"System Services","subtechnique":"Service Execution","id":"T1569.002"}],"mbc":[],"references":[],"examples":["Practical Malware Analysis Lab 10-03.exe_:0x401000","9412A66BC81F51A1FA916AC47C77E02AC1A7C9DFF543233ED70AA265EF6A1E76:0x10002DE0"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: interact with driver via control codes\n namespace: host-interaction/driver\n authors:\n - moritz.raabe@mandiant.com\n scopes:\n static: function\n dynamic: process\n att&ck:\n - Execution::System Services::Service Execution [T1569.002]\n examples:\n - Practical Malware Analysis Lab 10-03.exe_:0x401000\n - 9412A66BC81F51A1FA916AC47C77E02AC1A7C9DFF543233ED70AA265EF6A1E76:0x10002DE0\n features:\n - or:\n - api: DeviceIoControl\n - api: NtUnloadDriver\n - api: ZwUnloadDriver\n - and:\n - number: 38 = SystemLoadAndCallImage\n - api: 
ZwSetSystemInformation\n","matches":[[{"type":"process","value":[1852,2724]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"DeviceIoControl"}},"children":[],"locations":[{"type":"call","value":[1852,2724,1816,66]},{"type":"call","value":[1852,2724,1816,55]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtUnloadDriver"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwUnloadDriver"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"number","number":38,"description":"SystemLoadAndCallImage"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwSetSystemInformation"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}],[{"type":"process","value":[1852,2800]},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":true,"node":{"type":"feature","feature":{"type":"api","api":"DeviceIoControl"}},"children":[],"locations":[{"type":"call","value":[1852,2800,640,47]},{"type":"call","value":[1852,2800,640,58]}],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"NtUnloadDriver"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"api","api":"ZwUnloadDriver"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"statement","statement":{"type":"and"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"number","number":38,"description":"SystemLoadAndCallImage"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type"
:"feature","feature":{"type":"api","api":"ZwSetSystemInformation"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]},"reference analysis tools strings":{"meta":{"name":"reference analysis tools strings","namespace":"anti-analysis","authors":["michael.hunhoff@mandiant.com"],"scopes":{"static":"file","dynamic":"file"},"attack":[],"mbc":[{"parts":["Discovery","Analysis Tool Discovery","Process detection"],"objective":"Discovery","behavior":"Analysis Tool Discovery","method":"Process detection","id":"B0013.001"}],"references":["https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp"],"examples":["al-khaser_x86.exe_"],"description":"","lib":false,"is_subscope_rule":false,"maec":{}},"source":"rule:\n meta:\n name: reference analysis tools strings\n namespace: anti-analysis\n authors:\n - michael.hunhoff@mandiant.com\n scopes:\n static: file\n dynamic: file\n mbc:\n - Discovery::Analysis Tool Discovery::Process detection [B0013.001]\n references:\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp\n examples:\n - al-khaser_x86.exe_\n features:\n - or:\n - string: /ollydbg(\\.exe)?/i\n - string: /ProcessHacker(\\.exe)?/i\n - string: /tcpview(\\.exe)?/i\n - string: /autoruns(\\.exe)?/i\n - string: /autorunsc(\\.exe)?/i\n - string: /filemon(\\.exe)?/i\n - string: /procmon(\\.exe)?/i\n - string: /regmon(\\.exe)?/i\n - string: /procexp(\\.exe)?/i\n - string: /ida[gqtuw]?(\\.exe)?$/i\n - string: /ida[gqtuw]64(\\.exe)?$/i\n - string: /ImmunityDebugger(\\.exe)?/i\n - string: /Wireshark(\\.exe)?/i\n - string: /dumpcap(\\.exe)?/i\n - string: /HookExplorer(\\.exe)?/i\n - string: /ImportREC(\\.exe)?/i\n - string: /PETools(\\.exe)?/i\n - string: /LordPE(\\.exe)?/i\n - string: /SysInspector(\\.exe)?/i\n - string: /proc_analyzer(\\.exe)?/i\n - string: /sysAnalyzer(\\.exe)?/i\n - string: /sniff_hit(\\.exe)?/i\n - string: /windbg(\\.exe)?/i\n - string: 
/joeboxcontrol(\\.exe)?/i\n - string: /joeboxserver(\\.exe)?/i\n - string: /ResourceHacker(\\.exe)?/i\n - string: /x32dbg(\\.exe)?/i\n - string: /x64dbg(\\.exe)?/i\n - string: /Fiddler(\\.exe)?/i\n - string: /httpdebugger(\\.exe)?/i\n - string: /fakenet(\\.exe)?/i\n - string: /netmon(\\.exe)?/i\n - string: /WPE PRO(\\.exe)?/i\n - string: /decompile(\\.exe)?/i\n - string: /scylla/i\n - string: /megadumper/i\n","matches":[[{"type":"no address"},{"success":true,"node":{"type":"statement","statement":{"type":"or"}},"children":[{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ollydbg(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ProcessHacker(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/tcpview(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/autoruns(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/autorunsc(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/filemon(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/procmon(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/regmon(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/procexp(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":true,"node":{"type":"feature","feature":{"type":"regex","regex":"/ida[gqtuw]?(\\.exe)?$/i"}},"children":[],"locations":[{"type":"no 
address"}],"captures":{"LookupAccountSidA":[{"type":"no address"}],"advapi32.dll.ConvertSidToStringSidA":[{"type":"no address"}],"advapi32.dll.LookupAccountSidA":[{"type":"no address"}]}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ida[gqtuw]64(\\.exe)?$/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ImmunityDebugger(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Wireshark(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/dumpcap(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/HookExplorer(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ImportREC(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/PETools(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/LordPE(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/SysInspector(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/proc_analyzer(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/sysAnalyzer(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/sniff_hit(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","f
eature":{"type":"regex","regex":"/windbg(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/joeboxcontrol(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/joeboxserver(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/ResourceHacker(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/x32dbg(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/x64dbg(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/Fiddler(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/httpdebugger(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/fakenet(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/netmon(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/WPE 
PRO(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/decompile(\\.exe)?/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/scylla/i"}},"children":[],"locations":[],"captures":{}},{"success":false,"node":{"type":"feature","feature":{"type":"regex","regex":"/megadumper/i"}},"children":[],"locations":[],"captures":{}}],"locations":[],"captures":{}}]]}}}
diff --git a/webui/src/assets/data/demo-rdoc.json b/webui/src/assets/data/demo-rdoc.json
deleted file mode 100644
index f0663e934..000000000
--- a/webui/src/assets/data/demo-rdoc.json
+++ /dev/null
@@ -1,43830 +0,0 @@ -{ - "meta": { - "timestamp": "2024-03-02T04:10:24.252437", - "version": "7.0.1", - "argv": ["./tests/data/al-khaser_x64.exe_", "-j"], - "sample": { - "md5": "3cb21ae76ff3da4b7e02d77ff76e82be", - "sha1": "7156270661549f75c253f169fe8988690f6fc700", - "sha256": "c2c49f2592f78b7a70fd984dbbb25f7251dd1c851caa884f39ff1c8075f0b228", - "path": "C:/Users/HP/Documents/GitHub/capa/tests/data/al-khaser_x64.exe_" - }, - "flavor": "static", - "analysis": { - "format": "pe", - "arch": "amd64", - "os": "windows", - "extractor": "VivisectFeatureExtractor", - "rules": ["C:/Users/HP/Documents/GitHub/capa/rules"], - "base_address": { "type": "absolute", "value": 5368709120 }, - "layout": { - "functions": [ - { - "address": { "type": "absolute", "value": 5368811525 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368840006 } }] - }, - { - "address": { "type": "absolute", "value": 5368811530 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013168 } }] - }, - { - "address": { "type": "absolute", "value": 5368811540 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369005200 } }, - { "address": { "type": "absolute", "value": 5369005266 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811565 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368959552 } }, - { "address": { "type": "absolute", "value": 5368959622 } }, - { "address": { "type": "absolute", "value": 5368959757 } }, - { "address": { "type": "absolute", "value": 5368960000 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811570 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368846160 } }] - }, - { - "address": { "type": "absolute", "value": 5368811655 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368924448 } }] - }, - { - "address": { "type": "absolute", "value": 5368811660 }, - "matched_basic_blocks": [{ 
"address": { "type": "absolute", "value": 5368890800 } }] - }, - { - "address": { "type": "absolute", "value": 5368811670 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368942720 } }] - }, - { - "address": { "type": "absolute", "value": 5368811675 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368931152 } }, - { "address": { "type": "absolute", "value": 5368931316 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811680 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368872240 } }] - }, - { - "address": { "type": "absolute", "value": 5368811690 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369010288 } }] - }, - { - "address": { "type": "absolute", "value": 5368811695 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368940992 } }] - }, - { - "address": { "type": "absolute", "value": 5368811715 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368951744 } }, - { "address": { "type": "absolute", "value": 5368951918 } }, - { "address": { "type": "absolute", "value": 5368952263 } }, - { "address": { "type": "absolute", "value": 5368952779 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811720 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368861728 } }] - }, - { - "address": { "type": "absolute", "value": 5368811740 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368935773 } }] - }, - { - "address": { "type": "absolute", "value": 5368811755 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368915808 } }] - }, - { - "address": { "type": "absolute", "value": 5368811765 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368854880 } }, - { "address": { "type": "absolute", "value": 5368854976 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811785 }, - 
"matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013600 } }] - }, - { - "address": { "type": "absolute", "value": 5368811805 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368851327 } }, - { "address": { "type": "absolute", "value": 5368851370 } }, - { "address": { "type": "absolute", "value": 5368851795 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811810 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368939152 } }] - }, - { - "address": { "type": "absolute", "value": 5368811820 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368917392 } }] - }, - { - "address": { "type": "absolute", "value": 5368811825 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013504 } }] - }, - { - "address": { "type": "absolute", "value": 5368811865 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368997328 } }, - { "address": { "type": "absolute", "value": 5368997449 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368811870 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368858960 } }] - }, - { - "address": { "type": "absolute", "value": 5368811875 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368922416 } }] - }, - { - "address": { "type": "absolute", "value": 5368811905 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368869472 } }] - }, - { - "address": { "type": "absolute", "value": 5368811925 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368984512 } }] - }, - { - "address": { "type": "absolute", "value": 5368811990 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368844166 } }] - }, - { - "address": { "type": "absolute", "value": 5368812010 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368893712 } }, - { "address": { 
"type": "absolute", "value": 5368893848 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812015 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368839769 } }] - }, - { - "address": { "type": "absolute", "value": 5368812020 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369019328 } }, - { "address": { "type": "absolute", "value": 5369019343 } }, - { "address": { "type": "absolute", "value": 5369019390 } }, - { "address": { "type": "absolute", "value": 5369019817 } }, - { "address": { "type": "absolute", "value": 5369019949 } }, - { "address": { "type": "absolute", "value": 5369020147 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812035 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368852559 } }, - { "address": { "type": "absolute", "value": 5368852602 } }, - { "address": { "type": "absolute", "value": 5368852710 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812055 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368962880 } }] - }, - { - "address": { "type": "absolute", "value": 5368812100 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368855200 } }, - { "address": { "type": "absolute", "value": 5368855365 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812110 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368925360 } }] - }, - { - "address": { "type": "absolute", "value": 5368812115 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368938720 } }] - }, - { - "address": { "type": "absolute", "value": 5368812120 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368935952 } }] - }, - { - "address": { "type": "absolute", "value": 5368812150 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368863408 } }, - { "address": { "type": "absolute", "value": 
5368863518 } }, - { "address": { "type": "absolute", "value": 5368863684 } }, - { "address": { "type": "absolute", "value": 5368863767 } }, - { "address": { "type": "absolute", "value": 5368863913 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812180 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368859792 } }, - { "address": { "type": "absolute", "value": 5368860125 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812185 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368920720 } }] - }, - { - "address": { "type": "absolute", "value": 5368812195 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013857 } }] - }, - { - "address": { "type": "absolute", "value": 5368812220 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369005424 } }] - }, - { - "address": { "type": "absolute", "value": 5368812230 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368999623 } }, - { "address": { "type": "absolute", "value": 5368999700 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812255 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368862720 } }] - }, - { - "address": { "type": "absolute", "value": 5368812270 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368977872 } }] - }, - { - "address": { "type": "absolute", "value": 5368812285 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368905856 } }, - { "address": { "type": "absolute", "value": 5368905952 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812290 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369004455 } }] - }, - { - "address": { "type": "absolute", "value": 5368812310 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368866464 } }] - }, - { - "address": { "type": "absolute", 
"value": 5368812315 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368957520 } }] - }, - { - "address": { "type": "absolute", "value": 5368812320 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369017312 } }, - { "address": { "type": "absolute", "value": 5369017341 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812325 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368831168 } }] - }, - { - "address": { "type": "absolute", "value": 5368812330 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368915696 } }] - }, - { - "address": { "type": "absolute", "value": 5368812340 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368993792 } }, - { "address": { "type": "absolute", "value": 5368994097 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812350 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369007888 } }] - }, - { - "address": { "type": "absolute", "value": 5368812360 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368953552 } }, - { "address": { "type": "absolute", "value": 5368953892 } }, - { "address": { "type": "absolute", "value": 5368953985 } }, - { "address": { "type": "absolute", "value": 5368954205 } }, - { "address": { "type": "absolute", "value": 5368954290 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812385 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368857936 } }] - }, - { - "address": { "type": "absolute", "value": 5368812395 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368911264 } }, - { "address": { "type": "absolute", "value": 5368911394 } }, - { "address": { "type": "absolute", "value": 5368911647 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812430 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 
5368844868 } }] - }, - { - "address": { "type": "absolute", "value": 5368812455 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368992784 } }] - }, - { - "address": { "type": "absolute", "value": 5368812465 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013777 } }] - }, - { - "address": { "type": "absolute", "value": 5368812475 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368957232 } }] - }, - { - "address": { "type": "absolute", "value": 5368812485 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368925584 } }] - }, - { - "address": { "type": "absolute", "value": 5368812530 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369000672 } }] - }, - { - "address": { "type": "absolute", "value": 5368812550 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368986160 } }] - }, - { - "address": { "type": "absolute", "value": 5368812575 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368989264 } }] - }, - { - "address": { "type": "absolute", "value": 5368812590 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368945360 } }, - { "address": { "type": "absolute", "value": 5368945480 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812600 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368967072 } }] - }, - { - "address": { "type": "absolute", "value": 5368812615 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368928480 } }] - }, - { - "address": { "type": "absolute", "value": 5368812640 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368855536 } }] - }, - { - "address": { "type": "absolute", "value": 5368812670 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368925952 } }] - }, - { - "address": { "type": "absolute", "value": 5368812675 }, 
- "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368914304 } }] - }, - { - "address": { "type": "absolute", "value": 5368812680 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368997776 } }] - }, - { - "address": { "type": "absolute", "value": 5368812685 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369007991 } }, - { "address": { "type": "absolute", "value": 5369007998 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812700 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368865536 } }] - }, - { - "address": { "type": "absolute", "value": 5368812710 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368883600 } }] - }, - { - "address": { "type": "absolute", "value": 5368812715 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368968522 } }, - { "address": { "type": "absolute", "value": 5368968591 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812735 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368963792 } }] - }, - { - "address": { "type": "absolute", "value": 5368812780 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368859424 } }] - }, - { - "address": { "type": "absolute", "value": 5368812785 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368915584 } }] - }, - { - "address": { "type": "absolute", "value": 5368812845 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369002128 } }] - }, - { - "address": { "type": "absolute", "value": 5368812865 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013632 } }] - }, - { - "address": { "type": "absolute", "value": 5368812875 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368852912 } }, - { "address": { "type": "absolute", "value": 5368853061 } }, - { "address": { 
"type": "absolute", "value": 5368853126 } }, - { "address": { "type": "absolute", "value": 5368853235 } }, - { "address": { "type": "absolute", "value": 5368853300 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812895 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368988624 } }, - { "address": { "type": "absolute", "value": 5368988760 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812910 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368983248 } }, - { "address": { "type": "absolute", "value": 5368983445 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812925 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368907312 } }] - }, - { - "address": { "type": "absolute", "value": 5368812935 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369017488 } }, - { "address": { "type": "absolute", "value": 5369017534 } }, - { "address": { "type": "absolute", "value": 5369017543 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368812970 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368972656 } }] - }, - { - "address": { "type": "absolute", "value": 5368812990 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369001472 } }] - }, - { - "address": { "type": "absolute", "value": 5368812995 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013328 } }] - }, - { - "address": { "type": "absolute", "value": 5368813035 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368978288 } }, - { "address": { "type": "absolute", "value": 5368978428 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813040 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368914624 } }] - }, - { - "address": { "type": "absolute", "value": 5368813065 }, - "matched_basic_blocks": [{ "address": 
{ "type": "absolute", "value": 5368867136 } }] - }, - { - "address": { "type": "absolute", "value": 5368813080 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368908976 } }] - }, - { - "address": { "type": "absolute", "value": 5368813105 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368845952 } }] - }, - { - "address": { "type": "absolute", "value": 5368813120 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368869616 } }] - }, - { - "address": { "type": "absolute", "value": 5368813170 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369011040 } }, - { "address": { "type": "absolute", "value": 5369011098 } }, - { "address": { "type": "absolute", "value": 5369011194 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813175 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368959159 } }] - }, - { - "address": { "type": "absolute", "value": 5368813180 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368949696 } }] - }, - { - "address": { "type": "absolute", "value": 5368813190 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368876128 } }] - }, - { - "address": { "type": "absolute", "value": 5368813195 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368940096 } }] - }, - { - "address": { "type": "absolute", "value": 5368813200 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368946880 } }] - }, - { - "address": { "type": "absolute", "value": 5368813215 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369004272 } }, - { "address": { "type": "absolute", "value": 5369004285 } }, - { "address": { "type": "absolute", "value": 5369004330 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813260 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369010208 } 
}] - }, - { - "address": { "type": "absolute", "value": 5368813275 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368995360 } }, - { "address": { "type": "absolute", "value": 5368995656 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813280 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368858112 } }] - }, - { - "address": { "type": "absolute", "value": 5368813285 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369005387 } }] - }, - { - "address": { "type": "absolute", "value": 5368813315 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368996618 } }, - { "address": { "type": "absolute", "value": 5368996644 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813335 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368943320 } }] - }, - { - "address": { "type": "absolute", "value": 5368813350 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368894864 } }] - }, - { - "address": { "type": "absolute", "value": 5368813355 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368982784 } }] - }, - { - "address": { "type": "absolute", "value": 5368813380 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013664 } }] - }, - { - "address": { "type": "absolute", "value": 5368813395 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368941664 } }] - }, - { - "address": { "type": "absolute", "value": 5368813405 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369006893 } }] - }, - { - "address": { "type": "absolute", "value": 5368813420 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368965144 } }] - }, - { - "address": { "type": "absolute", "value": 5368813435 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368893968 } }, - { 
"address": { "type": "absolute", "value": 5368894104 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813440 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368840864 } }] - }, - { - "address": { "type": "absolute", "value": 5368813445 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368923680 } }] - }, - { - "address": { "type": "absolute", "value": 5368813465 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368929536 } }] - }, - { - "address": { "type": "absolute", "value": 5368813475 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368877280 } }] - }, - { - "address": { "type": "absolute", "value": 5368813500 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368967728 } }] - }, - { - "address": { "type": "absolute", "value": 5368813505 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368915472 } }] - }, - { - "address": { "type": "absolute", "value": 5368813515 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368844272 } }] - }, - { - "address": { "type": "absolute", "value": 5368813525 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368837088 } }] - }, - { - "address": { "type": "absolute", "value": 5368813540 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368898912 } }] - }, - { - "address": { "type": "absolute", "value": 5368813555 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013937 } }] - }, - { - "address": { "type": "absolute", "value": 5368813560 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368858352 } }] - }, - { - "address": { "type": "absolute", "value": 5368813565 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368914432 } }] - }, - { - "address": { "type": "absolute", "value": 5368813585 }, - 
"matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368895248 } }, - { "address": { "type": "absolute", "value": 5368895480 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813590 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368928880 } }] - }, - { - "address": { "type": "absolute", "value": 5368813595 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368921760 } }] - }, - { - "address": { "type": "absolute", "value": 5368813610 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369007594 } }] - }, - { - "address": { "type": "absolute", "value": 5368813630 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369015968 } }] - }, - { - "address": { "type": "absolute", "value": 5368813635 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368839184 } }, - { "address": { "type": "absolute", "value": 5368839341 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813665 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368944560 } }] - }, - { - "address": { "type": "absolute", "value": 5368813670 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368905440 } }, - { "address": { "type": "absolute", "value": 5368905536 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813680 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368898240 } }, - { "address": { "type": "absolute", "value": 5368898405 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813685 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368848000 } }] - }, - { - "address": { "type": "absolute", "value": 5368813695 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368923568 } }] - }, - { - "address": { "type": "absolute", "value": 5368813700 }, - "matched_basic_blocks": [{ 
"address": { "type": "absolute", "value": 5369002064 } }] - }, - { - "address": { "type": "absolute", "value": 5368813705 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368926928 } }] - }, - { - "address": { "type": "absolute", "value": 5368813745 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368986448 } }] - }, - { - "address": { "type": "absolute", "value": 5368813750 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368950592 } }, - { "address": { "type": "absolute", "value": 5368950804 } }, - { "address": { "type": "absolute", "value": 5368950968 } }, - { "address": { "type": "absolute", "value": 5368951220 } }, - { "address": { "type": "absolute", "value": 5368951296 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813760 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368910688 } }, - { "address": { "type": "absolute", "value": 5368910818 } }, - { "address": { "type": "absolute", "value": 5368910906 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813770 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368898576 } }, - { "address": { "type": "absolute", "value": 5368898741 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813815 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368923216 } }] - }, - { - "address": { "type": "absolute", "value": 5368813820 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368925472 } }] - }, - { - "address": { "type": "absolute", "value": 5368813825 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369016224 } }] - }, - { - "address": { "type": "absolute", "value": 5368813830 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368865680 } }] - }, - { - "address": { "type": "absolute", "value": 5368813840 }, - "matched_basic_blocks": [{ 
"address": { "type": "absolute", "value": 5368958453 } }] - }, - { - "address": { "type": "absolute", "value": 5368813895 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368938016 } }] - }, - { - "address": { "type": "absolute", "value": 5368813910 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368866222 } }, - { "address": { "type": "absolute", "value": 5368866309 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368813925 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368848272 } }] - }, - { - "address": { "type": "absolute", "value": 5368813930 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368899264 } }] - }, - { - "address": { "type": "absolute", "value": 5368813935 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368926592 } }] - }, - { - "address": { "type": "absolute", "value": 5368813960 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368871664 } }] - }, - { - "address": { "type": "absolute", "value": 5368813975 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369014016 } }] - }, - { - "address": { "type": "absolute", "value": 5368813980 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369008240 } }] - }, - { - "address": { "type": "absolute", "value": 5368813990 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368890032 } }, - { "address": { "type": "absolute", "value": 5368890242 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814025 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368947424 } }] - }, - { - "address": { "type": "absolute", "value": 5368814035 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368907625 } }] - }, - { - "address": { "type": "absolute", "value": 5368814040 }, - "matched_basic_blocks": [ - { "address": { 
"type": "absolute", "value": 5368864464 } }, - { "address": { "type": "absolute", "value": 5368864594 } }, - { "address": { "type": "absolute", "value": 5368864642 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814065 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369017216 } }] - }, - { - "address": { "type": "absolute", "value": 5368814090 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368847824 } }] - }, - { - "address": { "type": "absolute", "value": 5368814100 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368862560 } }] - }, - { - "address": { "type": "absolute", "value": 5368814130 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368838128 } }] - }, - { - "address": { "type": "absolute", "value": 5368814135 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368935273 } }] - }, - { - "address": { "type": "absolute", "value": 5368814145 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368976496 } }] - }, - { - "address": { "type": "absolute", "value": 5368814200 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369002562 } }] - }, - { - "address": { "type": "absolute", "value": 5368814205 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368999904 } }, - { "address": { "type": "absolute", "value": 5369000118 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814210 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369001216 } }] - }, - { - "address": { "type": "absolute", "value": 5368814230 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368884334 } }] - }, - { - "address": { "type": "absolute", "value": 5368814240 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368918544 } }] - }, - { - "address": { "type": "absolute", "value": 5368814290 
}, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368907088 } }, - { "address": { "type": "absolute", "value": 5368907176 } }, - { "address": { "type": "absolute", "value": 5368907213 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814300 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369006077 } }] - }, - { - "address": { "type": "absolute", "value": 5368814305 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368853616 } }, - { "address": { "type": "absolute", "value": 5368853752 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814335 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368996768 } }] - }, - { - "address": { "type": "absolute", "value": 5368814345 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368891040 } }, - { "address": { "type": "absolute", "value": 5368891218 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814390 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368870592 } }] - }, - { - "address": { "type": "absolute", "value": 5368814415 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369007856 } }] - }, - { - "address": { "type": "absolute", "value": 5368814425 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369000320 } }, - { "address": { "type": "absolute", "value": 5369000497 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814435 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368923456 } }] - }, - { - "address": { "type": "absolute", "value": 5368814450 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368842521 } }] - }, - { - "address": { "type": "absolute", "value": 5368814455 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368916256 } }] - }, - { - "address": { "type": 
"absolute", "value": 5368814490 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368925696 } }, - { "address": { "type": "absolute", "value": 5368925779 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814500 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368909568 } }, - { "address": { "type": "absolute", "value": 5368909711 } }, - { "address": { "type": "absolute", "value": 5368910144 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814540 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368842752 } }] - }, - { - "address": { "type": "absolute", "value": 5368814555 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368893136 } }] - }, - { - "address": { "type": "absolute", "value": 5368814590 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368931728 } }] - }, - { - "address": { "type": "absolute", "value": 5368814600 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368997120 } }] - }, - { - "address": { "type": "absolute", "value": 5368814605 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368986672 } }] - }, - { - "address": { "type": "absolute", "value": 5368814620 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369016272 } }, - { "address": { "type": "absolute", "value": 5369016379 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814630 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368853872 } }] - }, - { - "address": { "type": "absolute", "value": 5368814640 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368908237 } }] - }, - { - "address": { "type": "absolute", "value": 5368814690 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369015535 } }, - { "address": { "type": "absolute", "value": 5369015736 } } - ] - 
}, - { - "address": { "type": "absolute", "value": 5368814700 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368846752 } }] - }, - { - "address": { "type": "absolute", "value": 5368814705 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369007028 } }, - { "address": { "type": "absolute", "value": 5369007110 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814710 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368867760 } }] - }, - { - "address": { "type": "absolute", "value": 5368814735 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368869042 } }, - { "address": { "type": "absolute", "value": 5368869087 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814750 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369005760 } }] - }, - { - "address": { "type": "absolute", "value": 5368814775 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368858838 } }, - { "address": { "type": "absolute", "value": 5368858872 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814800 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368929888 } }] - }, - { - "address": { "type": "absolute", "value": 5368814810 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368874096 } }, - { "address": { "type": "absolute", "value": 5368874319 } }, - { "address": { "type": "absolute", "value": 5368874689 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814830 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369015264 } }, - { "address": { "type": "absolute", "value": 5369015293 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814850 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368871952 } }] - }, - { - "address": { "type": "absolute", "value": 
5368814865 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368919549 } }, - { "address": { "type": "absolute", "value": 5368919737 } }, - { "address": { "type": "absolute", "value": 5368919951 } }, - { "address": { "type": "absolute", "value": 5368920014 } }, - { "address": { "type": "absolute", "value": 5368920079 } }, - { "address": { "type": "absolute", "value": 5368920205 } }, - { "address": { "type": "absolute", "value": 5368920268 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814870 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368841264 } }] - }, - { - "address": { "type": "absolute", "value": 5368814875 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368877056 } }] - }, - { - "address": { "type": "absolute", "value": 5368814880 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368993008 } }] - }, - { - "address": { "type": "absolute", "value": 5368814895 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368990848 } }, - { "address": { "type": "absolute", "value": 5368991013 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814900 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369014144 } }] - }, - { - "address": { "type": "absolute", "value": 5368814905 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368932480 } }, - { "address": { "type": "absolute", "value": 5368932788 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814935 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368908512 } }, - { "address": { "type": "absolute", "value": 5368908692 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814945 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368874928 } }] - }, - { - "address": { "type": "absolute", "value": 5368814970 }, - 
"matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368915920 } }] - }, - { - "address": { "type": "absolute", "value": 5368814980 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368858534 } }, - { "address": { "type": "absolute", "value": 5368858568 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368814990 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368907712 } }, - { "address": { "type": "absolute", "value": 5368907842 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815005 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368892464 } }] - }, - { - "address": { "type": "absolute", "value": 5368815040 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368927760 } }, - { "address": { "type": "absolute", "value": 5368928040 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815050 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368881759 } }, - { "address": { "type": "absolute", "value": 5368882019 } }, - { "address": { "type": "absolute", "value": 5368882175 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815060 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368872528 } }] - }, - { - "address": { "type": "absolute", "value": 5368815070 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368859600 } }] - }, - { - "address": { "type": "absolute", "value": 5368815090 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368934160 } }] - }, - { - "address": { "type": "absolute", "value": 5368815100 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368973264 } }] - }, - { - "address": { "type": "absolute", "value": 5368815115 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368840336 } }] - }, - { - "address": { "type": 
"absolute", "value": 5368815130 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368815130 } }, - { "address": { "type": "absolute", "value": 5369002823 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815140 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369010256 } }] - }, - { - "address": { "type": "absolute", "value": 5368815150 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368899968 } }] - }, - { - "address": { "type": "absolute", "value": 5368815160 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368966608 } }] - }, - { - "address": { "type": "absolute", "value": 5368815165 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368984784 } }] - }, - { - "address": { "type": "absolute", "value": 5368815170 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368860320 } }, - { "address": { "type": "absolute", "value": 5368860417 } }, - { "address": { "type": "absolute", "value": 5368860540 } }, - { "address": { "type": "absolute", "value": 5368860552 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815175 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368914080 } }] - }, - { - "address": { "type": "absolute", "value": 5368815190 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368948908 } }] - }, - { - "address": { "type": "absolute", "value": 5368815200 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368985322 } }] - }, - { - "address": { "type": "absolute", "value": 5368815210 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368845568 } }, - { "address": { "type": "absolute", "value": 5368845680 } }, - { "address": { "type": "absolute", "value": 5368845793 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815215 }, - "matched_basic_blocks": [{ 
"address": { "type": "absolute", "value": 5368962560 } }] - }, - { - "address": { "type": "absolute", "value": 5368815230 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368921024 } }] - }, - { - "address": { "type": "absolute", "value": 5368815245 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368944304 } }] - }, - { - "address": { "type": "absolute", "value": 5368815265 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368899616 } }] - }, - { - "address": { "type": "absolute", "value": 5368815300 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368969872 } }] - }, - { - "address": { "type": "absolute", "value": 5368815315 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368884640 } }, - { "address": { "type": "absolute", "value": 5368884960 } }, - { "address": { "type": "absolute", "value": 5368884998 } }, - { "address": { "type": "absolute", "value": 5368885084 } }, - { "address": { "type": "absolute", "value": 5368885421 } }, - { "address": { "type": "absolute", "value": 5368885459 } }, - { "address": { "type": "absolute", "value": 5368885632 } }, - { "address": { "type": "absolute", "value": 5368885693 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815325 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368837568 } }] - }, - { - "address": { "type": "absolute", "value": 5368815340 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368924704 } }, - { "address": { "type": "absolute", "value": 5368925052 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815350 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368916800 } }] - }, - { - "address": { "type": "absolute", "value": 5368815370 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368906656 } }] - }, - { - "address": { "type": "absolute", 
"value": 5368815385 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369020497 } }] - }, - { - "address": { "type": "absolute", "value": 5368815390 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368865840 } }] - }, - { - "address": { "type": "absolute", "value": 5368815480 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368897904 } }, - { "address": { "type": "absolute", "value": 5368898069 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815500 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368906928 } }, - { "address": { "type": "absolute", "value": 5368906998 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815515 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369017088 } }] - }, - { - "address": { "type": "absolute", "value": 5368815525 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368918304 } }] - }, - { - "address": { "type": "absolute", "value": 5368815530 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368957808 } }] - }, - { - "address": { "type": "absolute", "value": 5368815555 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368871008 } }] - }, - { - "address": { "type": "absolute", "value": 5368815575 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369016016 } }, - { "address": { "type": "absolute", "value": 5369016067 } }, - { "address": { "type": "absolute", "value": 5369016177 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815585 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369001792 } }, - { "address": { "type": "absolute", "value": 5369001893 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815590 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368971024 } }, - { 
"address": { "type": "absolute", "value": 5368971322 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815610 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368964656 } }] - }, - { - "address": { "type": "absolute", "value": 5368815625 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368998896 } }] - }, - { - "address": { "type": "absolute", "value": 5368815660 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369007252 } }, - { "address": { "type": "absolute", "value": 5369007274 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815670 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369007296 } }, - { "address": { "type": "absolute", "value": 5369007416 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815675 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368965504 } }, - { "address": { "type": "absolute", "value": 5368965587 } }, - { "address": { "type": "absolute", "value": 5368965631 } }, - { "address": { "type": "absolute", "value": 5368965660 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815680 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368849296 } }] - }, - { - "address": { "type": "absolute", "value": 5368815685 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369002571 } }] - }, - { - "address": { "type": "absolute", "value": 5368815690 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368970112 } }, - { "address": { "type": "absolute", "value": 5368970395 } }, - { "address": { "type": "absolute", "value": 5368970461 } }, - { "address": { "type": "absolute", "value": 5368970515 } }, - { "address": { "type": "absolute", "value": 5368970547 } }, - { "address": { "type": "absolute", "value": 5368970619 } }, - { "address": { "type": "absolute", "value": 5368970649 } } - ] 
- }, - { - "address": { "type": "absolute", "value": 5368815715 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368841536 } }, - { "address": { "type": "absolute", "value": 5368841775 } }, - { "address": { "type": "absolute", "value": 5368841964 } }, - { "address": { "type": "absolute", "value": 5368842047 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815725 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368894224 } }, - { "address": { "type": "absolute", "value": 5368894360 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815745 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013008 } }] - }, - { - "address": { "type": "absolute", "value": 5368815755 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368974336 } }] - }, - { - "address": { "type": "absolute", "value": 5368815765 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368930496 } }] - }, - { - "address": { "type": "absolute", "value": 5368815770 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368894480 } }] - }, - { - "address": { "type": "absolute", "value": 5368815780 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368847040 } }] - }, - { - "address": { "type": "absolute", "value": 5368815785 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369007824 } }] - }, - { - "address": { "type": "absolute", "value": 5368815805 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369014192 } }, - { "address": { "type": "absolute", "value": 5369014382 } }, - { "address": { "type": "absolute", "value": 5369014472 } }, - { "address": { "type": "absolute", "value": 5369014657 } }, - { "address": { "type": "absolute", "value": 5369014716 } }, - { "address": { "type": "absolute", "value": 5369014793 } }, - { "address": { "type": "absolute", 
"value": 5369014834 } }, - { "address": { "type": "absolute", "value": 5369014938 } }, - { "address": { "type": "absolute", "value": 5369015008 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815865 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368890480 } }] - }, - { - "address": { "type": "absolute", "value": 5368815870 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368916144 } }] - }, - { - "address": { "type": "absolute", "value": 5368815890 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368999336 } }] - }, - { - "address": { "type": "absolute", "value": 5368815895 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369006544 } }, - { "address": { "type": "absolute", "value": 5369006612 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815905 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368877504 } }] - }, - { - "address": { "type": "absolute", "value": 5368815910 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368840608 } }] - }, - { - "address": { "type": "absolute", "value": 5368815925 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368842992 } }] - }, - { - "address": { "type": "absolute", "value": 5368815930 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368913856 } }] - }, - { - "address": { "type": "absolute", "value": 5368815955 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368920912 } }] - }, - { - "address": { "type": "absolute", "value": 5368815960 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368953248 } }] - }, - { - "address": { "type": "absolute", "value": 5368815965 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369013968 } }] - }, - { - "address": { "type": "absolute", "value": 5368815970 }, - 
"matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368886745 } }, - { "address": { "type": "absolute", "value": 5368886781 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368815980 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369008302 } }] - }, - { - "address": { "type": "absolute", "value": 5368816000 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368858656 } }] - }, - { - "address": { "type": "absolute", "value": 5368816010 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368887327 } }, - { "address": { "type": "absolute", "value": 5368887482 } }, - { "address": { "type": "absolute", "value": 5368887733 } }, - { "address": { "type": "absolute", "value": 5368887794 } }, - { "address": { "type": "absolute", "value": 5368887937 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816025 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368997936 } }] - }, - { - "address": { "type": "absolute", "value": 5368816045 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368996944 } }] - }, - { - "address": { "type": "absolute", "value": 5368816060 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368994400 } }, - { "address": { "type": "absolute", "value": 5368994791 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816065 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368873312 } }] - }, - { - "address": { "type": "absolute", "value": 5368816080 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368882496 } }] - }, - { - "address": { "type": "absolute", "value": 5368816085 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369016848 } }, - { "address": { "type": "absolute", "value": 5369016959 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816100 }, - 
"matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368869250 } }, - { "address": { "type": "absolute", "value": 5368869313 } }, - { "address": { "type": "absolute", "value": 5368869337 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816105 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369003728 } }, - { "address": { "type": "absolute", "value": 5369003794 } }, - { "address": { "type": "absolute", "value": 5369003826 } }, - { "address": { "type": "absolute", "value": 5369003841 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816135 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369004352 } }] - }, - { - "address": { "type": "absolute", "value": 5368816155 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368912320 } }, - { "address": { "type": "absolute", "value": 5368912450 } }, - { "address": { "type": "absolute", "value": 5368912538 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816160 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368978884 } }, - { "address": { "type": "absolute", "value": 5368979231 } }, - { "address": { "type": "absolute", "value": 5368979385 } }, - { "address": { "type": "absolute", "value": 5368979938 } }, - { "address": { "type": "absolute", "value": 5368980220 } }, - { "address": { "type": "absolute", "value": 5368980317 } }, - { "address": { "type": "absolute", "value": 5368980473 } }, - { "address": { "type": "absolute", "value": 5368980815 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816165 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368888611 } }, - { "address": { "type": "absolute", "value": 5368888766 } }, - { "address": { "type": "absolute", "value": 5368889163 } }, - { "address": { "type": "absolute", "value": 5368889407 } }, - { "address": { "type": "absolute", "value": 5368889461 } } - 
] - }, - { - "address": { "type": "absolute", "value": 5368816185 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369005472 } }] - }, - { - "address": { "type": "absolute", "value": 5368816205 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368965328 } }] - }, - { - "address": { "type": "absolute", "value": 5368816215 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368933200 } }] - }, - { - "address": { "type": "absolute", "value": 5368816225 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368928768 } }] - }, - { - "address": { "type": "absolute", "value": 5368816245 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368954848 } }, - { "address": { "type": "absolute", "value": 5368955014 } }, - { "address": { "type": "absolute", "value": 5368955356 } }, - { "address": { "type": "absolute", "value": 5368955764 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816265 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369014064 } }, - { "address": { "type": "absolute", "value": 5369014111 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816310 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368945965 } }] - }, - { - "address": { "type": "absolute", "value": 5368816320 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368966232 } }, - { "address": { "type": "absolute", "value": 5368966375 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816360 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368870800 } }] - }, - { - "address": { "type": "absolute", "value": 5368816365 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369010176 } }] - }, - { - "address": { "type": "absolute", "value": 5368816400 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", 
"value": 5368845408 } }] - }, - { - "address": { "type": "absolute", "value": 5368816445 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369017392 } }, - { "address": { "type": "absolute", "value": 5369017438 } }, - { "address": { "type": "absolute", "value": 5369017447 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816450 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5369007194 } }] - }, - { - "address": { "type": "absolute", "value": 5368816460 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368956192 } }, - { "address": { "type": "absolute", "value": 5368956528 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816465 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5369002562 } }, - { "address": { "type": "absolute", "value": 5369002568 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368816515 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368916032 } }] - }, - { - "address": { "type": "absolute", "value": 5368821728 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368821728 } }] - }, - { - "address": { "type": "absolute", "value": 5368822176 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368822176 } }] - }, - { - "address": { "type": "absolute", "value": 5368824096 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368824096 } }] - }, - { - "address": { "type": "absolute", "value": 5368838672 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368838672 } }] - }, - { - "address": { "type": "absolute", "value": 5368882832 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368882832 } }, - { "address": { "type": "absolute", "value": 5368882955 } }, - { "address": { "type": "absolute", "value": 5368883110 } }, - { "address": { "type": "absolute", 
"value": 5368883232 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368891376 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368891498 } }, - { "address": { "type": "absolute", "value": 5368891614 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368891792 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368891898 } }] - }, - { - "address": { "type": "absolute", "value": 5368892096 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368892096 } }] - }, - { - "address": { "type": "absolute", "value": 5368892304 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368892304 } }] - }, - { - "address": { "type": "absolute", "value": 5368909136 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368909136 } }] - }, - { - "address": { "type": "absolute", "value": 5368960864 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368961024 } }, - { "address": { "type": "absolute", "value": 5368961046 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368964112 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368964112 } }] - }, - { - "address": { "type": "absolute", "value": 5368964496 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368964496 } }] - }, - { - "address": { "type": "absolute", "value": 5368986896 }, - "matched_basic_blocks": [ - { "address": { "type": "absolute", "value": 5368987018 } }, - { "address": { "type": "absolute", "value": 5368987134 } } - ] - }, - { - "address": { "type": "absolute", "value": 5368987312 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368987418 } }] - }, - { - "address": { "type": "absolute", "value": 5368988000 }, - "matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368988000 } }] - }, - { - "address": { "type": "absolute", "value": 5368988208 }, - 
"matched_basic_blocks": [{ "address": { "type": "absolute", "value": 5368988208 } }] - } - ] - }, - "feature_counts": { - "file": 2217, - "functions": [ - { "address": { "type": "absolute", "value": 5368811525 }, "count": 58 }, - { "address": { "type": "absolute", "value": 5368811530 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368811535 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368811540 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368811550 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811555 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368811560 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368811565 }, "count": 78 }, - { "address": { "type": "absolute", "value": 5368811570 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368811585 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368811590 }, "count": 49 }, - { "address": { "type": "absolute", "value": 5368811605 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811620 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368811625 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368811630 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368811655 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368811660 }, "count": 56 }, - { "address": { "type": "absolute", "value": 5368811670 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368811675 }, "count": 72 }, - { "address": { "type": "absolute", "value": 5368811680 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368811685 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811690 }, "count": 14 }, - { "address": { "type": "absolute", "value": 5368811695 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368811705 }, "count": 28 }, - { "address": { "type": "absolute", "value": 
5368811715 }, "count": 130 }, - { "address": { "type": "absolute", "value": 5368811720 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368811740 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368811745 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811750 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368811755 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368811760 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811765 }, "count": 58 }, - { "address": { "type": "absolute", "value": 5368811770 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368811775 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811780 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368811785 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368811790 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811795 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368811800 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368811805 }, "count": 95 }, - { "address": { "type": "absolute", "value": 5368811810 }, "count": 63 }, - { "address": { "type": "absolute", "value": 5368811820 }, "count": 64 }, - { "address": { "type": "absolute", "value": 5368811825 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368811830 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368811835 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368811850 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368811855 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368811865 }, "count": 59 }, - { "address": { "type": "absolute", "value": 5368811870 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368811875 }, "count": 67 }, - { "address": { "type": "absolute", "value": 5368811880 }, "count": 33 }, - { "address": { 
"type": "absolute", "value": 5368811885 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368811890 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811895 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368811905 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368811910 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811915 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368811920 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368811925 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368811930 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811955 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368811960 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368811965 }, "count": 48 }, - { "address": { "type": "absolute", "value": 5368811970 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368811975 }, "count": 11 }, - { "address": { "type": "absolute", "value": 5368811980 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368811985 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368811990 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368812010 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368812015 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812020 }, "count": 112 }, - { "address": { "type": "absolute", "value": 5368812030 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368812035 }, "count": 63 }, - { "address": { "type": "absolute", "value": 5368812040 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812050 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368812055 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812065 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812070 }, "count": 
31 }, - { "address": { "type": "absolute", "value": 5368812075 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812080 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368812085 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812095 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812100 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368812105 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368812110 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812115 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368812120 }, "count": 82 }, - { "address": { "type": "absolute", "value": 5368812130 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812140 }, "count": 78 }, - { "address": { "type": "absolute", "value": 5368812145 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812150 }, "count": 84 }, - { "address": { "type": "absolute", "value": 5368812155 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812165 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812170 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368812175 }, "count": 17 }, - { "address": { "type": "absolute", "value": 5368812180 }, "count": 47 }, - { "address": { "type": "absolute", "value": 5368812185 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368812190 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812195 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368812205 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368812210 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812220 }, "count": 21 }, - { "address": { "type": "absolute", "value": 5368812230 }, "count": 68 }, - { "address": { "type": "absolute", "value": 5368812235 }, "count": 28 }, - { "address": { "type": "absolute", "value": 
5368812240 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812250 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812255 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368812265 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368812270 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368812275 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812285 }, "count": 70 }, - { "address": { "type": "absolute", "value": 5368812290 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812295 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812300 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368812305 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812310 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368812315 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368812320 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368812325 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368812330 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812335 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368812340 }, "count": 70 }, - { "address": { "type": "absolute", "value": 5368812350 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368812360 }, "count": 108 }, - { "address": { "type": "absolute", "value": 5368812380 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368812385 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812390 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368812395 }, "count": 104 }, - { "address": { "type": "absolute", "value": 5368812405 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812415 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812425 }, "count": 9 }, - { "address": { 
"type": "absolute", "value": 5368812430 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368812445 }, "count": 23 }, - { "address": { "type": "absolute", "value": 5368812455 }, "count": 49 }, - { "address": { "type": "absolute", "value": 5368812465 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368812475 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368812480 }, "count": 68 }, - { "address": { "type": "absolute", "value": 5368812485 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812495 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368812500 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368812505 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812530 }, "count": 78 }, - { "address": { "type": "absolute", "value": 5368812550 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368812565 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812575 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368812580 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812585 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368812590 }, "count": 72 }, - { "address": { "type": "absolute", "value": 5368812600 }, "count": 55 }, - { "address": { "type": "absolute", "value": 5368812615 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812640 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368812645 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812650 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368812660 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368812665 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812670 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368812675 }, "count": 47 }, - { "address": { "type": "absolute", "value": 5368812680 }, "count": 
49 }, - { "address": { "type": "absolute", "value": 5368812685 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368812690 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812695 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368812700 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812710 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368812715 }, "count": 77 }, - { "address": { "type": "absolute", "value": 5368812725 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368812730 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812735 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368812740 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368812745 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368812750 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368812770 }, "count": 11 }, - { "address": { "type": "absolute", "value": 5368812775 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368812780 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368812785 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812805 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812810 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812830 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812840 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812845 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368812855 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812860 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368812865 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368812870 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368812875 }, "count": 89 }, - { "address": { "type": "absolute", "value": 
5368812880 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368812890 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368812895 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368812900 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368812910 }, "count": 81 }, - { "address": { "type": "absolute", "value": 5368812920 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368812925 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368812935 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368812950 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368812955 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368812960 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368812970 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368812975 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368812980 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368812985 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368812990 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368812995 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368813005 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813020 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368813025 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368813030 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368813035 }, "count": 64 }, - { "address": { "type": "absolute", "value": 5368813040 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368813050 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368813055 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368813060 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368813065 }, "count": 42 }, - { "address": { 
"type": "absolute", "value": 5368813070 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813075 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813080 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368813085 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368813095 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368813100 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813105 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813115 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368813120 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368813125 }, "count": 25 }, - { "address": { "type": "absolute", "value": 5368813130 }, "count": 12 }, - { "address": { "type": "absolute", "value": 5368813135 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368813145 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813155 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368813170 }, "count": 65 }, - { "address": { "type": "absolute", "value": 5368813175 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368813180 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368813185 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813190 }, "count": 44 }, - { "address": { "type": "absolute", "value": 5368813195 }, "count": 70 }, - { "address": { "type": "absolute", "value": 5368813200 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368813205 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368813215 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368813220 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813225 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813235 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368813240 }, 
"count": 37 }, - { "address": { "type": "absolute", "value": 5368813245 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813250 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813255 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813260 }, "count": 22 }, - { "address": { "type": "absolute", "value": 5368813265 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813275 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368813280 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368813285 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813290 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368813305 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813310 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813315 }, "count": 48 }, - { "address": { "type": "absolute", "value": 5368813335 }, "count": 79 }, - { "address": { "type": "absolute", "value": 5368813345 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368813350 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368813355 }, "count": 58 }, - { "address": { "type": "absolute", "value": 5368813365 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368813380 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368813390 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813395 }, "count": 66 }, - { "address": { "type": "absolute", "value": 5368813400 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813405 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368813415 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813420 }, "count": 59 }, - { "address": { "type": "absolute", "value": 5368813435 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368813440 }, "count": 51 }, - { "address": { "type": "absolute", 
"value": 5368813445 }, "count": 66 }, - { "address": { "type": "absolute", "value": 5368813460 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368813465 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368813470 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813475 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368813485 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368813490 }, "count": 299 }, - { "address": { "type": "absolute", "value": 5368813500 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368813505 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368813515 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368813525 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368813540 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368813545 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813550 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368813555 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368813560 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368813565 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813575 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813580 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368813585 }, "count": 66 }, - { "address": { "type": "absolute", "value": 5368813590 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368813595 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813600 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368813610 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368813615 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813620 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368813625 }, "count": 31 }, - { 
"address": { "type": "absolute", "value": 5368813630 }, "count": 14 }, - { "address": { "type": "absolute", "value": 5368813635 }, "count": 64 }, - { "address": { "type": "absolute", "value": 5368813650 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368813665 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368813670 }, "count": 70 }, - { "address": { "type": "absolute", "value": 5368813675 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813680 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368813685 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368813695 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368813700 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368813705 }, "count": 69 }, - { "address": { "type": "absolute", "value": 5368813710 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368813715 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368813720 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368813730 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368813735 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813745 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368813750 }, "count": 107 }, - { "address": { "type": "absolute", "value": 5368813755 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813760 }, "count": 75 }, - { "address": { "type": "absolute", "value": 5368813770 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368813780 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813785 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368813795 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813800 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368813805 }, "count": 32 }, - { "address": { "type": "absolute", "value": 
5368813810 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368813815 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368813820 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368813825 }, "count": 17 }, - { "address": { "type": "absolute", "value": 5368813830 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368813835 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368813840 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368813845 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368813860 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368813865 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813875 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368813890 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368813895 }, "count": 64 }, - { "address": { "type": "absolute", "value": 5368813900 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368813910 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368813915 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368813920 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368813925 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368813930 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368813935 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368813950 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368813960 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368813970 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368813975 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368813980 }, "count": 17 }, - { "address": { "type": "absolute", "value": 5368813990 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814000 }, "count": 22 }, - { "address": { 
"type": "absolute", "value": 5368814015 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368814020 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814025 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368814030 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368814035 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368814040 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368814045 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368814050 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368814055 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368814060 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814065 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814075 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814090 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368814100 }, "count": 44 }, - { "address": { "type": "absolute", "value": 5368814110 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368814130 }, "count": 63 }, - { "address": { "type": "absolute", "value": 5368814135 }, "count": 75 }, - { "address": { "type": "absolute", "value": 5368814145 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368814160 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814165 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368814175 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814180 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368814195 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368814200 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814205 }, "count": 65 }, - { "address": { "type": "absolute", "value": 5368814210 }, "count": 44 }, - { "address": { "type": "absolute", "value": 5368814215 }, 
"count": 9 }, - { "address": { "type": "absolute", "value": 5368814225 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814230 }, "count": 76 }, - { "address": { "type": "absolute", "value": 5368814235 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368814240 }, "count": 68 }, - { "address": { "type": "absolute", "value": 5368814250 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814255 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368814260 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814270 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368814275 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368814290 }, "count": 49 }, - { "address": { "type": "absolute", "value": 5368814295 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368814300 }, "count": 44 }, - { "address": { "type": "absolute", "value": 5368814305 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368814310 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368814315 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368814325 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814330 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368814335 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368814340 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368814345 }, "count": 65 }, - { "address": { "type": "absolute", "value": 5368814355 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814360 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368814365 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368814375 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368814390 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814400 }, "count": 31 }, - { "address": { "type": "absolute", 
"value": 5368814405 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814410 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814415 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368814425 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814435 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368814440 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368814445 }, "count": 46 }, - { "address": { "type": "absolute", "value": 5368814450 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814455 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368814460 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368814465 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814470 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814485 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814490 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368814495 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368814500 }, "count": 94 }, - { "address": { "type": "absolute", "value": 5368814520 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814530 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368814540 }, "count": 49 }, - { "address": { "type": "absolute", "value": 5368814545 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814550 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814555 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368814560 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368814585 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814590 }, "count": 81 }, - { "address": { "type": "absolute", "value": 5368814600 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368814605 }, "count": 50 }, - { "address": 
{ "type": "absolute", "value": 5368814615 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368814620 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368814630 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368814640 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814645 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814650 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368814665 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814680 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368814685 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814690 }, "count": 109 }, - { "address": { "type": "absolute", "value": 5368814695 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368814700 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368814705 }, "count": 55 }, - { "address": { "type": "absolute", "value": 5368814710 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368814715 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368814720 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368814725 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814730 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368814735 }, "count": 55 }, - { "address": { "type": "absolute", "value": 5368814740 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368814745 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814750 }, "count": 15 }, - { "address": { "type": "absolute", "value": 5368814755 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814760 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814765 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368814775 }, "count": 56 }, - { "address": { "type": "absolute", "value": 5368814780 }, 
"count": 33 }, - { "address": { "type": "absolute", "value": 5368814790 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368814795 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368814800 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814810 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368814815 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368814820 }, "count": 68 }, - { "address": { "type": "absolute", "value": 5368814830 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368814835 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814850 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368814855 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814865 }, "count": 118 }, - { "address": { "type": "absolute", "value": 5368814870 }, "count": 49 }, - { "address": { "type": "absolute", "value": 5368814875 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368814880 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368814890 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368814895 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368814900 }, "count": 22 }, - { "address": { "type": "absolute", "value": 5368814905 }, "count": 79 }, - { "address": { "type": "absolute", "value": 5368814910 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368814925 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368814935 }, "count": 73 }, - { "address": { "type": "absolute", "value": 5368814940 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368814945 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368814955 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368814960 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368814965 }, "count": 33 }, - { "address": { "type": 
"absolute", "value": 5368814970 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368814980 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368814985 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368814990 }, "count": 55 }, - { "address": { "type": "absolute", "value": 5368814995 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815005 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368815010 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815025 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815040 }, "count": 84 }, - { "address": { "type": "absolute", "value": 5368815045 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815050 }, "count": 73 }, - { "address": { "type": "absolute", "value": 5368815055 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368815060 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368815070 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368815085 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368815090 }, "count": 69 }, - { "address": { "type": "absolute", "value": 5368815100 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368815105 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815115 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368815125 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815130 }, "count": 13 }, - { "address": { "type": "absolute", "value": 5368815135 }, "count": 12 }, - { "address": { "type": "absolute", "value": 5368815140 }, "count": 16 }, - { "address": { "type": "absolute", "value": 5368815145 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815150 }, "count": 64 }, - { "address": { "type": "absolute", "value": 5368815160 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368815165 }, "count": 62 }, - 
{ "address": { "type": "absolute", "value": 5368815170 }, "count": 63 }, - { "address": { "type": "absolute", "value": 5368815175 }, "count": 56 }, - { "address": { "type": "absolute", "value": 5368815180 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815185 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815190 }, "count": 76 }, - { "address": { "type": "absolute", "value": 5368815195 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815200 }, "count": 74 }, - { "address": { "type": "absolute", "value": 5368815205 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815210 }, "count": 84 }, - { "address": { "type": "absolute", "value": 5368815215 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368815225 }, "count": 12 }, - { "address": { "type": "absolute", "value": 5368815230 }, "count": 87 }, - { "address": { "type": "absolute", "value": 5368815240 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368815245 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368815250 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368815255 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815260 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815265 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368815270 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815280 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368815290 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815300 }, "count": 53 }, - { "address": { "type": "absolute", "value": 5368815305 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815310 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815315 }, "count": 89 }, - { "address": { "type": "absolute", "value": 5368815320 }, "count": 39 }, - { "address": { "type": "absolute", "value": 
5368815325 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368815335 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815340 }, "count": 63 }, - { "address": { "type": "absolute", "value": 5368815350 }, "count": 78 }, - { "address": { "type": "absolute", "value": 5368815360 }, "count": 27 }, - { "address": { "type": "absolute", "value": 5368815365 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368815370 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368815380 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368815385 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815390 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368815400 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815415 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368815435 }, "count": 81 }, - { "address": { "type": "absolute", "value": 5368815440 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368815450 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368815460 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815470 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368815475 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815480 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368815490 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815495 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815500 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368815505 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815510 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815515 }, "count": 16 }, - { "address": { "type": "absolute", "value": 5368815520 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815525 }, "count": 43 }, - { "address": { 
"type": "absolute", "value": 5368815530 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815535 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815550 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368815555 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815570 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815575 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368815585 }, "count": 44 }, - { "address": { "type": "absolute", "value": 5368815590 }, "count": 65 }, - { "address": { "type": "absolute", "value": 5368815595 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815600 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815610 }, "count": 56 }, - { "address": { "type": "absolute", "value": 5368815615 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368815625 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368815630 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368815635 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815640 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368815645 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368815655 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368815660 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368815670 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368815675 }, "count": 72 }, - { "address": { "type": "absolute", "value": 5368815680 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368815685 }, "count": 22 }, - { "address": { "type": "absolute", "value": 5368815690 }, "count": 85 }, - { "address": { "type": "absolute", "value": 5368815700 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368815705 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815715 }, 
"count": 82 }, - { "address": { "type": "absolute", "value": 5368815720 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815725 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368815735 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368815745 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815755 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368815765 }, "count": 47 }, - { "address": { "type": "absolute", "value": 5368815770 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368815775 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368815780 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368815785 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368815795 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815805 }, "count": 134 }, - { "address": { "type": "absolute", "value": 5368815820 }, "count": 25 }, - { "address": { "type": "absolute", "value": 5368815830 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368815835 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368815850 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368815855 }, "count": 6 }, - { "address": { "type": "absolute", "value": 5368815865 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368815870 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368815880 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368815890 }, "count": 46 }, - { "address": { "type": "absolute", "value": 5368815895 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368815900 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368815905 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368815910 }, "count": 48 }, - { "address": { "type": "absolute", "value": 5368815920 }, "count": 10 }, - { "address": { "type": "absolute", 
"value": 5368815925 }, "count": 62 }, - { "address": { "type": "absolute", "value": 5368815930 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368815940 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368815945 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368815955 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368815960 }, "count": 59 }, - { "address": { "type": "absolute", "value": 5368815965 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368815970 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368815975 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368815980 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368815985 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815990 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368815995 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368816000 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368816005 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816010 }, "count": 87 }, - { "address": { "type": "absolute", "value": 5368816015 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368816020 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368816025 }, "count": 50 }, - { "address": { "type": "absolute", "value": 5368816040 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368816045 }, "count": 42 }, - { "address": { "type": "absolute", "value": 5368816055 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816060 }, "count": 84 }, - { "address": { "type": "absolute", "value": 5368816065 }, "count": 52 }, - { "address": { "type": "absolute", "value": 5368816070 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368816080 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368816085 }, "count": 31 }, - { 
"address": { "type": "absolute", "value": 5368816095 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368816100 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368816105 }, "count": 55 }, - { "address": { "type": "absolute", "value": 5368816110 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816120 }, "count": 40 }, - { "address": { "type": "absolute", "value": 5368816125 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368816135 }, "count": 19 }, - { "address": { "type": "absolute", "value": 5368816145 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368816155 }, "count": 76 }, - { "address": { "type": "absolute", "value": 5368816160 }, "count": 164 }, - { "address": { "type": "absolute", "value": 5368816165 }, "count": 107 }, - { "address": { "type": "absolute", "value": 5368816170 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368816180 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816185 }, "count": 16 }, - { "address": { "type": "absolute", "value": 5368816195 }, "count": 38 }, - { "address": { "type": "absolute", "value": 5368816205 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368816215 }, "count": 69 }, - { "address": { "type": "absolute", "value": 5368816220 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368816225 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368816230 }, "count": 74 }, - { "address": { "type": "absolute", "value": 5368816235 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368816240 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368816245 }, "count": 114 }, - { "address": { "type": "absolute", "value": 5368816250 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816265 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816270 }, "count": 27 }, - { "address": { "type": "absolute", "value": 
5368816275 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368816280 }, "count": 34 }, - { "address": { "type": "absolute", "value": 5368816290 }, "count": 8 }, - { "address": { "type": "absolute", "value": 5368816295 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368816310 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368816320 }, "count": 65 }, - { "address": { "type": "absolute", "value": 5368816335 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368816340 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816345 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816355 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816360 }, "count": 35 }, - { "address": { "type": "absolute", "value": 5368816365 }, "count": 18 }, - { "address": { "type": "absolute", "value": 5368816375 }, "count": 24 }, - { "address": { "type": "absolute", "value": 5368816380 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368816385 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368816400 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368816405 }, "count": 33 }, - { "address": { "type": "absolute", "value": 5368816415 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816420 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816425 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368816430 }, "count": 9 }, - { "address": { "type": "absolute", "value": 5368816445 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816450 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368816455 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368816460 }, "count": 66 }, - { "address": { "type": "absolute", "value": 5368816465 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816470 }, "count": 31 }, - { "address": { 
"type": "absolute", "value": 5368816480 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368816485 }, "count": 32 }, - { "address": { "type": "absolute", "value": 5368816490 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368816495 }, "count": 26 }, - { "address": { "type": "absolute", "value": 5368816500 }, "count": 57 }, - { "address": { "type": "absolute", "value": 5368816505 }, "count": 29 }, - { "address": { "type": "absolute", "value": 5368816510 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816515 }, "count": 36 }, - { "address": { "type": "absolute", "value": 5368816525 }, "count": 10 }, - { "address": { "type": "absolute", "value": 5368816530 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816540 }, "count": 31 }, - { "address": { "type": "absolute", "value": 5368816545 }, "count": 37 }, - { "address": { "type": "absolute", "value": 5368816550 }, "count": 39 }, - { "address": { "type": "absolute", "value": 5368816555 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368821600 }, "count": 25 }, - { "address": { "type": "absolute", "value": 5368821728 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368822176 }, "count": 116 }, - { "address": { "type": "absolute", "value": 5368824096 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368838672 }, "count": 41 }, - { "address": { "type": "absolute", "value": 5368882832 }, "count": 94 }, - { "address": { "type": "absolute", "value": 5368891376 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368891792 }, "count": 59 }, - { "address": { "type": "absolute", "value": 5368892096 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368892304 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368909136 }, "count": 46 }, - { "address": { "type": "absolute", "value": 5368960864 }, "count": 60 }, - { "address": { "type": "absolute", "value": 5368963056 }, 
"count": 38 }, - { "address": { "type": "absolute", "value": 5368964112 }, "count": 54 }, - { "address": { "type": "absolute", "value": 5368964496 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5368971776 }, "count": 30 }, - { "address": { "type": "absolute", "value": 5368971888 }, "count": 28 }, - { "address": { "type": "absolute", "value": 5368986896 }, "count": 61 }, - { "address": { "type": "absolute", "value": 5368987312 }, "count": 59 }, - { "address": { "type": "absolute", "value": 5368988000 }, "count": 45 }, - { "address": { "type": "absolute", "value": 5368988208 }, "count": 43 }, - { "address": { "type": "absolute", "value": 5369037280 }, "count": 21 } - ] - }, - "library_functions": [ - { - "address": { "type": "absolute", "value": 5369005504 }, - "name": "?find_pe_section@@YAPEAU_IMAGE_SECTION_HEADER@@QEAE_K@Z" - }, - { - "address": { "type": "absolute", "value": 5369005792 }, - "name": "?is_potentially_valid_image_base@@YA_NQEAX@Z" - }, - { "address": { "type": "absolute", "value": 5369008832 }, "name": "?" }, - { "address": { "type": "absolute", "value": 5369009024 }, "name": "?" 
}, - { - "address": { "type": "absolute", "value": 5369009248 }, - "name": "?pre_c_initialization@@YAHXZ" - }, - { - "address": { "type": "absolute", "value": 5369009472 }, - "name": "mbedtls_des_setkey_enc" - }, - { - "address": { "type": "absolute", "value": 5369009504 }, - "name": "?pre_cpp_initialization@@YAXXZ" - }, - { - "address": { "type": "absolute", "value": 5369009536 }, - "name": "?__scrt_common_main@@YAHXZ" - }, - { - "address": { "type": "absolute", "value": 5369009568 }, - "name": "?__scrt_common_main_seh@@YAHXZ" - }, - { "address": { "type": "absolute", "value": 5369010096 }, "name": "?invoke_main@@YAHXZ" }, - { - "address": { "type": "absolute", "value": 5369010320 }, - "name": "?DebuggerProbe@@YA_NK@Z" - }, - { - "address": { "type": "absolute", "value": 5369010400 }, - "name": "?DebuggerRuntime@@YA_NKHPEAXPEB_W@Z" - }, - { - "address": { "type": "absolute", "value": 5369011536 }, - "name": "?_strlen_priv@@YA_KPEBD@Z" - }, - { - "address": { "type": "absolute", "value": 5369011568 }, - "name": "?failwithmessage@@YAXPEAXHHPEBD@Z" - }, - { - "address": { "type": "absolute", "value": 5369012336 }, - "name": "?notify_debugger@@YAXAEBUtagEXCEPTION_VISUALCPP_DEBUG_INFO@@@Z" - }, - { "address": { "type": "absolute", "value": 5369016608 }, "name": "__get_entropy" }, - { - "address": { "type": "absolute", "value": 5369017584 }, - "name": "?GetPdbDll@@YAPEAUHINSTANCE__@@XZ" - }, - { - "address": { "type": "absolute", "value": 5369018000 }, - "name": "?GetPdbDllFromInstallPath@@YAPEAUHINSTANCE__@@XZ" - }, - { - "address": { "type": "absolute", "value": 5369018864 }, - "name": "?GetPdbDllPathFromFilePath@@YAHPEB_WPEA_W_K@Z" - } - ] - } - }, - "rules": { - "calculate modulo 256 via x86 assembly": { - "meta": { - "name": "calculate modulo 256 via x86 assembly", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "instruction" }, - "attack": [], - "mbc": [ - { - "parts": ["Data", "Modulo"], - "objective": "Data", - "behavior": "Modulo", - 
"method": "", - "id": "C0058" - } - ], - "references": [], - "examples": ["9324D1A8AE37A36AE560C37448C9705A:0x4049A9"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: calculate modulo 256 via x86 assembly\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n lib: true\r\n scopes:\r\n static: instruction\r\n dynamic: unsupported # requires mnemonic features\r\n mbc:\r\n - Data::Modulo [C0058]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x4049A9\r\n features:\r\n # and ecx, 800000FFh\r\n # and ecx, 0FFh\r\n - and:\r\n - mnemonic: and\r\n - or:\r\n - number: 0x800000FF\r\n - number: 0xFF\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368911666 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "mnemonic", "mnemonic": "and" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911666 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 2147483903 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "number", "number": 255 } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911666 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "delay execution": { - "meta": { - "name": "delay execution", - "authors": ["michael.hunhoff@mandiant.com", "@ramen0x3f"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Dynamic Analysis Evasion", "Delayed Execution"], - "objective": "Anti-Behavioral Analysis", 
- "behavior": "Dynamic Analysis Evasion", - "method": "Delayed Execution", - "id": "B0003.003" - } - ], - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions", - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x449770", "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: delay execution\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - \"@ramen0x3f\"\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]\r\n references:\r\n - https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x449770\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6\r\n features:\r\n - or:\r\n - and:\r\n - os: windows\r\n - or:\r\n - api: kernel32.Sleep\r\n - api: kernel32.SleepEx\r\n - api: kernel32.WaitForSingleObject\r\n - api: kernel32.SignalObjectAndWait\r\n - api: kernel32.WaitForSingleObjectEx\r\n - api: kernel32.WaitForMultipleObjects\r\n - api: kernel32.WaitForMultipleObjectsEx\r\n - api: kernel32.RegisterWaitForSingleObject\r\n - api: WaitOnAddress\r\n - api: user32.MsgWaitForMultipleObjects\r\n - api: user32.MsgWaitForMultipleObjectsEx\r\n - api: NtDelayExecution\r\n - api: KeWaitForSingleObject\r\n - api: KeDelayExecutionThread\r\n - and:\r\n - os: linux\r\n - or:\r\n - api: sleep\r\n - api: usleep\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368924448 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": 
false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368924554 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368952779 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": 
"statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368952803 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368844166 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368844171 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", 
"value": 5368914432 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914514 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], 
- "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5369002064 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369002067 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - 
"locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368951296 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 
5368951317 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5369000118 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", 
"api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369000134 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5369000497 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369000506 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } 
- }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368908237 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" 
} - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368908249 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368908692 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - 
"node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368908704 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5369001893 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369001903 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368955764 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "usleep" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - 
"node": { "type": "feature", "feature": { "type": "api", "api": "Sleep" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SleepEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955788 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SignalObjectAndWait" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForSingleObjectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegisterWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WaitOnAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjects" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "MsgWaitForMultipleObjectsEx" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtDelayExecution" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeWaitForSingleObject" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "KeDelayExecutionThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "open process": { - "meta": { - "name": "open process", - "authors": ["0x534a@mailbox.org"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Process", "Open Process"], - "objective": "Process", - "behavior": "Open Process", - "method": "", - "id": "C0065" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 17-02.dll_:0x1000D10D"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: open process\r\n authors:\r\n - 0x534a@mailbox.org\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Process::Open Process [C0065]\r\n examples:\r\n - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D\r\n features:\r\n - or:\r\n - api: kernel32.OpenProcess\r\n - api: NtOpenProcess\r\n - api: ZwOpenProcess\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368951918 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951944 }], - "captures": {} - }, - { - "success": 
false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368863684 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863698 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368953892 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953943 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368950804 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950815 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368993008 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368993126 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368906656 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368906713 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", 
"feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368955014 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenProcess" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955040 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenProcess" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "allocate memory": { - "meta": { - "name": "allocate memory", - "authors": ["0x534a@mailbox.org", "@mr-tz"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Memory", "Allocate Memory"], - "objective": "Memory", - "behavior": "Allocate Memory", - "method": "", - "id": "C0007" - } - ], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 03-03.exe_:0x4010EA", - "563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA" - ], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: allocate memory\r\n authors:\r\n - 0x534a@mailbox.org\r\n - \"@mr-tz\"\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Memory::Allocate Memory [C0007]\r\n examples:\r\n - Practical Malware Analysis Lab 03-03.exe_:0x4010EA\r\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA # ntdll.NtAllocateVirtualMemory\r\n features:\r\n - or:\r\n - api: 
kernel32.VirtualAlloc\r\n - api: kernel32.VirtualAllocEx\r\n - api: kernel32.VirtualAllocExNuma\r\n - api: NtAllocateVirtualMemory\r\n - api: ZwAllocateVirtualMemory\r\n - api: NtMapViewOfSection\r\n - api: ZwMapViewOfSection\r\n - and:\r\n - match: link function at runtime on Windows\r\n - or:\r\n - string: \"VirtualAlloc\"\r\n - string: \"VirtualAllocEx\"\r\n - string: \"VirtualAllocExNuma\"\r\n - string: \"NtAllocateVirtualMemory\"\r\n - string: \"ZwAllocateVirtualMemory\"\r\n - string: \"NtMapViewOfSection\"\r\n - string: \"ZwMapViewOfSection\"\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368952263 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368952388 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368953985 }, - { - "success": true, - "node": { "type": 
"statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954085 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - 
"type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368911264 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911349 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368911394 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911413 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368839184 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839314 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368950968 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951096 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368910688 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910773 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368910818 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910837 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368838128 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368838196 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368909568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909660 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368909711 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909730 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368841536 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368841679 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368912320 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912405 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368912450 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912469 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368955356 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "VirtualAlloc" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955481 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwAllocateVirtualMemory" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "allocate or change RW memory": { - "meta": { - "name": "allocate or change RW memory", - "authors": ["0x534a@mailbox.org", "@mr-tz"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Memory", "Allocate Memory"], - "objective": "Memory", - "behavior": "Allocate Memory", - "method": "", - "id": "C0007" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 17-02.dll_:0x1000D10D"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: allocate or change RW memory\r\n authors:\r\n - 0x534a@mailbox.org\r\n - \"@mr-tz\"\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Memory::Allocate Memory [C0007]\r\n examples:\r\n - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D\r\n features:\r\n - and:\r\n - or:\r\n - match: allocate memory\r\n - match: change memory protection\r\n - or:\r\n - number: 0x4 = PAGE_READWRITE\r\n # lea r9d, [rcx+4] ; flProtect\r\n # call cs:VirtualAlloc\r\n - instruction:\r\n - mnemonic: lea\r\n - offset: 0x4 = PAGE_READWRITE\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368952263 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": 
true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368952388 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - 
"type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368952263 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" 
} - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368952361 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368953985 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954085 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - 
"locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368953985 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954055 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368911264 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911349 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, 
- "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368911264 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911330 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368950968 }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951096 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], 
- "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950968 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { 
"type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951069 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368910688 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910773 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368910688 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910754 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368910818 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", 
"value": 5368910837 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - 
"type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368910818 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910818 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - 
"locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368838128 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368838196 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { 
- "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368838128 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - 
"locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368838177 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368909568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909660 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": 
[], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368909568 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909641 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368909711 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": 
true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909730 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": 
"VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368909711 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909711 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW 
memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368841536 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368841679 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368841536 }], - "captures": {} - 
}, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368841634 }, - { "type": "absolute", "value": 5368841663 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368913856 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtect" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368913965 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtectEx" } - 
}, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtect" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtProtectVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwProtectVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368913856 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - 
"success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368913950 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368912320 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912405 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368912320 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912386 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368912450 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912469 }], - "captures": {} 
- }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": 
"VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368912450 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912450 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - 
} - ], - [ - { "type": "absolute", "value": 5368955356 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955481 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { 
- "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368955356 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], 
- "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 4, "description": "PAGE_READWRITE" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955454 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get Program Files directory": { - "meta": { - "name": "get Program Files directory", - "namespace": "host-interaction/file-system", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "File and Directory Discovery"], - "tactic": "Discovery", - "technique": "File and Directory Discovery", - "subtechnique": "", - "id": "T1083" - } - ], - "mbc": [], - "references": [], - "examples": ["BC452CC1128CCF7FA9F76D83CDA79132740414973600FED14509749FE946816E:0x407880"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get Program Files directory\r\n namespace: host-interaction/file-system\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n att&ck:\r\n - Discovery::File and Directory Discovery [T1083]\r\n examples:\r\n - BC452CC1128CCF7FA9F76D83CDA79132740414973600FED14509749FE946816E:0x407880\r\n features:\r\n - and:\r\n - or:\r\n - number: 0x26 = CSIDL_PROGRAM_FILES\r\n - number: 0x2A = CSIDL_PROGRAM_FILESX86\r\n - or:\r\n - api: shell32.SHGetFolderPath\r\n - api: shell32.SHGetFolderLocation\r\n - api: shell32.SHGetSpecialFolderPath\r\n - api: 
shell32.SHGetSpecialFolderLocation\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368935773 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 38, - "description": "CSIDL_PROGRAM_FILES" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368935776 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 42, - "description": "CSIDL_PROGRAM_FILESX86" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368935788 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368945965 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - 
"node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 38, - "description": "CSIDL_PROGRAM_FILES" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368945968 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 42, - "description": "CSIDL_PROGRAM_FILESX86" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368945980 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "create or open registry key": { - "meta": { - "name": "create or open registry key", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Operating System", "Registry", "Create Registry Key"], - "objective": "Operating System", - "behavior": "Registry", - "method": "Create 
Registry Key", - "id": "C0036.004" - }, - { - "parts": ["Operating System", "Registry", "Open Registry Key"], - "objective": "Operating System", - "behavior": "Registry", - "method": "Open Registry Key", - "id": "C0036.003" - } - ], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 03-02.dll_:0x10004706", - "Practical Malware Analysis Lab 11-01.exe_:0x401000", - "493167E85E45363D09495D0841C30648:0x404D60", - "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2", - "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E", - "692f7fd6d198e804d6af98eb9e390d61:0x6000003" - ], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: create or open registry key\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Operating System::Registry::Create Registry Key [C0036.004]\r\n - Operating System::Registry::Open Registry Key [C0036.003]\r\n examples:\r\n - Practical Malware Analysis Lab 03-02.dll_:0x10004706\r\n - Practical Malware Analysis Lab 11-01.exe_:0x401000\r\n - 493167E85E45363D09495D0841C30648:0x404D60\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E\r\n - 692f7fd6d198e804d6af98eb9e390d61:0x6000003\r\n features:\r\n - or:\r\n - api: advapi32.RegOpenKey\r\n - api: advapi32.RegOpenKeyEx\r\n - api: advapi32.RegCreateKey\r\n - api: advapi32.RegCreateKeyEx\r\n - api: advapi32.RegOpenCurrentUser\r\n - api: advapi32.RegOpenKeyTransacted\r\n - api: advapi32.RegOpenUserClassesRoot\r\n - api: advapi32.RegCreateKeyTransacted\r\n - api: ZwOpenKey\r\n - api: ZwOpenKeyEx\r\n - api: ZwCreateKey\r\n - api: ZwOpenKeyTransacted\r\n - api: ZwOpenKeyTransactedEx\r\n - api: ZwCreateKeyTransacted\r\n - api: NtOpenKey\r\n - api: NtCreateKey\r\n - api: SHRegOpenUSKey\r\n - api: SHRegCreateUSKey\r\n - api: RtlCreateRegistryKey\r\n - api: 
Microsoft.Win32.RegistryKey::OpenSubKey\r\n - api: Microsoft.Win32.RegistryKey::OpenBaseKey\r\n - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey\r\n - api: Microsoft.Win32.RegistryKey::CreateSubKey\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368984512 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegOpenKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegOpenKeyEx" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368984654 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenCurrentUser" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenUserClassesRoot" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenKey" } }, - "children": [], - "locations": [], - "captures": {} 
- }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenKeyEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransactedEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegOpenUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegCreateUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateRegistryKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::OpenSubKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": 
{ - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::OpenBaseKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::OpenRemoteBaseKey" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::CreateSubKey" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368984784 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegOpenKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegOpenKeyEx" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368984936 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RegCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenCurrentUser" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenUserClassesRoot" 
} - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenKeyEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransactedEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateKey" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegOpenUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegCreateUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateRegistryKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::OpenSubKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::OpenBaseKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::OpenRemoteBaseKey" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::CreateSubKey" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get process image filename": { - "meta": { - "name": "get process image filename", - "namespace": "host-interaction/process", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [], - "mbc": [], - "references": [], - "examples": [], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "# generated using capa explorer for IDA Pro\r\nrule:\r\n meta:\r\n name: get process image filename\r\n namespace: host-interaction/process\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n features:\r\n - or:\r\n - and:\r\n - os: windows\r\n - or:\r\n - api: kernel32.K32GetProcessImageFileName\r\n - api: kernel32.GetProcessImageFileName\r\n - and:\r\n - api: System.Diagnostics.Process::GetCurrentProcess\r\n - property/read: System.Diagnostics.Process::MainModule\r\n - 
property/read: System.Diagnostics.ProcessModule::FileName\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368863767 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32GetProcessImageFileName" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863804 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcessImageFileName" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::GetCurrentProcess" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::MainModule" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModule::FileName" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - 
"locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368881759 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32GetProcessImageFileName" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368881799 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcessImageFileName" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::GetCurrentProcess" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::MainModule" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModule::FileName" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ 
- { "type": "absolute", "value": 5368815130 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32GetProcessImageFileName" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815130 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcessImageFileName" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::GetCurrentProcess" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::MainModule" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModule::FileName" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5369002823 }, 
- { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32GetProcessImageFileName" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369002823 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcessImageFileName" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::GetCurrentProcess" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::MainModule" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModule::FileName" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "open thread": { - "meta": { - "name": "open thread", - "authors": 
["0x534a@mailbox.org"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Process", "Open Thread"], - "objective": "Process", - "behavior": "Open Thread", - "method": "", - "id": "C0066" - } - ], - "references": [], - "examples": ["787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: open thread\r\n authors:\r\n - 0x534a@mailbox.org\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Process::Open Thread [C0066]\r\n examples:\r\n - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C\r\n features:\r\n - or:\r\n - api: kernel32.OpenThread\r\n - api: NtOpenThread\r\n - api: ZwOpenThread\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368954290 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenThread" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954304 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenThread" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenThread" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368978428 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "OpenThread" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978439 }], - "captures": {} - }, - { - "success": 
false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenThread" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenThread" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get Explorer PID": { - "meta": { - "name": "get Explorer PID", - "namespace": "host-interaction/process/list", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ParentProcess.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x425210"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get Explorer PID\r\n namespace: host-interaction/process/list\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ParentProcess.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x425210\r\n features:\r\n - and:\r\n - api: GetShellWindow\r\n - api: GetWindowThreadProcessId\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368857936 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetShellWindow" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858002 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "GetWindowThreadProcessId" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858015 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "allocate or change RWX memory": { - "meta": { - "name": "allocate or change RWX memory", - "namespace": "host-interaction/process/inject", - "authors": ["@mr-tz"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Memory", "Allocate Memory"], - "objective": "Memory", - "behavior": "Allocate Memory", - "method": "", - "id": "C0007" - } - ], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 03-03.exe_:0x4010EA", - "563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: allocate or change RWX memory\r\n namespace: host-interaction/process/inject\r\n authors:\r\n - \"@mr-tz\"\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n mbc:\r\n - Memory::Allocate Memory [C0007]\r\n examples:\r\n - Practical Malware Analysis Lab 03-03.exe_:0x4010EA\r\n # ntdll\r\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA\r\n features:\r\n - and:\r\n - or:\r\n - match: allocate memory\r\n - match: change memory protection\r\n - or:\r\n - number: 0x40 = PAGE_EXECUTE_READWRITE\r\n # lea r9d, [rcx+40h] ; flProtect\r\n # call cs:VirtualAlloc\r\n - instruction:\r\n - mnemonic: lea\r\n - offset: 0x40 = PAGE_EXECUTE_READWRITE\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368911394 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", 
"match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911413 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" 
} - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368911394 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - "description": "PAGE_EXECUTE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": 
"absolute", "value": 5368911394 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RWX memory/62333f7427bc4563bf67b6dee8a5a79c" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368839184 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839314 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": 
{} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368839184 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - "description": "PAGE_EXECUTE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839298 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RWX memory/62333f7427bc4563bf67b6dee8a5a79c" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for OutputDebugString error": { - "meta": { - "name": "check for OutputDebugString error", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection", "OutputDebugString"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "OutputDebugString", - "id": "B0001.016" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 16-02.exe_:0x401020"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for OutputDebugString error\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - 
michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]\r\n examples:\r\n - Practical Malware Analysis Lab 16-02.exe_:0x401020\r\n features:\r\n - and:\r\n - api: kernel32.SetLastError\r\n - api: kernel32.GetLastError\r\n - api: kernel32.OutputDebugString\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368844868 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "SetLastError" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368844871 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetLastError" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368844890 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368844884 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "create or open file": { - "meta": { - "name": "create or open file", - "authors": ["michael.hunhoff@mandiant.com", "joakim@intezer.com"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["File System", "Create File"], - "objective": "File System", - "behavior": "Create File", - "method": "", - "id": "C0016" - } - ], - "references": [], - "examples": ["B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: create or open file\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - joakim@intezer.com\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n 
mbc:\r\n - File System::Create File [C0016]\r\n examples:\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E\r\n features:\r\n - or:\r\n - api: CreateFile\r\n - api: CreateFileEx\r\n - api: IoCreateFile\r\n - api: IoCreateFileEx\r\n - api: ZwOpenFile\r\n - api: ZwCreateFile\r\n - api: NtOpenFile\r\n - api: NtCreateFile\r\n - api: LZCreateFile\r\n - api: LZOpenFile\r\n - api: fopen\r\n - api: fopen64\r\n - api: fdopen\r\n - api: freopen\r\n - api: open\r\n - api: openat\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368945480 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFile" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368945528 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFileEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "IoCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IoCreateFileEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateFile" } }, - "children": 
[], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen64" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fdopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "freopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "open" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "openat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368935273 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFile" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368935321 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFileEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", 
"feature": { "type": "api", "api": "IoCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IoCreateFileEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen64" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fdopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "freopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": 
"feature", "feature": { "type": "api", "api": "open" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "openat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368919549 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFile" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368919649 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFileEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "IoCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IoCreateFileEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZCreateFile" } }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen64" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fdopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "freopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "open" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "openat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368919951 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFile" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368919997 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFileEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "IoCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "IoCreateFileEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen64" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fdopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "freopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "open" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": 
"feature", "feature": { "type": "api", "api": "openat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368920205 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFile" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920251 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateFileEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "IoCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IoCreateFileEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "ZwCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtOpenFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "NtCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZCreateFile" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "LZOpenFile" } }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fopen64" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fdopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "freopen" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "open" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "openat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "PEB access": { - "meta": { - "name": "PEB access", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "Process Environment Block" - ], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Process Environment Block", - "id": "B0001.019" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x420D20"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: PEB access\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported # requires characteristic, offset, mnemonic features\r\n 
mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x420D20\r\n features:\r\n - or:\r\n - characteristic: peb access\r\n - and:\r\n # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41\r\n - arch: i386\r\n - characteristic: fs access\r\n - or:\r\n # in 0f5d5d07c6533bc6d991836ce79daaa1\r\n # then we have:\r\n #\r\n # xor edx, edx\r\n # mov edx, fs:[edx+30h]\r\n - offset: 0x30\r\n - instruction:\r\n # in the case of CallObfuscator, gs:[rax]\r\n - mnemonic: add\r\n - number: 0x30\r\n - and:\r\n - arch: amd64\r\n - characteristic: gs access\r\n - or:\r\n - offset: 0x60\r\n - instruction:\r\n - mnemonic: add\r\n - number: 0x60\r\n - and:\r\n # WoW64 PEB address is fetched via the WoW64 Thread Environment Block (TEB) at FS:[0x18]-0x2000\r\n # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L45\r\n - characteristic: fs access\r\n - instruction:\r\n - mnemonic: sub\r\n - number: 0x2000\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368914304 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914346 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": 
"PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914346 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368858838 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858838 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 
48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858838 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - 
"locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368858872 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": 
"subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": 
"absolute", "value": 5368858534 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858534 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": 
{ - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858534 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368858568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858568 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - }, - { - 
"success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858568 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368840336 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840394 }], - "captures": {} - }, - { - "success": 
false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": 
"gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840394 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368914080 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, 
- "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368921024 
}, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368921171 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": 
"statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368921171 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368837568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837610 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": 
[], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837610 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - 
"type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get file attributes": { - "meta": { - "name": "get file attributes", - "namespace": "host-interaction/file-system/meta", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["File System", "Get File Attributes"], - "objective": "File System", - "behavior": "Get File Attributes", - "method": "", - "id": "C0049" - } - ], - "references": [], - "examples": [ - "03B236B23B1EC37C663527C1F53AF3FE:0x180019824", - "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6", - "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4029E0" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get file attributes\r\n namespace: host-interaction/file-system/meta\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - File System::Get File Attributes [C0049]\r\n examples:\r\n - 03B236B23B1EC37C663527C1F53AF3FE:0x180019824\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4029E0\r\n features:\r\n - or:\r\n - api: kernel32.GetFileAttributes\r\n - api: ZwQueryDirectoryFile\r\n - api: ZwQueryInformationFile\r\n - api: NtQueryDirectoryFile\r\n - api: NtQueryInformationFile\r\n - api: System.IO.File::GetAttributes\r\n - api: System.IO.File::GetCreationTime\r\n - api: System.IO.File::GetCreationTimeUtc\r\n - api: System.IO.File::GetLastAccessTime\r\n - api: System.IO.File::GetLastAccessTimeUtc\r\n - api: System.IO.File::GetLastWriteTime\r\n - api: System.IO.File::GetLastWriteTimeUtc\r\n - 
property/read: System.IO.FileSystemInfo::Attributes\r\n - api: stat\r\n - api: fstat\r\n - api: lstat\r\n - api: fstatat\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368997776 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetFileAttributes" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997837 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQueryDirectoryFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQueryInformationFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueryDirectoryFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueryInformationFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetAttributes" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetCreationTime" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetCreationTimeUtc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastAccessTime" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastAccessTimeUtc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastWriteTime" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastWriteTimeUtc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.FileSystemInfo::Attributes" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "stat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fstat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "lstat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fstatat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368997936 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetFileAttributes" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997997 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", 
- "feature": { "type": "api", "api": "ZwQueryDirectoryFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQueryInformationFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueryDirectoryFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueryInformationFile" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetAttributes" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetCreationTime" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetCreationTimeUtc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastAccessTime" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastAccessTimeUtc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastWriteTime" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::GetLastWriteTimeUtc" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.FileSystemInfo::Attributes" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "stat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fstat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "lstat" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "fstatat" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for trap flag exception": { - "meta": { - "name": "check for trap flag exception", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "", - "id": "B0001" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x431680", "al-khaser_x64.exe_:0x140030CB0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for trap flag exception\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported # requires mnemonic 
features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection [B0001]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x431680\r\n - al-khaser_x64.exe_:0x140030CB0\r\n features:\r\n - and:\r\n - or:\r\n - description: read/write EFLAGS register\r\n - and:\r\n - mnemonic: pushf\r\n - mnemonic: popf\r\n - and:\r\n - mnemonic: pushfd\r\n - mnemonic: popfd\r\n - and:\r\n - mnemonic: pushfq\r\n - mnemonic: popfq\r\n - or:\r\n - description: set trap flag\r\n - instruction:\r\n - mnemonic: or\r\n - number: 0x100\r\n - instruction:\r\n - mnemonic: bts\r\n - number: 0x8\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368908976 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "set trap flag" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check for trap flag exception/9ab3bbf6e8a8413499c9b03fa20f8cac" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "bts" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909061 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 8 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909061 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", 
"value": 5368909061 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "read/write EFLAGS register" } - }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "pushf" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "popf" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "pushfd" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909050 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "popfd" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909075 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "pushfq" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "popfq" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "change memory protection": { - "meta": 
{ - "name": "change memory protection", - "authors": ["@mr-tz"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Memory", "Change Memory Protection"], - "objective": "Memory", - "behavior": "Change Memory Protection", - "method": "", - "id": "C0008" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 11-02.dll_:0x10001203"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: change memory protection\r\n authors:\r\n - \"@mr-tz\"\r\n lib: true\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Memory::Change Memory Protection [C0008]\r\n examples:\r\n - Practical Malware Analysis Lab 11-02.dll_:0x10001203\r\n features:\r\n - or:\r\n - api: kernel32.VirtualProtect\r\n - api: kernel32.VirtualProtectEx\r\n - api: NtProtectVirtualMemory\r\n - api: ZwProtectVirtualMemory\r\n - and:\r\n - match: link function at runtime on Windows\r\n - or:\r\n - string: \"VirtualProtect\"\r\n - string: \"VirtualProtectEx\"\r\n - string: \"NtProtectVirtualMemory\"\r\n - string: \"ZwProtectVirtualMemory\"\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368839341 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtect" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839386 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { 
"type": "api", "api": "ZwProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtect" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368913856 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtect" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368913965 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualProtectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - 
"node": { - "type": "feature", - "feature": { "type": "api", "api": "NtProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "link function at runtime on Windows" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtect" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "VirtualProtectEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NtProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ZwProtectVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "create thread": { - "meta": { - "name": "create thread", - "namespace": "host-interaction/thread/create", - "authors": [ - "moritz.raabe@mandiant.com", - "michael.hunhoff@mandiant.com", - "joakim@intezer.com", - "anushka.virgaonkar@mandiant.com" - ], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [], - "mbc": [ 
- { - "parts": ["Process", "Create Thread"], - "objective": "Process", - "behavior": "Create Thread", - "method": "", - "id": "C0038" - } - ], - "references": [], - "examples": [ - "946A99F36A46D335DEC080D9A4371940:0x10001DA0", - "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x408020" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: create thread\r\n namespace: host-interaction/thread/create\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n - joakim@intezer.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n mbc:\r\n - Process::Create Thread [C0038]\r\n examples:\r\n - 946A99F36A46D335DEC080D9A4371940:0x10001DA0\r\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x408020\r\n features:\r\n - or:\r\n - and:\r\n - os: windows\r\n - or:\r\n - api: kernel32.CreateThread\r\n - api: _beginthread\r\n - api: _beginthreadex\r\n - api: PsCreateSystemThread\r\n - api: SHCreateThread\r\n - api: SHCreateThreadWithHandle\r\n - api: kernel32.CreateRemoteThread\r\n - api: kernel32.CreateRemoteThreadEx\r\n - api: RtlCreateUserThread\r\n - api: ntdll.NtCreateThread\r\n - api: ntdll.NtCreateThreadEx\r\n - api: ntdll.ZwCreateThread\r\n - api: ntdll.ZwCreateThreadEx\r\n - and:\r\n - os: linux\r\n - api: pthread_create\r\n - and:\r\n - api: System.Threading.Thread::Start\r\n - optional:\r\n - api: System.Threading.Thread::ctor\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368951220 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", 
"api": "pthread_create" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::Start" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::ctor" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthreadex" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PsCreateSystemThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "api", "api": "SHCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThreadWithHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThread" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951265 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateUserThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368908512 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - 
"children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "os", "os": "linux" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "pthread_create" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::Start" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::ctor" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateThread" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368908592 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthreadex" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PsCreateSystemThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThreadWithHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateUserThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] 
- ] - }, - "check for unexpected memory writes": { - "meta": { - "name": "check for unexpected memory writes", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection", "Memory Write Watching"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Memory Write Watching", - "id": "B0001.010" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/WriteWatch.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x431EBC"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for unexpected memory writes\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: call\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/WriteWatch.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x431EBC\r\n features:\r\n - and:\r\n - api: kernel32.GetWriteWatch\r\n - number: 0x0\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368910906 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetWriteWatch" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910974 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "number", "number": 0 } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910911 }], - "captures": {} - } - ], - "locations": [], - "captures": 
{} - } - ], - [ - { "type": "absolute", "value": 5368910144 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetWriteWatch" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910180 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "number", "number": 0 } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368910156 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368912538 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetWriteWatch" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912608 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "number", "number": 0 } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368912549 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get process heap force flags": { - "meta": { - "name": "get process heap force flags", - "namespace": "host-interaction/process", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiDebug/ProcessHeap_ForceFlags.cpp#L14" - ], - "examples": ["al-khaser_x86.exe_:0x425470"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n 
meta:\r\n name: get process heap force flags\r\n namespace: host-interaction/process\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiDebug/ProcessHeap_ForceFlags.cpp#L14\r\n examples:\r\n - al-khaser_x86.exe_:0x425470\r\n features:\r\n - and:\r\n - match: PEB access\r\n - or:\r\n - and:\r\n - arch: i386\r\n - number: 0x18 = PEB->ProcessHeap\r\n - or:\r\n - number: 0x44 = ProcessHeap->ForceFlags >= Vista\r\n - number: 0x10 = ProcessHeap->ForceFlags < Vista\r\n - and:\r\n - arch: amd64\r\n - number: 0x30 = PEB->ProcessHeap\r\n - or:\r\n - number: 0x74 = ProcessHeap->ForceFlags >= Vista\r\n - number: 0x18 = ProcessHeap->ForceFlags < Vista\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368858838 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858838 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - 
"children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } 
- }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858838 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858838 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 68, - "description": "ProcessHeap->ForceFlags >= Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": 
{ - "type": "feature", - "feature": { - "type": "number", - "number": 16, - "description": "ProcessHeap->ForceFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 48, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858847 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 116, - "description": "ProcessHeap->ForceFlags >= Vista" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858862 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "ProcessHeap->ForceFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368858872 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } 
}, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": 
[{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": 
{ - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858896 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 68, - "description": "ProcessHeap->ForceFlags >= Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 16, - "description": "ProcessHeap->ForceFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 48, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 116, - "description": "ProcessHeap->ForceFlags >= Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - 
"type": "number", - "number": 24, - "description": "ProcessHeap->ForceFlags < Vista" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858896 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "access PEB ldr_data": { - "meta": { - "name": "access PEB ldr_data", - "namespace": "linking/runtime-linking", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [ - { - "parts": ["Execution", "Shared Modules"], - "tactic": "Execution", - "technique": "Shared Modules", - "subtechnique": "", - "id": "T1129" - } - ], - "mbc": [], - "references": [ - "https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm", - "https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8" - ], - "examples": ["3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: access PEB ldr_data\r\n namespace: linking/runtime-linking\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported # requires offset features\r\n att&ck:\r\n - Execution::Shared Modules [T1129]\r\n references:\r\n - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm\r\n - https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8\r\n examples:\r\n - 3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7\r\n features:\r\n - or:\r\n - and:\r\n - arch: i386\r\n - description: x32\r\n\r\n - match: PEB access\r\n\r\n # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0\r\n # checking for fs:0 and a (possibly unrelated) number or offset often results in false 
positives\r\n\r\n - offset: 0x0C = PEB.LDR_DATA\r\n\r\n - or:\r\n - description: resolve a module list\r\n - offset: 0x0C = PEB.LDR_DATA.InLoadOrderModuleList\r\n - offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList\r\n - offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList\r\n\r\n - and:\r\n - arch: amd64\r\n - description: x64\r\n\r\n - match: PEB access\r\n\r\n - offset: 0x18 = PEB.LDR_DATA\r\n\r\n - or:\r\n - description: resolve a module list\r\n - offset: 0x10 = PEB.LDR_DATA.InLoadOrderModuleList\r\n - offset: 0x20 = PEB.LDR_DATA.InMemoryOrderModuleList\r\n - offset: 0x30 = PEB.LDR_DATA.InInitializationOrderModuleList\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368858872 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x32" } - }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - 
"match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - 
"success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 12, "description": "PEB.LDR_DATA" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 20, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - 
"type": "feature", - "feature": { - "type": "offset", - "offset": 28, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x64" } - }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": 
"or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 24, "description": "PEB.LDR_DATA" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858896 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 16, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 32, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368914080 }, - { - "success": true, - "node": { 
"type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x32" } - }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "i386" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - 
{ - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914080 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 12, "description": "PEB.LDR_DATA" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - 
"node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 20, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 28, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x64" } - }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "arch", "arch": "amd64" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914080 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 24, "description": "PEB.LDR_DATA" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914151 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 16, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 32, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914090 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get kernel32 
base address": { - "meta": { - "name": "get kernel32 base address", - "namespace": "linking/runtime-linking", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [ - { - "parts": ["Execution", "Shared Modules"], - "tactic": "Execution", - "technique": "Shared Modules", - "subtechnique": "", - "id": "T1129" - } - ], - "mbc": [], - "references": [ - "https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html", - "https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm" - ], - "examples": ["67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d:0x406936"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get kernel32 base address\r\n namespace: linking/runtime-linking\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported # requires offset features\r\n att&ck:\r\n - Execution::Shared Modules [T1129]\r\n references:\r\n - https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html\r\n - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm\r\n examples:\r\n - 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d:0x406936\r\n features:\r\n - and:\r\n # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink\r\n - match: access PEB ldr_data\r\n # -> current module -> ntdll\r\n - count(offset(0)): 2\r\n # -> kernel32 -> LDR_DATA_TABLE_ENTRY.DllBase\r\n - or:\r\n - and:\r\n - arch: i386\r\n - offset: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase\r\n - and:\r\n - arch: amd64\r\n - offset: 0x30 = LDR_DATA_TABLE_ENTRY.DllBase\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368858872 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", 
"match": "access PEB ldr_data" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x32" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": true, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "subscope", - "scope": "instruction" - } - }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "mnemonic", - "mnemonic": "add" - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 20, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 28, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x64" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": 
{} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "subscope", - "scope": "instruction" - } - }, - 
"children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "mnemonic", - "mnemonic": "add" - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [ - { "type": "absolute", "value": 5368858881 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ 
"type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 24, - "description": "PEB.LDR_DATA" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858896 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 16, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 32, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858872 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 2, - "child": { "type": "offset", "offset": 0 } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368858872 }, - { "type": "absolute", "value": 5368858893 } - ], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - 
"node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 24, - "description": "LDR_DATA_TABLE_ENTRY.DllBase" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858896 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "LDR_DATA_TABLE_ENTRY.DllBase" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858881 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368914080 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "access PEB ldr_data" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x32" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ 
- { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368914227 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": 
[], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914080 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 20, - 
"description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 28, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "x64" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368914227 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914122 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - 
"locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914080 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 24, - "description": "PEB.LDR_DATA" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914151 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "or", "description": "resolve a module list" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 16, - "description": "PEB.LDR_DATA.InLoadOrderModuleList" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 32, - "description": "PEB.LDR_DATA.InMemoryOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914090 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "PEB.LDR_DATA.InInitializationOrderModuleList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914080 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 2, - "child": { "type": "offset", "offset": 0 } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368914241 }, - { "type": "absolute", "value": 5368914122 } - ], - "captures": {} - }, - { - "success": true, - "node": { "type": 
"statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 24, - "description": "LDR_DATA_TABLE_ENTRY.DllBase" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914151 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 48, - "description": "LDR_DATA_TABLE_ENTRY.DllBase" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914227 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "interact with driver via IOCTL": { - "meta": { - "name": "interact with driver via IOCTL", - "namespace": "host-interaction/driver", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [], - "mbc": [], - "references": [], - "examples": ["Practical Malware Analysis Lab 10-03.exe_:0x40108c"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: interact with driver via IOCTL\r\n namespace: host-interaction/driver\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: basic block\r\n 
dynamic: thread\r\n examples:\r\n - Practical Malware Analysis Lab 10-03.exe_:0x40108c\r\n features:\r\n - or:\r\n - api: DeviceIoControl\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368919737 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "DeviceIoControl" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368919808 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368920014 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "DeviceIoControl" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920064 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368920268 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "DeviceIoControl" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920318 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get process heap flags": { - "meta": { - "name": "get process heap flags", - "namespace": "host-interaction/process", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiDebug/ProcessHeap_Flags.cpp#L13" - ], 
- "examples": ["al-khaser_x86.exe_:0x425470"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get process heap flags\r\n namespace: host-interaction/process\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiDebug/ProcessHeap_Flags.cpp#L13\r\n examples:\r\n - al-khaser_x86.exe_:0x425470\r\n features:\r\n - and:\r\n - match: PEB access\r\n - or:\r\n - and:\r\n - arch: i386\r\n - number: 0x18 = PEB->ProcessHeap\r\n - or:\r\n - number: 0x40 = ProcessHeap->HeapFlags >= Vista\r\n - number: 0xC = ProcessHeap->HeapFlags < Vista\r\n - and:\r\n - arch: amd64\r\n - number: 0x30 = PEB->ProcessHeap\r\n - or:\r\n - number: 0x70 = ProcessHeap->HeapFlags >= Vista\r\n - number: 0x14 = ProcessHeap->HeapFlags < Vista\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368858534 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858534 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": 
{ "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858534 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858534 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - 
"description": "ProcessHeap->HeapFlags >= Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 12, - "description": "ProcessHeap->HeapFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 48, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858543 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 112, - "description": "ProcessHeap->HeapFlags >= Vista" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858558 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 20, - "description": "ProcessHeap->HeapFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368858568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { 
"type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858568 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ 
- { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 48 } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858568 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368858568 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - "description": "ProcessHeap->HeapFlags >= Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 12, - "description": "ProcessHeap->HeapFlags < Vista" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 48, - "description": "PEB->ProcessHeap" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858577 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 112, - "description": "ProcessHeap->HeapFlags >= Vista" - } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 20, - "description": "ProcessHeap->HeapFlags < Vista" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368858592 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "acquire debug privileges": { - "meta": { - "name": "acquire debug privileges", - "namespace": "host-interaction/process/modify", - "authors": ["william.ballenthin@mandiant.com"], - "scopes": { "static": "basic block", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Privilege Escalation", "Access Token Manipulation"], - "tactic": "Privilege Escalation", - "technique": "Access Token Manipulation", - "subtechnique": "", - "id": "T1134" - } - ], - "mbc": [], - "references": [], - "examples": ["Practical Malware Analysis Lab 01-04.exe_:0x401174"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: acquire debug privileges\r\n namespace: host-interaction/process/modify\r\n authors:\r\n - william.ballenthin@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: thread\r\n att&ck:\r\n - Privilege Escalation::Access Token Manipulation [T1134]\r\n examples:\r\n - Practical Malware Analysis Lab 01-04.exe_:0x401174\r\n features:\r\n - and:\r\n - string: \"SeDebugPrivilege\"\r\n - optional:\r\n - match: modify access privileges\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368985322 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "SeDebugPrivilege" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368985363 
}], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "modify access privileges" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for PEB BeingDebugged flag": { - "meta": { - "name": "check for PEB BeingDebugged flag", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "basic block" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "Process Environment Block BeingDebugged" - ], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Process Environment Block BeingDebugged", - "id": "B0001.035" - } - ], - "references": ["Practical Malware Analysis, Chapter 16, p. 353"], - "examples": ["Practical Malware Analysis Lab 16-01.exe_:0x403530"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for PEB BeingDebugged flag\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: basic block\r\n dynamic: unsupported # requires offset features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]\r\n references:\r\n - Practical Malware Analysis, Chapter 16, p. 
353\r\n examples:\r\n - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n features:\r\n - and:\r\n - match: PEB access\r\n - offset: 2 = PEB.BeingDebugged\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368837568 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "peb access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837610 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "fs access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "gs access" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837610 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368837568 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 2, "description": "PEB.BeingDebugged" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837627 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "contain loop": 
{ - "meta": { - "name": "contain loop", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [], - "references": [], - "examples": ["08AC667C65D36D6542917655571E61C8:0x406EAA"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: contain loop\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n lib: true\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires characteristic features\r\n examples:\r\n - 08AC667C65D36D6542917655571E61C8:0x406EAA\r\n features:\r\n - or:\r\n - characteristic: loop\r\n - characteristic: tight loop\r\n - characteristic: recursive call\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811525 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811525 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811540 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", 
"characteristic": "tight loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369005249 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811565 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811565 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811670 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811670 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - 
], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811675 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811675 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811695 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811695 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811765 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - 
"children": [], - "locations": [{ "type": "absolute", "value": 5368811765 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811770 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811770 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811805 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811805 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - 
"type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811810 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811810 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811875 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811875 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811990 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": 
"or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368811990 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812020 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812020 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812035 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812100 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812100 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812120 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812120 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812140 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812140 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812150 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812150 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368812230 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812285 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812285 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812340 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812340 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812360 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812360 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812395 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812395 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812480 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812480 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812590 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812590 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812670 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812670 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812845 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812845 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812875 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812875 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812935 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812935 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812990 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812990 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368813035 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813155 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813155 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813175 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813175 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813195 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813195 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813200 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813200 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813235 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813235 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813275 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813275 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813285 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813285 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813315 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813315 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813335 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813335 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813355 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813355 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813395 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813395 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813420 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368813420 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813445 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813445 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813465 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813465 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813590 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813590 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813600 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813600 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813665 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813665 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813670 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813670 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813680 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813680 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813700 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813700 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813705 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813705 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813710 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813710 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813770 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813770 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813840 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368813840 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813895 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813895 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813990 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368813990 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814035 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814135 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814135 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814180 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814180 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814230 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814240 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814240 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814300 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814300 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814315 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814315 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814455 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814455 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814555 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814555 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814590 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368814590 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814640 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814640 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814735 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814735 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814800 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814800 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814820 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814820 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814865 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814865 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814895 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814895 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814935 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814935 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815005 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815005 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815040 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815040 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815090 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815090 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815170 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815170 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815190 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368815190 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815210 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815210 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815230 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815315 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815315 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815340 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815340 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815350 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815350 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815435 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815435 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815440 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815440 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815480 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815480 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815655 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815655 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815675 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815675 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815690 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815690 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815715 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368815715 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815890 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815890 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815960 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815960 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815970 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368815970 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816010 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816010 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816060 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816060 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816100 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816100 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816105 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816105 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816165 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816165 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816215 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816215 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816230 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816320 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816320 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816445 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368816445 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816500 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368816500 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368882832 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368882832 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368891376 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368891376 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368891792 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368891792 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368960864 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - 
"children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368960864 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368986896 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368986896 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368987312 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368987312 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "recursive call" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "link function at runtime on Windows": { - "meta": { - "name": "link function at runtime on Windows", - "namespace": "linking/runtime-linking", - "authors": ["moritz.raabe@mandiant.com", "michael.hunhoff@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [ - { - "parts": ["Execution", "Shared Modules"], - "tactic": "Execution", - "technique": "Shared Modules", - "subtechnique": "", - "id": "T1129" - } - ], - "mbc": [], - "references": [], - "examples": [ - "9324D1A8AE37A36AE560C37448C9705A:0x404130", - "Practical Malware Analysis Lab 01-04.exe_:0x401350" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: link function at runtime on Windows\r\n namespace: linking/runtime-linking\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires characteristic features\r\n att&ck:\r\n - Execution::Shared Modules [T1129]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x404130\r\n - Practical Malware Analysis Lab 01-04.exe_:0x401350\r\n features:\r\n - and:\r\n - os: windows\r\n - or:\r\n - api: kernel32.GetProcAddress\r\n - api: ntdll.LdrGetProcedureAddress\r\n - optional:\r\n - characteristic: indirect call\r\n - api: kernel32.LoadLibrary\r\n - api: kernel32.GetModuleHandle\r\n - api: kernel32.GetModuleHandleEx\r\n - api: ntdll.LdrLoadDll\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811525 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - 
"success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840106 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811715 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - 
{ - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368952128 }, - { "type": "absolute", "value": 5368952218 }, - { "type": "absolute", "value": 5368952092 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368952738 }, - { "type": "absolute", "value": 5368952701 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368952036 }, - { "type": "absolute", "value": 5368951990 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], 
- "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812020 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369019487 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": 
[], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812360 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953850 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953782 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813155 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368958816 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368958750 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": 
{ - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813180 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949789 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949745 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813750 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950923 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950861 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" 
} - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816245 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368955221 }, - { "type": "absolute", "value": 5368955133 }, - { "type": "absolute", "value": 5368955311 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368955723 }, - { "type": "absolute", "value": 5368955686 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"GetModuleHandle" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368955153 }, - { "type": "absolute", "value": 5368955083 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816460 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368956489 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrGetProcedureAddress" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LoadLibrary" } - }, - "children": [], - "locations": [{ "type": 
"absolute", "value": 5368956421 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LdrLoadDll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for unmoving mouse cursor": { - "meta": { - "name": "check for unmoving mouse cursor", - "namespace": "anti-analysis/anti-vm/vm-detection", - "authors": ["BitsOfBinary"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": [ - "Defense Evasion", - "Virtualization/Sandbox Evasion", - "User Activity Based Checks" - ], - "tactic": "Defense Evasion", - "technique": "Virtualization/Sandbox Evasion", - "subtechnique": "User Activity Based Checks", - "id": "T1497.002" - } - ], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Virtual Machine Detection", "Human User Check"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Virtual Machine Detection", - "method": "Human User Check", - "id": "B0009.012" - } - ], - "references": ["https://www.joesecurity.org/blog/5852460122427342172"], - "examples": ["d7ff81ff775d4ab50d31ac1e962c8c4dea7ff9f280aa2b42ddd06760a5665002:0x401118"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for unmoving mouse cursor\r\n namespace: anti-analysis/anti-vm/vm-detection\r\n authors:\r\n - BitsOfBinary\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Defense Evasion::Virtualization/Sandbox Evasion::User 
Activity Based Checks [T1497.002]\r\n mbc:\r\n - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]\r\n references:\r\n - https://www.joesecurity.org/blog/5852460122427342172\r\n examples:\r\n - d7ff81ff775d4ab50d31ac1e962c8c4dea7ff9f280aa2b42ddd06760a5665002:0x401118\r\n features:\r\n - and:\r\n - count(api(user32.GetCursorPos)): 2 or more\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811655 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 9223372036854775808, - "child": { "type": "api", "api": "GetCursorPos" } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368924564 }, - { "type": "absolute", "value": 5368924543 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "reference WMI statements": { - "meta": { - "name": "reference WMI statements", - "namespace": "collection/database/wmi", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Collection", "Data from Information Repositories"], - "tactic": "Collection", - "technique": "Data from Information Repositories", - "subtechnique": "", - "id": "T1213" - } - ], - "mbc": [], - "references": [], - "examples": ["al-khaser_x86.exe_:0x433490"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: reference WMI statements\r\n namespace: collection/database/wmi\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Collection::Data from Information Repositories [T1213]\r\n examples:\r\n - al-khaser_x86.exe_:0x433490\r\n features:\r\n - or:\r\n - string: /SELECT\\s+\\*\\s+FROM\\s+CIM_./\r\n - string: 
/SELECT\\s+\\*\\s+FROM\\s+Win32_./\r\n - string: /SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811695 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368941125 }], - "captures": { - "SELECT * FROM Win32_PnPEntity": [{ "type": "absolute", "value": 5368941125 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811755 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368915850 }], - "captures": { - "SELECT * FROM CIM_Sensor": [{ "type": "absolute", "value": 5368915850 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", 
"value": 5368811810 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368939285 }], - "captures": { - "SELECT * FROM Win32_NetworkAdapterConfiguration": [ - { "type": "absolute", "value": 5368939285 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368811875 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368922549 }], - "captures": { - "SELECT * FROM Win32_ComputerSystem": [ - { "type": "absolute", "value": 5368922549 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812110 }, - { - "success": true, - "node": { "type": "statement", "statement": { 
"type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368925402 }], - "captures": { - "SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation": [ - { "type": "absolute", "value": 5368925402 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812120 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368936139 }], - "captures": { - "SELECT * FROM Win32_NTEventlogFile": [ - { "type": "absolute", "value": 5368936139 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812330 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - 
"type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368915738 }], - "captures": { - "SELECT * FROM CIM_PhysicalConnector": [ - { "type": "absolute", "value": 5368915738 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812485 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368925626 }], - "captures": { - "SELECT * FROM Win32_PortConnector": [{ "type": "absolute", "value": 5368925626 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812615 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": 
[], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368928522 }], - "captures": { - "SELECT * FROM Win32_SMBIOSMemory": [{ "type": "absolute", "value": 5368928522 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812670 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368926085 }], - "captures": { - "SELECT * FROM Win32_Processor": [{ "type": "absolute", "value": 5368926085 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812785 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368915626 }], - "captures": { - "SELECT * FROM CIM_NumericSensor": [{ "type": 
"absolute", "value": 5368915626 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813040 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914666 }], - "captures": { - "SELECT * FROM Win32_CacheMemory": [{ "type": "absolute", "value": 5368914666 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813195 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 
5368940229 }], - "captures": { - "SELECT * FROM Win32_PnPEntity": [{ "type": "absolute", "value": 5368940229 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813395 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368941797 }], - "captures": { - "SELECT * FROM Win32_PnPDevice": [{ "type": "absolute", "value": 5368941797 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813445 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368923813 }], - "captures": { - "SELECT * FROM Win32_ComputerSystem": [ - { "type": "absolute", "value": 5368923813 } - ] - } - }, - 
{ - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813505 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368915514 }], - "captures": { - "SELECT * FROM CIM_Memory": [{ "type": "absolute", "value": 5368915514 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813695 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368923610 }], - "captures": { - "SELECT * FROM Win32_MemoryDevice": [{ "type": "absolute", "value": 5368923610 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } 
- }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813705 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368927061 }], - "captures": { - "SELECT * FROM Win32_BIOS": [{ "type": "absolute", "value": 5368927061 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813820 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368925514 }], - "captures": { - "SELECT * FROM Win32_PhysicalMemory": [ - { "type": "absolute", "value": 5368925514 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { 
"type": "absolute", "value": 5368814240 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368918694 }], - "captures": { - "SELECT * FROM Win32_LogicalDisk": [{ "type": "absolute", "value": 5368918694 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814435 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368923498 }], - "captures": { - "SELECT * FROM Win32_MemoryArray": [{ "type": "absolute", "value": 5368923498 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814455 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } 
}, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368916399 }], - "captures": { - "SELECT * FROM Win32_Fan": [{ "type": "absolute", "value": 5368916399 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814970 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368915962 }], - "captures": { - "SELECT * FROM CIM_Slot": [{ "type": "absolute", "value": 5368915962 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815090 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": 
"/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368934293 }], - "captures": { - "SELECT * FROM Win32_Bus": [{ "type": "absolute", "value": 5368934293 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815340 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368924837 }], - "captures": { - "SELECT * FROM Win32_Processor": [{ "type": "absolute", "value": 5368924837 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815870 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368916186 }], - "captures": { - 
"SELECT * FROM CIM_VoltageSensor": [{ "type": "absolute", "value": 5368916186 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816215 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368933334 }], - "captures": { - "SELECT * FROM Win32_BaseBoard": [{ "type": "absolute", "value": 5368933334 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816225 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368928810 }], - "captures": { - "SELECT * FROM Win32_VoltageProbe": [{ "type": "absolute", "value": 5368928810 }] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816500 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368917781 }], - "captures": { - "SELECT * FROM MSAcpi_ThermalZoneTemperature": [ - { "type": "absolute", "value": 5368917781 } - ] - } - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816515 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+CIM_./" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368916074 }], - "captures": { - "SELECT * FROM CIM_TemperatureSensor": [ - { "type": "absolute", "value": 5368916074 } - ] - } - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": 
"/SELECT\\s+\\*\\s+FROM\\s+Win32_./" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SELECT\\s+\\*\\s+FROM\\s+MSAcpi_./" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "write process memory": { - "meta": { - "name": "write process memory", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Defense Evasion", "Process Injection"], - "tactic": "Defense Evasion", - "technique": "Process Injection", - "subtechnique": "", - "id": "T1055" - } - ], - "mbc": [], - "references": [], - "examples": ["2D3EDC218A90F03089CC01715A9F047F:0x4027CF"], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: write process memory\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n lib: true\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Defense Evasion::Process Injection [T1055]\r\n examples:\r\n - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF\r\n features:\r\n - or:\r\n - api: kernel32.WriteProcessMemory\r\n - api: ntdll.NtWriteVirtualMemory\r\n - api: ntdll.ZwWriteVirtualMemory\r\n - api: NtWow64WriteVirtualMemory64\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811715 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368952486 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812360 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954178 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813750 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951194 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { 
"type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816245 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368955579 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get common file path": { - "meta": { - "name": "get common file path", - "namespace": "host-interaction/file-system", - "authors": [ - "moritz.raabe@mandiant.com", - "michael.hunhoff@mandiant.com", - "anushka.virgaonkar@mandiant.com" - ], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "File and Directory Discovery"], - "tactic": "Discovery", - "technique": "File and Directory Discovery", - "subtechnique": "", - "id": "T1083" - } - ], - "mbc": [ - { - "parts": ["Discovery", "File and Directory Discovery"], - "objective": "Discovery", - "behavior": "File and Directory Discovery", - "method": "", 
- "id": "E1083" - } - ], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 03-02.dll_:0x10003415", - "972B219F18379907A045431303F4DA7D:0x404887" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get common file path\r\n namespace: host-interaction/file-system\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::File and Directory Discovery [T1083]\r\n mbc:\r\n - Discovery::File and Directory Discovery [E1083]\r\n examples:\r\n - Practical Malware Analysis Lab 03-02.dll_:0x10003415\r\n - 972B219F18379907A045431303F4DA7D:0x404887\r\n features:\r\n - or:\r\n - api: kernel32.GetTempPath\r\n - api: kernel32.GetTempFileName\r\n - api: kernel32.GetSystemDirectory\r\n - api: kernel32.GetWindowsDirectory\r\n - api: kernel32.GetSystemWow64Directory\r\n - api: GetAllUsersProfileDirectory\r\n - api: GetAppContainerFolderPath\r\n - api: GetCurrentDirectory\r\n - api: GetDefaultUserProfileDirectory\r\n - api: GetProfilesDirectory\r\n - api: GetUserProfileDirectory\r\n - api: SHGetFolderPathAndSubDir\r\n - api: shell32.SHGetFolderPath\r\n - api: shell32.SHGetFolderLocation\r\n - api: shell32.SHGetKnownFolderPath\r\n - api: shell32.SHGetSpecialFolderPath\r\n - api: shell32.SHGetSpecialFolderLocation\r\n - api: System.IO.Directory::GetCurrentDirectory\r\n - api: System.Environment::GetFolderPath\r\n - property/read: System.Environment::SystemDirectory\r\n - property/read: System.Environment::CurrentDirectory\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811740 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetTempPath" } }, - "children": [], - "locations": [], - "captures": {} - 
}, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetTempFileName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetWindowsDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemWow64Directory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAllUsersProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAppContainerFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDefaultUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProfilesDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPathAndSubDir" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetKnownFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368935788 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.Directory::GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::SystemDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::CurrentDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812140 }, - { - "success": true, - "node": 
{ "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetTempPath" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetTempFileName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetWindowsDirectory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368937556 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemWow64Directory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAllUsersProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAppContainerFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDefaultUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProfilesDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "GetUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPathAndSubDir" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetKnownFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.Directory::GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::SystemDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - 
"property": "System.Environment::CurrentDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815050 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetTempPath" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetTempFileName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemDirectory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368881771 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetWindowsDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemWow64Directory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAllUsersProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAppContainerFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDefaultUserProfileDirectory" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProfilesDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPathAndSubDir" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetKnownFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.Directory::GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": 
"read", - "property": "System.Environment::SystemDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::CurrentDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetTempPath" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetTempFileName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetWindowsDirectory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368946447 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemWow64Directory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAllUsersProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAppContainerFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetCurrentDirectory" 
} - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDefaultUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProfilesDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPathAndSubDir" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetKnownFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.Directory::GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "api", "api": "System.Environment::GetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::SystemDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::CurrentDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816310 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetTempPath" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetTempFileName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetWindowsDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemWow64Directory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAllUsersProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"GetAppContainerFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDefaultUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProfilesDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetUserProfileDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPathAndSubDir" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetKnownFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderPath" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368945980 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetSpecialFolderLocation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.Directory::GetCurrentDirectory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetFolderPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::SystemDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::CurrentDirectory" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "query environment variable": { - "meta": { - "name": "query environment variable", - "namespace": "host-interaction/environment-variable", - "authors": ["michael.hunhoff@mandiant.com", "@_re_fox"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [ - { - "parts": ["Discovery", "System Information Discovery"], - "objective": "Discovery", - "behavior": "System Information Discovery", - "method": "", - "id": "E1082" - } - ], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 14-02.exe_:0x401880", - "0761142efbda6c4b1e801223de723578:0x65483490" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: query environment variable\r\n namespace: host-interaction/environment-variable\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - \"@_re_fox\"\r\n scopes:\r\n static: 
function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n mbc:\r\n - Discovery::System Information Discovery [E1082]\r\n examples:\r\n - Practical Malware Analysis Lab 14-02.exe_:0x401880\r\n - 0761142efbda6c4b1e801223de723578:0x65483490\r\n features:\r\n - or:\r\n - api: kernel32.GetEnvironmentVariable\r\n - api: kernel32.GetEnvironmentStrings\r\n - api: kernel32.ExpandEnvironmentStrings\r\n - api: msvcr90.getenv\r\n - api: msvcrt.getenv\r\n - api: System.Environment::GetEnvironmentVariable\r\n - api: System.Environment::GetEnvironmentVariables\r\n - api: System.Environment::ExpandEnvironmentVariables\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811740 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExpandEnvironmentStrings" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368935765 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - 
"type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariables" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Environment::ExpandEnvironmentVariables" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814500 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentVariable" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368909873 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExpandEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariables" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - 
"type": "api", - "api": "System.Environment::ExpandEnvironmentVariables" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815050 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentVariable" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368881871 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExpandEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariables" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Environment::ExpandEnvironmentVariables" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816310 }, - { 
- "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetEnvironmentStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExpandEnvironmentStrings" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368945957 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "getenv" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariable" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::GetEnvironmentVariables" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Environment::ExpandEnvironmentVariables" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get system information on Windows": { - "meta": { - "name": "get system information on Windows", - "namespace": "host-interaction/os/info", - "authors": ["moritz.raabe@mandiant.com", "joakim@intezer.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - 
"parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [], - "examples": [ - "563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140002280" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get system information on Windows\r\n namespace: host-interaction/os/info\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - joakim@intezer.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n examples:\r\n - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140002280\r\n features:\r\n - and:\r\n - os: windows\r\n - or:\r\n - api: kernel32.GetSystemInfo\r\n - api: kernel32.GetNativeSystemInfo\r\n - api: NtQuerySystemInformation\r\n - api: NtQuerySystemInformationEx\r\n - api: ntdll.RtlGetNativeSystemInformation\r\n - api: ZwQuerySystemInformation\r\n - api: ZwQuerySystemInformationEx\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811805 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368851199 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetNativeSystemInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNativeSystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368852431 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetNativeSystemInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformation" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNativeSystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813635 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839289 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetNativeSystemInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", 
- "feature": { "type": "api", "api": "NtQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNativeSystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816160 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetSystemInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978878 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetNativeSystemInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNativeSystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQuerySystemInformationEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "print debug messages": { - "meta": { - "name": "print debug messages", - "namespace": "host-interaction/log/debug/write-event", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [], - "mbc": [], - "references": [], - "examples": ["493167E85E45363D09495D0841C30648:0x401000"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: print debug messages\r\n namespace: host-interaction/log/debug/write-event\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n examples:\r\n - 493167E85E45363D09495D0841C30648:0x401000\r\n features:\r\n - or:\r\n - api: DbgPrint\r\n - api: kernel32.OutputDebugString\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368811805 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [ - { "type": "absolute", 
"value": 5368851717 }, - { "type": "absolute", "value": 5368851655 }, - { "type": "absolute", "value": 5368851977 }, - { "type": "absolute", "value": 5368851692 }, - { "type": "absolute", "value": 5368851437 }, - { "type": "absolute", "value": 5368851533 }, - { "type": "absolute", "value": 5368852050 }, - { "type": "absolute", "value": 5368851955 }, - { "type": "absolute", "value": 5368851606 }, - { "type": "absolute", "value": 5368851511 }, - { "type": "absolute", "value": 5368851735 }, - { "type": "absolute", "value": 5368851901 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812430 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368844884 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812840 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368908061 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814640 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": 
"feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368908349 }, - { "type": "absolute", "value": 5368908277 }, - { "type": "absolute", "value": 5368908316 }, - { "type": "absolute", "value": 5368908301 }, - { "type": "absolute", "value": 5368908364 }, - { "type": "absolute", "value": 5368908221 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814935 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368908610 }, - { "type": "absolute", "value": 5368908771 }, - { "type": "absolute", "value": 5368908756 }, - { "type": "absolute", "value": 5368908676 }, - { "type": "absolute", "value": 5368908804 }, - { "type": "absolute", "value": 5368908819 }, - { "type": "absolute", "value": 5368908732 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368814990 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "DbgPrint" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OutputDebugString" } - }, - "children": [], - "locations": [ - { 
"type": "absolute", "value": 5368907858 }, - { "type": "absolute", "value": 5368907903 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "parse PE header": { - "meta": { - "name": "parse PE header", - "namespace": "load-code/pe", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [ - { - "parts": ["Execution", "Shared Modules"], - "tactic": "Execution", - "technique": "Shared Modules", - "subtechnique": "", - "id": "T1129" - } - ], - "mbc": [], - "references": [], - "examples": ["9324D1A8AE37A36AE560C37448C9705A:0x403DD0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: parse PE header\r\n namespace: load-code/pe\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires mnemonic, operand[1].offset features\r\n att&ck:\r\n - Execution::Shared Modules [T1129]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x403DD0\r\n features:\r\n - and:\r\n - os: windows\r\n - and:\r\n - mnemonic: cmp\r\n - or:\r\n - number: 0x4550 = IMAGE_NT_SIGNATURE (PE)\r\n - and:\r\n - number: 0x50\r\n - number: 0x45\r\n - or:\r\n - number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ)\r\n - and:\r\n - number: 0x4D\r\n - number: 0x5A\r\n - optional:\r\n - and:\r\n - operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew\r\n - or:\r\n - and:\r\n - arch: i386\r\n - operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage\r\n - operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase\r\n - and:\r\n - arch: amd64\r\n - operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage\r\n - operand[1].offset: 0x30 = IMAGE_NT_HEADERS64.OptionalHeader.ImageBase\r\n - basic block:\r\n - and:\r\n - operand[1].offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew\r\n - 3 or more:\r\n - operand[1].offset: 0x4 = IMAGE_NT_HEADERS.FileHeader.Machine\r\n - operand[1].offset: 0x6 = 
IMAGE_NT_HEADERS.FileHeader.NumberOfSections\r\n - operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader\r\n - operand[1].offset: 0x16 = IMAGE_NT_HEADERS.FileHeader.Characteristics\r\n - operand[1].offset: 0x28 = IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint # for 32 and 64 bit\r\n - or:\r\n - and:\r\n - arch: i386\r\n - operand[1].offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase\r\n - operand[1].offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage\r\n - and:\r\n - arch: amd64\r\n - operand[1].offset: 0x30 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase\r\n - operand[1].offset: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812020 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5369019394 }, - { "type": "absolute", "value": 5369019331 }, - { "type": "absolute", "value": 5369019427 }, - { "type": "absolute", "value": 5369019386 }, - { "type": "absolute", "value": 5369019813 }, - { "type": "absolute", "value": 5369019972 }, - { "type": "absolute", "value": 5369019966 }, - { "type": "absolute", "value": 5369019402 }, - { "type": "absolute", "value": 5369019307 }, - { "type": "absolute", "value": 5369019820 }, - { "type": "absolute", "value": 5369019979 }, - { "type": "absolute", "value": 5369019407 }, - { "type": "absolute", "value": 5369019952 }, - { "type": "absolute", "value": 5369019572 }, - { "type": "absolute", "value": 5369019418 }, 
- { "type": "absolute", "value": 5369019806 } - ], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 17744, - "description": "IMAGE_NT_SIGNATURE (PE)" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369019331 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 80 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 69 } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 23117, - "description": "IMAGE_DOS_SIGNATURE (MZ)" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369019302 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 77 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 90 } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - 
"success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 60, - "description": "IMAGE_DOS_HEADER.e_lfanew" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369019316 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 80, - "description": "IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 52, - "description": "IMAGE_NT_HEADERS.OptionalHeader.ImageBase" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 80, - "description": "IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { 
- "type": "operand offset", - "index": 1, - "operand_offset": 48, - "description": "IMAGE_NT_HEADERS64.OptionalHeader.ImageBase" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369019254 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "parse PE header/b9b4ad7a16e14936bcf46acdb475b08d" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815575 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5369016033 }, - { "type": "absolute", "value": 5369016097 }, - { "type": "absolute", "value": 5369016161 }, - { "type": "absolute", "value": 5369016118 }, - { "type": "absolute", "value": 5369016134 }, - { "type": "absolute", "value": 5369016056 } - ], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 17744, - "description": "IMAGE_NT_SIGNATURE (PE)" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369016097 }], - 
"captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 80 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 69 } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 23117, - "description": "IMAGE_DOS_SIGNATURE (MZ)" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369016056 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 77 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 90 } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 60, - "description": "IMAGE_DOS_HEADER.e_lfanew" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369016072 }], - "captures": {} - }, - { - "success": false, - 
"node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 80, - "description": "IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 52, - "description": "IMAGE_NT_HEADERS.OptionalHeader.ImageBase" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 80, - "description": "IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "operand offset", - "index": 1, - "operand_offset": 48, - "description": "IMAGE_NT_HEADERS64.OptionalHeader.ImageBase" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": 
"match", - "match": "parse PE header/b9b4ad7a16e14936bcf46acdb475b08d" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for debugger via API": { - "meta": { - "name": "check for debugger via API", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "CheckRemoteDebuggerPresent" - ], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "CheckRemoteDebuggerPresent", - "id": "B0001.002" - }, - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection", "WudfIsAnyDebuggerPresent"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "WudfIsAnyDebuggerPresent", - "id": "B0001.031" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x420000"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for debugger via API\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]\r\n - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp\r\n examples:\r\n - 
al-khaser_x86.exe_:0x420000\r\n features:\r\n - or:\r\n # We're not including kernel32.IsDebuggerPresent here because some exception handlers and other compiler-inserted\r\n # code may add calls to it, especially in debug builds. So, likely even with pretty good library code detection\r\n # this feature could result in many false positives.\r\n - api: kernel32.CheckRemoteDebuggerPresent\r\n - api: WUDFPlatform.WudfIsAnyDebuggerPresent\r\n - api: WUDFPlatform.WudfIsKernelDebuggerPresent\r\n - api: WUDFPlatform.WudfIsUserDebuggerPresent\r\n - property/read: System.Diagnostics.Debugger::IsAttached\r\n - api: System.Diagnostics.Debugger::IsLogging\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812145 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CheckRemoteDebuggerPresent" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368837791 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WudfIsAnyDebuggerPresent" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WudfIsKernelDebuggerPresent" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WudfIsUserDebuggerPresent" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Debugger::IsAttached" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Debugger::IsLogging" } 
- }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check process job object": { - "meta": { - "name": "check process job object", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "", - "id": "B0001" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x426730"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check process job object\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection [B0001]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x426730\r\n features:\r\n - or:\r\n # static\r\n - and:\r\n - match: contain loop\r\n - basic block:\r\n - and:\r\n - api: kernel32.QueryInformationJobObject\r\n - number: 0x3 = JobObjectBasicProcessIdList\r\n - basic block:\r\n - and:\r\n - api: kernel32.OpenProcess\r\n - number: 0x400 = PROCESS_QUERY_INFORMATION\r\n # dynamic\r\n - and:\r\n - call:\r\n - and:\r\n - api: kernel32.QueryInformationJobObject\r\n - number: 0x3 = JobObjectBasicProcessIdList\r\n - call:\r\n - and:\r\n - api: kernel32.OpenProcess\r\n - number: 0x400 = PROCESS_QUERY_INFORMATION\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812150 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": 
"or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check process job object/32a83c80df664d7bae9319c33769c72d" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check process job object/2df68db0ccc148dbab4fe2eb86c952c5" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "contain loop" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368812150 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "tight loop" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "recursive call" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368812150 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": 
[ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "QueryInformationJobObject" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863567 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 3, - "description": "JobObjectBasicProcessIdList" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863560 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368863518 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863698 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 1024, - "description": "PROCESS_QUERY_INFORMATION" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368863693 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368863684 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "execute anti-debugging instructions": { - "meta": { - "name": "execute anti-debugging instructions", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "Anti-debugging Instructions" - ], - "objective": 
"Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Anti-debugging Instructions", - "id": "B0001.034" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 16-03.exe_:0x401300"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: execute anti-debugging instructions\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires mnemonic features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]\r\n examples:\r\n - Practical Malware Analysis Lab 16-03.exe_:0x401300\r\n features:\r\n - or:\r\n - count(mnemonic(rdtsc)): 2 or more\r\n - mnemonic: icebp\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812230 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "icebp" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 9223372036854775808, - "child": { "type": "mnemonic", "mnemonic": "rdtsc" } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368999657 }, - { "type": "absolute", "value": 5368999623 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815890 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "icebp" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - 
"statement": { - "type": "range", - "min": 2, - "max": 9223372036854775808, - "child": { "type": "mnemonic", "mnemonic": "rdtsc" } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368999336 }, - { "type": "absolute", "value": 5368999355 }, - { "type": "absolute", "value": 5368999376 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "terminate process": { - "meta": { - "name": "terminate process", - "namespace": "host-interaction/process/terminate", - "authors": [ - "moritz.raabe@mandiant.com", - "michael.hunhoff@mandiant.com", - "anushka.virgaonkar@mandiant.com" - ], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Process", "Terminate Process"], - "objective": "Process", - "behavior": "Terminate Process", - "method": "", - "id": "C0018" - } - ], - "references": [], - "examples": [ - "C91887D861D9BD4A5872249B641BC9F9:0x401A77", - "9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: terminate process\r\n namespace: host-interaction/process/terminate\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n mbc:\r\n - Process::Terminate Process [C0018]\r\n examples:\r\n - C91887D861D9BD4A5872249B641BC9F9:0x401A77\r\n - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307\r\n features:\r\n - or:\r\n - api: System.Diagnostics.Process::Kill\r\n - api: System.Diagnostics.Process::WaitForExit\r\n - api: System.Diagnostics.Process::WaitForExitAsync\r\n - api: System.Environment::Exit\r\n - api: System.Windows.Forms.Application::Exit\r\n - api: exit\r\n - api: Exit\r\n - and:\r\n - optional:\r\n - match: open process\r\n - or:\r\n - api: kernel32.TerminateProcess\r\n - api: ntdll.NtTerminateProcess\r\n - api: 
kernel32.ExitProcess\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812350 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::Kill" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::WaitForExit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::WaitForExitAsync" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Windows.Forms.Application::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "exit" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Exit" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "open process" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { 
"type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "TerminateProcess" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369007930 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtTerminateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExitProcess" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368812690 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::Kill" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::WaitForExit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::WaitForExitAsync" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Windows.Forms.Application::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", 
"feature": { "type": "api", "api": "exit" } }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368812690 }, - { "type": "absolute", "value": 5369020774 } - ], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Exit" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "open process" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "TerminateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtTerminateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExitProcess" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815590 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::Kill" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { "type": "api", "api": "System.Diagnostics.Process::WaitForExit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Diagnostics.Process::WaitForExitAsync" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Environment::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Windows.Forms.Application::Exit" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "exit" } }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368971169 }, - { "type": "absolute", "value": 5368971223 } - ], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "Exit" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "open process" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "TerminateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": 
"NtTerminateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ExitProcess" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "inject APC": { - "meta": { - "name": "inject APC", - "namespace": "host-interaction/process/inject", - "authors": ["william.ballenthin@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Defense Evasion", "Process Injection", "Asynchronous Procedure Call"], - "tactic": "Defense Evasion", - "technique": "Process Injection", - "subtechnique": "Asynchronous Procedure Call", - "id": "T1055.004" - } - ], - "mbc": [], - "references": [], - "examples": ["al-khaser_x64.exe_:0x140019348"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: inject APC\r\n namespace: host-interaction/process/inject\r\n authors:\r\n - william.ballenthin@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]\r\n examples:\r\n - al-khaser_x64.exe_:0x140019348\r\n features:\r\n - and:\r\n - or:\r\n - match: write process memory\r\n - match: create or open section object\r\n - api: kernel32.MapViewOfFile\r\n - or:\r\n - api: kernel32.QueueUserAPC\r\n - api: ntdll.NtQueueApcThread\r\n - optional:\r\n - or:\r\n - number: 0x1fffff = THREAD_ALL_ACCESS\r\n - api: kernel32.CreateProcess\r\n - api: kernel32.OpenProcess\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812360 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": 
"or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "QueueUserAPC" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954348 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueueApcThread" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "write process memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954178 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368812360 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "create or open section object" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { 
"type": "api", "api": "MapViewOfFile" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 2097151, - "description": "THREAD_ALL_ACCESS" - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368953938 }, - { "type": "absolute", "value": 5368954299 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953943 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "enumerate threads": { - "meta": { - "name": "enumerate threads", - "namespace": "host-interaction/thread/list", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - } - ], - "mbc": [ - { - "parts": ["Process", "Enumerate Threads"], - "objective": "Process", - "behavior": "Enumerate Threads", - "method": "", - "id": "C0064" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 05-01.dll_:0x10006BD5"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: enumerate 
threads\r\n namespace: host-interaction/thread/list\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n mbc:\r\n - Process::Enumerate Threads [C0064]\r\n examples:\r\n - Practical Malware Analysis Lab 05-01.dll_:0x10006BD5\r\n features:\r\n - and:\r\n - api: kernel32.Thread32First\r\n - api: kernel32.Thread32Next\r\n - optional:\r\n - basic block:\r\n - and:\r\n - or:\r\n - number: 0x4 = TH32CS_SNAPTHREAD\r\n # TH32CS_SNAPTHREAD includes all threads in the system in the snapshot\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n - call:\r\n - and:\r\n - or:\r\n - number: 0x4 = TH32CS_SNAPTHREAD\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812360 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Thread32First" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954263 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Thread32Next" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954437 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateToolhelp32Snapshot" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954212 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", 
"statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4, - "description": "TH32CS_SNAPTHREAD" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368954207 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368954205 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "enumerate threads/e918d7b548ab4219afd7b1e887aa7333" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Thread32First" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978399 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "Thread32Next" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978503 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateToolhelp32Snapshot" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978364 }], - "captures": {} - }, - { - "success": true, - "node": { 
"type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4, - "description": "TH32CS_SNAPTHREAD" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368978359 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368978288 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "enumerate threads/e918d7b548ab4219afd7b1e887aa7333" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "execute shellcode via indirect call": { - "meta": { - "name": "execute shellcode via indirect call", - "namespace": "load-code/shellcode", - "authors": ["ronnie.salomonsen@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [ - { - "parts": ["Memory", "Allocate Memory"], - "objective": "Memory", - "behavior": "Allocate Memory", - "method": "", - "id": "C0007" - } - ], - "references": [], - "examples": [], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: execute shellcode via indirect call\r\n namespace: load-code/shellcode\r\n authors:\r\n - ronnie.salomonsen@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires characteristic features\r\n mbc:\r\n - Memory::Allocate Memory [C0007]\r\n features:\r\n - and:\r\n - match: allocate or change RWX memory\r\n - or:\r\n - characteristic: indirect call\r\n - characteristic: cross section flow\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812395 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": 
true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate or change RWX memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911413 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - 
"children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAlloc" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocEx" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368911394 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", 
"match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - "description": "PAGE_EXECUTE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911394 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RWX memory/62333f7427bc4563bf67b6dee8a5a79c" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368911394 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368911866 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "cross section flow" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368813635 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate or change RWX memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - 
"success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839314 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": 
{ - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAlloc" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocEx" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368839184 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - 
"success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 64, - "description": "PAGE_EXECUTE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839298 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RWX memory/62333f7427bc4563bf67b6dee8a5a79c" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368839184 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "indirect call" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368839400 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "cross section flow" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "send ICMP echo request": { - "meta": { - "name": "send ICMP echo request", - "namespace": "communication/icmp", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Communication", "ICMP Communication", "Echo Request"], - "objective": "Communication", - "behavior": "ICMP Communication", - "method": "Echo Request", - "id": "C0014.002" - } - ], - "references": ["https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/"], - "examples": ["al-khaser_x86.exe_:0x449510"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": 
"rule:\r\n meta:\r\n name: send ICMP echo request\r\n namespace: communication/icmp\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n mbc:\r\n - Communication::ICMP Communication::Echo Request [C0014.002]\r\n references:\r\n - https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/\r\n examples:\r\n - al-khaser_x86.exe_:0x449510\r\n features:\r\n - and:\r\n - or:\r\n - api: IcmpSendEcho\r\n - api: IcmpSendEcho2\r\n - api: IcmpSendEcho2Ex\r\n - api: Icmp6SendEcho2\r\n - optional:\r\n - or:\r\n - api: IcmpCreateFile\r\n - api: Icmp6CreateFile\r\n - api: IcmpCloseHandle\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812530 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IcmpSendEcho" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369001023 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IcmpSendEcho2" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IcmpSendEcho2Ex" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Icmp6SendEcho2" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { 
"type": "api", "api": "IcmpCreateFile" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369000837 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Icmp6CreateFile" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "IcmpCloseHandle" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5369001033 }, - { "type": "absolute", "value": 5369000941 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get number of processors": { - "meta": { - "name": "get number of processors", - "namespace": "host-interaction/hardware/cpu", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiVM/Generic.cpp#L361" - ], - "examples": ["al-khaser_x86.exe_:0x432CB0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get number of processors\r\n namespace: host-interaction/hardware/cpu\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires property features\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c68f8d5905bd204d0cb3f593/al-khaser/AntiVM/Generic.cpp#L361\r\n examples:\r\n - 
al-khaser_x86.exe_:0x432CB0\r\n features:\r\n - or:\r\n - and:\r\n - match: PEB access\r\n - or:\r\n - and:\r\n - arch: i386\r\n - number: 0x64 = PEB->NumberOfProcessors\r\n - and:\r\n - arch: amd64\r\n - number: 0xB8 = PEB->NumberOfProcessors\r\n - property/read: System.Environment::ProcessorCount\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812675 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Environment::ProcessorCount" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914346 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - 
"node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914346 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - 
} - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914304 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 100, - "description": "PEB->NumberOfProcessors" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 184, - "description": "PEB->NumberOfProcessors" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914355 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check if file exists": { - "meta": { - "name": "check if file exists", - "namespace": "host-interaction/file-system/exists", - "authors": ["moritz.raabe@mandiant.com", "michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "File and Directory Discovery"], - "tactic": "Discovery", - "technique": "File and Directory Discovery", - 
"subtechnique": "", - "id": "T1083" - } - ], - "mbc": [ - { - "parts": ["Discovery", "File and Directory Discovery"], - "objective": "Discovery", - "behavior": "File and Directory Discovery", - "method": "", - "id": "E1083" - } - ], - "references": [], - "examples": ["31600AD0D1A7EA615690DF111AE36C73:0x401284"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check if file exists\r\n namespace: host-interaction/file-system/exists\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::File and Directory Discovery [T1083]\r\n mbc:\r\n - Discovery::File and Directory Discovery [E1083]\r\n examples:\r\n - 31600AD0D1A7EA615690DF111AE36C73:0x401284\r\n features:\r\n - or:\r\n - basic block:\r\n - and:\r\n - api: kernel32.GetFileAttributes\r\n - instruction:\r\n - mnemonic: cmp\r\n - number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES\r\n - basic block:\r\n - and:\r\n - api: kernel32.GetLastError\r\n - instruction:\r\n - mnemonic: cmp\r\n - number: 2 = ERROR_FILE_NOT_FOUND\r\n - api: shlwapi.PathFileExists\r\n - api: System.IO.File::Exists\r\n - property/read: System.IO.FileSystemInfo::Exists\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368812680 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetFileAttributes" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997837 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { 
"type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997846 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4294967295, - "description": "INVALID_FILE_ATTRIBUTES" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997846 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368997846 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368997776 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check if file exists/a039fdffa08040fabf99312614f547a5" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PathFileExists" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::Exists" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.FileSystemInfo::Exists" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368816025 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": 
"statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetFileAttributes" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368997997 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368998006 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4294967295, - "description": "INVALID_FILE_ATTRIBUTES" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368998006 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368998006 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368997936 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check if file exists/a039fdffa08040fabf99312614f547a5" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PathFileExists" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.IO.File::Exists" } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.FileSystemInfo::Exists" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "connect to WMI namespace via WbemLocator": { - "meta": { - "name": "connect to WMI namespace via WbemLocator", - "namespace": "host-interaction/wmi", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [ - { - "parts": ["Execution", "Windows Management Instrumentation"], - "tactic": "Execution", - "technique": "Windows Management Instrumentation", - "subtechnique": "", - "id": "T1047" - } - ], - "mbc": [], - "references": [], - "examples": ["al-khaser_x64.exe_:0x14001956e", "al-khaser_x86.exe_:0x00445270"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "# generated using capa explorer for IDA Pro\r\nrule:\r\n meta:\r\n name: connect to WMI namespace via WbemLocator\r\n namespace: host-interaction/wmi\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires offset, bytes features\r\n att&ck:\r\n - Execution::Windows Management Instrumentation [T1047]\r\n examples:\r\n - al-khaser_x64.exe_:0x14001956e\r\n - al-khaser_x86.exe_:0x00445270\r\n features:\r\n - and:\r\n - basic block:\r\n - and:\r\n - api: ole32.CoCreateInstance\r\n - com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator\r\n - com/interface: IWbemLocator # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator\r\n - or:\r\n - and:\r\n - arch: i386\r\n - offset: 0xC = ppv->ConnectServer\r\n - and:\r\n - arch: amd64\r\n - offset: 0x18 = ppv->ConnectServer\r\n - optional:\r\n - string: /ROOT\\\\CIMV2/i\r\n - string: /ROOT\\\\DEFAULT/i\r\n", - "matches": [ - [ - { "type": "absolute", "value": 
5368812910 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CoCreateInstance" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368983484 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "4590f811-1d3a-11d0-891f-00aa004b2e24", - "description": "CLSID_WbemLocator as GUID string" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "bytes", - "bytes": "11f890453a1dd011891f00aa004b2e24", - "description": "CLSID_WbemLocator as bytes" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368983477 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "dc12a687-737f-11cf-884d-00aa004b2e24", - "description": "IID_IWbemLocator as GUID string" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "bytes", - "bytes": "87a612dc7f73cf11884d00aa004b2e24", - "description": "IID_IWbemLocator as bytes" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368983462 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - 
} - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368983445 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 12, - "description": "ppv->ConnectServer" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 24, - "description": "ppv->ConnectServer" - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368983248 }, - { "type": "absolute", "value": 5368983632 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/ROOT\\\\CIMV2/i" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/ROOT\\\\DEFAULT/i" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - 
], - "locations": [], - "captures": {} - } - ] - ] - }, - "check if process is running under wine": { - "meta": { - "name": "check if process is running under wine", - "namespace": "anti-analysis/anti-emulation/wine", - "authors": ["@_re_fox"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Defense Evasion", "Virtualization/Sandbox Evasion", "System Checks"], - "tactic": "Defense Evasion", - "technique": "Virtualization/Sandbox Evasion", - "subtechnique": "System Checks", - "id": "T1497.001" - } - ], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Emulator Detection"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Emulator Detection", - "method": "", - "id": "B0004" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Wine.cpp" - ], - "examples": ["ccbf7cba35bab56563c0fbe4237fdc41:0x40d750"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check if process is running under wine\r\n namespace: anti-analysis/anti-emulation/wine\r\n authors:\r\n - \"@_re_fox\"\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n mbc:\r\n - Anti-Behavioral Analysis::Emulator Detection [B0004]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Wine.cpp\r\n examples:\r\n - ccbf7cba35bab56563c0fbe4237fdc41:0x40d750\r\n features:\r\n - or:\r\n - string: /SOFTWARE\\\\Wine/i\r\n - and:\r\n - api: GetModuleHandle\r\n - api: GetProcAddress\r\n - string: \"wine_get_unix_file_name\"\r\n - or:\r\n - string: \"kernel32.dll\"\r\n - string: \"ntdll.dll\"\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813180 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "regex", "regex": "/SOFTWARE\\\\Wine/i" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949745 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949789 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "wine_get_unix_file_name" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949778 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "kernel32.dll" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949738 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ntdll.dll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815440 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/SOFTWARE\\\\Wine/i" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368949915 }], - "captures": { "SOFTWARE\\Wine": [{ "type": "absolute", "value": 
5368949915 }] } - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProcAddress" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "wine_get_unix_file_name" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "kernel32.dll" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "ntdll.dll" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "enumerate processes": { - "meta": { - "name": "enumerate processes", - "namespace": "host-interaction/process/list", - "authors": ["moritz.raabe@mandiant.com", "michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - }, - { - "parts": ["Discovery", "Software Discovery"], - "tactic": "Discovery", - "technique": "Software Discovery", - "subtechnique": "", - "id": "T1518" - } - ], - "mbc": [], - "references": [], - "examples": [ - "2D3EDC218A90F03089CC01715A9F047F:0x403DAB", - 
"35d04ecd797041eee796f4ddaa96cae8:0x10004F34" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: enumerate processes\r\n namespace: host-interaction/process/list\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n - Discovery::Software Discovery [T1518]\r\n examples:\r\n - 2D3EDC218A90F03089CC01715A9F047F:0x403DAB\r\n - 35d04ecd797041eee796f4ddaa96cae8:0x10004F34\r\n features:\r\n - or:\r\n - api: System.Diagnostics.Process::GetProcesses\r\n - and:\r\n - api: kernel32.Process32First\r\n - api: kernel32.Process32Next\r\n - optional:\r\n - basic block:\r\n - and:\r\n - or:\r\n - number: 0xF = TH32CS_SNAPALL\r\n - number: 0x2 = TH32CS_SNAPPROCESS\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n - call:\r\n - and:\r\n - or:\r\n - number: 0xF = TH32CS_SNAPALL\r\n - number: 0x2 = TH32CS_SNAPPROCESS\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813355 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Diagnostics.Process::GetProcesses" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Process32First" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368982946 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Process32Next" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368983034 }], - "captures": {} - }, - { - 
"success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateToolhelp32Snapshot" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368982887 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 15, - "description": "TH32CS_SNAPALL" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 2, - "description": "TH32CS_SNAPPROCESS" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368982882 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368982784 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "enumerate processes/bc9a3c91e8f94c8ba66842d00377c5d0" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get OS version": { - "meta": { - "name": "get OS version", - "authors": ["@mr-tz"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [], - "mbc": [], - "references": [], - "examples": [ - "493167E85E45363D09495D0841C30648:0x401000", - 
"5f66b82558ca92e54e77f216ef4c066c:0x44580A" - ], - "description": "", - "lib": true, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get OS version\r\n authors:\r\n - \"@mr-tz\"\r\n lib: true\r\n scopes:\r\n static: function\r\n dynamic: call\r\n examples:\r\n - 493167E85E45363D09495D0841C30648:0x401000\r\n - 5f66b82558ca92e54e77f216ef4c066c:0x44580A\r\n features:\r\n - or:\r\n - api: RtlGetVersion\r\n - api: ntoskrnl.PsGetVersion\r\n - api: GetVersion\r\n - api: GetVersionEx\r\n - api: VerifyVersionInfo\r\n - api: VerSetConditionMask\r\n - api: RtlGetNtVersionNumbers\r\n - api: GetProductInfo\r\n - and:\r\n - match: PEB access\r\n - or:\r\n - and:\r\n - arch: i386\r\n - or:\r\n - offset: 0xA4 = PEB->OSMajorVersion\r\n - offset: 0xA8 = PEB->OSMinorVersion\r\n - offset: 0xAC = PEB->OSBuildNumber\r\n - and:\r\n - arch: amd64\r\n - or:\r\n - offset: 0x118 = PEB->OSMajorVersion\r\n - offset: 0x11C = PEB->OSMinorVersion\r\n - offset: 0x120 = PEB->OSBuildNumber\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813515 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RtlGetVersion" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "PsGetVersion" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetVersion" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetVersionEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VerifyVersionInfo" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368844532 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VerSetConditionMask" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368844452 }, - { "type": "absolute", "value": 5368844469 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNtVersionNumbers" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProductInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 164, - "description": "PEB->OSMajorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 168, - "description": "PEB->OSMinorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - 
"type": "offset", - "offset": 172, - "description": "PEB->OSBuildNumber" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 280, - "description": "PEB->OSMajorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 284, - "description": "PEB->OSMinorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 288, - "description": "PEB->OSBuildNumber" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815925 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "RtlGetVersion" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "PsGetVersion" } }, - "children": [], - "locations": [], - "captures": 
{} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetVersion" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetVersionEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VerifyVersionInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368843269 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VerSetConditionMask" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368843172 }, - { "type": "absolute", "value": 5368843189 }, - { "type": "absolute", "value": 5368843206 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlGetNtVersionNumbers" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetProductInfo" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": 
"or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 164, - "description": "PEB->OSMajorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 168, - "description": "PEB->OSMinorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 172, - "description": "PEB->OSBuildNumber" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 280, - "description": "PEB->OSMajorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 284, - "description": "PEB->OSMinorVersion" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 288, - "description": "PEB->OSBuildNumber" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], 
- "locations": [], - "captures": {} - } - ] - ] - }, - "check for time delay via GetTickCount": { - "meta": { - "name": "check for time delay via GetTickCount", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "Timing/Delay Check GetTickCount" - ], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Timing/Delay Check GetTickCount", - "id": "B0001.032" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 16-03.exe_:0x4013d0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for time delay via GetTickCount\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires mnemonic features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]\r\n examples:\r\n - Practical Malware Analysis Lab 16-03.exe_:0x4013d0\r\n features:\r\n - and:\r\n - count(api(kernel32.GetTickCount)): 2 or more\r\n - basic block:\r\n - and:\r\n - mnemonic: sub\r\n - mnemonic: cmp\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813565 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "sub" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368914545 }, 
- { "type": "absolute", "value": 5368914435 }, - { "type": "absolute", "value": 5368914535 } - ], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368914550 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368914432 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 9223372036854775808, - "child": { "type": "api", "api": "GetTickCount" } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368914520 }, - { "type": "absolute", "value": 5368914502 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "inject dll": { - "meta": { - "name": "inject dll", - "namespace": "host-interaction/process/inject", - "authors": ["0x534a@mailbox.org"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Defense Evasion", "Process Injection", "Dynamic-link Library Injection"], - "tactic": "Defense Evasion", - "technique": "Process Injection", - "subtechnique": "Dynamic-link Library Injection", - "id": "T1055.001" - } - ], - "mbc": [], - "references": [ - "Practical Malware Analysis, p. 
676", - "https://www.researchgate.net/publication/279155742_A_Novel_Approach_to_Detect_Malware_Based_on_API_Call_Sequence_Analysis", - "https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", - "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", - "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", - "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" - ], - "examples": ["Practical Malware Analysis Lab 17-02.dll_:0x1000D10D"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: inject dll\r\n namespace: host-interaction/process/inject\r\n authors:\r\n - 0x534a@mailbox.org\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]\r\n references:\r\n - Practical Malware Analysis, p. 
676\r\n - https://www.researchgate.net/publication/279155742_A_Novel_Approach_to_Detect_Malware_Based_on_API_Call_Sequence_Analysis\r\n - https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf\r\n - https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf\r\n - https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/\r\n - https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf\r\n - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\r\n examples:\r\n - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D\r\n features:\r\n - and:\r\n - optional:\r\n - or:\r\n - match: open process\r\n - match: host-interaction/process/create\r\n - match: allocate or change RW memory\r\n - match: write process memory\r\n - and:\r\n - or:\r\n - api: kernel32.GetModuleHandle\r\n - api: kernel32.GetModuleHandleEx\r\n - string: \"/LoadLibrary[AW]/\"\r\n - match: create thread\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813750 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate or change RW memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951096 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwAllocateVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAlloc" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocEx" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - 
"feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950968 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "change memory protection" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4, - "description": "PAGE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951069 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - 
"captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950968 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "write process memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951194 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368813750 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "create thread" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "os", "os": "linux" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "pthread_create" } - }, - "children": [], - "locations": [], - "captures": {} 
- } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::Start" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Threading.Thread::ctor" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "os", "os": "windows" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthreadex" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PsCreateSystemThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThread" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThreadWithHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThread" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951265 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateUserThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368951220 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { 
- "type": "feature", - "feature": { "type": "match", "match": "open process" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950815 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtOpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950804 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "host-interaction/process/create" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950861 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetModuleHandleEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "regex", "regex": "/LoadLibrary[AW]/" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368950912 }], - "captures": { "LoadLibraryW": [{ "type": "absolute", "value": 5368950912 }] } - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "inject thread": { - "meta": { - "name": "inject thread", - "namespace": "host-interaction/process/inject", - "authors": ["anamaria.martinezgom@mandiant.com", "0x534a@mailbox.org"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Defense Evasion", "Process Injection", "Thread Execution Hijacking"], - "tactic": "Defense Evasion", - "technique": "Process Injection", - "subtechnique": "Thread Execution Hijacking", - "id": "T1055.003" - }, - { - "parts": ["Defense Evasion", "Reflective Code Loading"], - "tactic": "Defense Evasion", - "technique": "Reflective Code Loading", - "subtechnique": "", - "id": "T1620" - } - ], - "mbc": [], - "references": [], - "examples": [ - "Practical Malware Analysis Lab 12-01.exe_:0x4010D0", - "2D3EDC218A90F03089CC01715A9F047F:0x4027CF" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: inject thread\r\n namespace: host-interaction/process/inject\r\n authors:\r\n - anamaria.martinezgom@mandiant.com\r\n - 0x534a@mailbox.org\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]\r\n - Defense Evasion::Reflective Code Loading [T1620]\r\n examples:\r\n - Practical Malware Analysis Lab 12-01.exe_:0x4010D0\r\n - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF\r\n features:\r\n - and:\r\n - or:\r\n - match: allocate or change RWX memory\r\n - match: allocate or change RW memory\r\n - match: write process memory\r\n - match: create thread\r\n - optional:\r\n - or:\r\n - match: host-interaction/process/create\r\n - match: open process\r\n - number: 0x3000 = MEM_COMMIT or MEM_RESERVE\r\n", - "matches": [ 
- [ - { "type": "absolute", "value": 5368813750 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "write process memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "WriteProcessMemory" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951194 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwWriteVirtualMemory" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtWow64WriteVirtualMemory64" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368813750 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "create thread" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "os", "os": "linux" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "pthread_create" } - }, - "children": [], - "locations": [], - "captures": 
{} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Thread::Start" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "System.Threading.Thread::ctor" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "os", "os": "windows" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "_beginthreadex" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "PsCreateSystemThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThread" } - }, - "children": [], 
- "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHCreateThreadWithHandle" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThread" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951265 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateRemoteThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlCreateUserThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThread" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateThreadEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368951220 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate or change RWX memory" } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate or change RW memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "allocate memory" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAlloc" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951096 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "VirtualAllocExNuma" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwMapViewOfSection" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { - "type": "statement", - "statement": { "type": "and" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "link function at runtime on Windows" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "or" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAlloc" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocEx" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "VirtualAllocExNuma" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwAllocateVirtualMemory" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "NtMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "ZwMapViewOfSection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950968 }], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "change memory protection" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 4, - "description": "PAGE_READWRITE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951069 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "allocate or change RW memory/ba49ad9b268c4b23bcc4fb6c4be58dec" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950968 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "host-interaction/process/create" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "open process" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368950815 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"api", "api": "NtOpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368950804 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 12288, - "description": "MEM_COMMIT or MEM_RESERVE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368951077 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get memory capacity": { - "meta": { - "name": "get memory capacity", - "namespace": "host-interaction/hardware/memory", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [], - "examples": ["9324D1A8AE37A36AE560C37448C9705A:0x4052A0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get memory capacity\r\n namespace: host-interaction/hardware/memory\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0\r\n features:\r\n - or:\r\n - api: kernel32.GlobalMemoryStatus\r\n - api: kernel32.GlobalMemoryStatusEx\r\n # TODO kernel32.GetSystemInfo with offset\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813815 }, - { - "success": true, - 
"node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GlobalMemoryStatus" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GlobalMemoryStatusEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368923310 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "enumerate process modules": { - "meta": { - "name": "enumerate process modules", - "namespace": "host-interaction/process/modules/list", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "Process Discovery"], - "tactic": "Discovery", - "technique": "Process Discovery", - "subtechnique": "", - "id": "T1057" - } - ], - "mbc": [], - "references": [], - "examples": [ - "6F99A2C8944CB02FF28C6F9CED59B161:0x419FF8", - "9B2FD471274C41626B75DDBB5C897877:0x100046B0" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: enumerate process modules\r\n namespace: host-interaction/process/modules/list\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::Process Discovery [T1057]\r\n examples:\r\n - 6F99A2C8944CB02FF28C6F9CED59B161:0x419FF8\r\n - 9B2FD471274C41626B75DDBB5C897877:0x100046B0\r\n features:\r\n - or:\r\n - and:\r\n - optional:\r\n - or:\r\n - api: kernel32.OpenProcess\r\n - api: kernel32.CloseHandle\r\n - or:\r\n - api: kernel32.K32EnumProcessModules\r\n - api: kernel32.K32EnumProcessModulesEx\r\n - api: kernel32.K32EnumProcesses\r\n # depending on OS version in kernel32 or psapi\r\n - api: EnumProcessModules\r\n - 
api: EnumProcessModulesEx\r\n - api: EnumProcesses\r\n - and:\r\n - api: kernel32.Module32First\r\n - api: kernel32.Module32Next\r\n - optional:\r\n - basic block:\r\n - and:\r\n - or:\r\n - number: 0x8 = TH32CS_SNAPMODULE\r\n - number: 0x10 = TH32CS_SNAPMODULE32\r\n - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n - call:\r\n - and:\r\n - or:\r\n - number: 0x8 = TH32CS_SNAPMODULE\r\n - number: 0x10 = TH32CS_SNAPMODULE32\r\n - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32\r\n - api: kernel32.CreateToolhelp32Snapshot\r\n - and:\r\n - property/read: System.Diagnostics.Process::Modules\r\n - property/read: System.Diagnostics.ProcessModuleCollection::Item\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368813990 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::Modules" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModuleCollection::Item" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Module32First" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368890180 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Module32Next" } - }, - "children": [], - 
"locations": [{ "type": "absolute", "value": 5368890266 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateToolhelp32Snapshot" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368890108 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 8, - "description": "TH32CS_SNAPMODULE" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 16, - "description": "TH32CS_SNAPMODULE32" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368890103 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368890032 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "enumerate process modules/8b331e58071546b195638f7dded0de86" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": 
false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CloseHandle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368890301 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcessModules" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcessModulesEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcesses" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcessModules" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcessModulesEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcesses" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": 
[], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815960 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.Process::Modules" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.Diagnostics.ProcessModuleCollection::Item" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Module32First" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953371 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Module32Next" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953421 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CreateToolhelp32Snapshot" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 
5368953340 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 8, - "description": "TH32CS_SNAPMODULE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368953335 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 16, - "description": "TH32CS_SNAPMODULE32" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 24, - "description": "TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368953248 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "enumerate process modules/8b331e58071546b195638f7dded0de86" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "OpenProcess" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "CloseHandle" } - }, - "children": [], - "locations": [{ "type": 
"absolute", "value": 5368953434 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcessModules" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcessModulesEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "K32EnumProcesses" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcessModules" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcessModulesEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumProcesses" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for software breakpoints": { - "meta": { - "name": "check for software breakpoints", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection", "Software Breakpoints"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Software Breakpoints", - "id": "B0001.025" - } - ], - 
"references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp", - "https://anti-debug.checkpoint.com/techniques/assembly.html" - ], - "examples": ["al-khaser_x86.exe_:0x431020"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for software breakpoints\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires mnemonic features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp\r\n - https://anti-debug.checkpoint.com/techniques/assembly.html\r\n examples:\r\n - al-khaser_x86.exe_:0x431020\r\n features:\r\n - and:\r\n - or:\r\n - instruction:\r\n - mnemonic: cmp\r\n - number: 0xCC = INT3\r\n - and:\r\n - description: INT3 (long form)\r\n - instruction:\r\n - mnemonic: cmp\r\n - number: 0xCD = INT3 (long form byte 1)\r\n - instruction:\r\n - mnemonic: cmp\r\n - number: 0x03 = INT3 (long form byte 2)\r\n - match: contain loop\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368814035 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "contain loop" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "characteristic", "characteristic": "loop" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368814035 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": 
"characteristic", "characteristic": "tight loop" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "recursive call" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368814035 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "cmp" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368907642 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 204, "description": "INT3" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368907642 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368907642 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "statement", - "statement": { "type": "and", "description": "INT3 (long form)" } - }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check for software breakpoints/6ad668bfa45a4a4cab8bb6ca25b4f893" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check for software breakpoints/2abefe1474b74891a1c248a9969463cb" - } - }, - "children": [], - "locations": [], - 
"captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "set console window title": { - "meta": { - "name": "set console window title", - "namespace": "host-interaction/gui/console", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Operating System", "Console"], - "objective": "Operating System", - "behavior": "Console", - "method": "", - "id": "C0033" - } - ], - "references": [], - "examples": ["mimikatz.exe_:0x44570F"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: set console window title\r\n namespace: host-interaction/gui/console\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n mbc:\r\n - Operating System::Console [C0033]\r\n examples:\r\n - mimikatz.exe_:0x44570F\r\n features:\r\n - or:\r\n - api: kernel32.SetConsoleTitle\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368814050 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetConsoleTitle" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368969441 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get disk size": { - "meta": { - "name": "get disk size", - "namespace": "host-interaction/hardware/storage", - "authors": ["michael.hunhoff@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [ - { - 
"parts": ["Discovery", "System Information Discovery"], - "objective": "Discovery", - "behavior": "System Information Discovery", - "method": "", - "id": "E1082" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L347" - ], - "examples": ["al-khaser_x86.exe_:0x4343D0", "al-khaser_x86.exe_:0x434010"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get disk size\r\n namespace: host-interaction/hardware/storage\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n mbc:\r\n - Discovery::System Information Discovery [E1082]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L347\r\n examples:\r\n - al-khaser_x86.exe_:0x4343D0\r\n - al-khaser_x86.exe_:0x434010\r\n features:\r\n - or:\r\n - api: kernel32.GetDiskFreeSpace\r\n - api: kernel32.GetDiskFreeSpaceEx\r\n - property/read: System.IO.DriveInfo::TotalSize\r\n - property/read: System.IO.DriveInfo::TotalFreeSpace\r\n - property/read: System.IO.DriveInfo::AvailableFreeSpace\r\n - basic block:\r\n - and:\r\n - match: interact with driver via IOCTL\r\n - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO\r\n - call:\r\n - and:\r\n - match: interact with driver via IOCTL\r\n - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO\r\n - and:\r\n - or:\r\n - string: /SELECT\\s+\\*\\s+FROM\\s+Win32_LogicalDisk/i\r\n - string: /SELECT\\s+\\*\\s+FROM\\s+Win32_DiskDrive\\s+WHERE\\s+\\(SerialNumber\\s+IS\\s+NOT\\s+NULL\\)\\s+AND\\s+\\(MediaType\\s+LIKE\\s+\\'Fixed\\s+hard\\s+disk\\%\\'\\)/i\r\n - string: \"Size\"\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368814865 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - 
"success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDiskFreeSpace" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDiskFreeSpaceEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::TotalSize" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::TotalFreeSpace" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::AvailableFreeSpace" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "interact with driver via IOCTL" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "DeviceIoControl" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920318 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368920268 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": 
"number", - "number": 475228, - "description": "IOCTL_DISK_GET_LENGTH_INFO" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920309 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "interact with driver via IOCTL" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "DeviceIoControl" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920064 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368920014 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 475228, - "description": "IOCTL_DISK_GET_LENGTH_INFO" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368920055 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [ - { "type": "absolute", "value": 5368920268 }, - { "type": "absolute", "value": 5368920014 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "get disk size/caf381278ac947948b25a47c8c0e29a2" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "regex", - "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_LogicalDisk/i" - } - }, - 
"children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "regex", - "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_DiskDrive\\s+WHERE\\s+\\(SerialNumber\\s+IS\\s+NOT\\s+NULL\\)\\s+AND\\s+\\(MediaType\\s+LIKE\\s+\\'Fixed\\s+hard\\s+disk\\%\\'\\)/i" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "Size" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368815525 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDiskFreeSpace" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetDiskFreeSpaceEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368918405 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::TotalSize" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::TotalFreeSpace" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::AvailableFreeSpace" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { 
- "type": "feature", - "feature": { - "type": "match", - "match": "get disk size/382eca0b8cf844eaa82f18e35725ccad" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "get disk size/caf381278ac947948b25a47c8c0e29a2" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "regex", - "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_LogicalDisk/i" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "regex", - "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_DiskDrive\\s+WHERE\\s+\\(SerialNumber\\s+IS\\s+NOT\\s+NULL\\)\\s+AND\\s+\\(MediaType\\s+LIKE\\s+\\'Fixed\\s+hard\\s+disk\\%\\'\\)/i" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "Size" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "enumerate services": { - "meta": { - "name": "enumerate services", - "namespace": "host-interaction/service/list", - "authors": ["moritz.raabe@mandiant.com", "michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "System Service Discovery"], - "tactic": "Discovery", - "technique": "System Service Discovery", - "subtechnique": "", - "id": "T1007" - } - ], - "mbc": [], - "references": [], - "examples": ["Practical Malware 
Analysis Lab 05-01.dll_:0x1000B823"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: enumerate services\r\n namespace: host-interaction/service/list\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::System Service Discovery [T1007]\r\n examples:\r\n - Practical Malware Analysis Lab 05-01.dll_:0x1000B823\r\n features:\r\n - or:\r\n - api: advapi32.EnumServicesStatus\r\n - api: advapi32.EnumServicesStatusEx\r\n - api: advapi32.EnumDependentServices\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368814905 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumServicesStatus" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumServicesStatusEx" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368932939 }, - { "type": "absolute", "value": 5368932726 } - ], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "EnumDependentServices" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "enumerate disk properties": { - "meta": { - "name": "enumerate disk properties", - "namespace": "host-interaction/hardware/storage", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [ - 
"https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L518" - ], - "examples": ["al-khaser_x86.exe_:0x4369B0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: enumerate disk properties\r\n namespace: host-interaction/hardware/storage\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires bytes features\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L518\r\n examples:\r\n - al-khaser_x86.exe_:0x4369B0\r\n features:\r\n - and:\r\n - basic block:\r\n - and:\r\n - api: setupapi.SetupDiGetClassDevs\r\n - bytes: 67 E9 36 4D 25 E3 CE 11 BF C1 08 00 2B E1 03 18 = GUID_DEVCLASS_DISKDRIVE\r\n - api: setupapi.SetupDiEnumDeviceInfo\r\n - api: setupapi.SetupDiGetDeviceRegistryProperty\r\n - optional:\r\n - api: setupapi.SetupDiDestroyDeviceInfoList\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815040 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetupDiGetClassDevs" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368927847 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "bytes", - "bytes": "67e9364d25e3ce11bfc108002be10318", - "description": "GUID_DEVCLASS_DISKDRIVE" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368927840 }], - "captures": {} - } - ], - 
"locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368927760 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetupDiEnumDeviceInfo" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368927927 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetupDiGetDeviceRegistryProperty" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368927996 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetupDiDestroyDeviceInfoList" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368928245 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get disk information": { - "meta": { - "name": "get disk information", - "namespace": "host-interaction/hardware/storage", - "authors": ["moritz.raabe@mandiant.com", "anushka.virgaonkar@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [ - { - "parts": ["Discovery", "System Information Discovery"], - "objective": "Discovery", - "behavior": "System Information Discovery", - "method": "", - "id": "E1082" - } - ], - "references": [], - "examples": [ - "9324D1A8AE37A36AE560C37448C9705A:0x4052A0", - "972B219F18379907A045431303F4DA7D:0x41064E" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get disk information\r\n namespace: 
host-interaction/hardware/storage\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n mbc:\r\n - Discovery::System Information Discovery [E1082]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0\r\n - 972B219F18379907A045431303F4DA7D:0x41064E\r\n features:\r\n - or:\r\n - api: kernel32.GetDriveType\r\n - api: kernel32.GetLogicalDrives\r\n - api: kernel32.GetVolumeInformation\r\n - api: kernel32.GetVolumeNameForVolumeMountPoint\r\n - api: kernel32.GetVolumePathNamesForVolumeName\r\n - api: kernel32.GetLogicalDriveStrings\r\n - api: kernel32.QueryDosDevice\r\n - property/read: System.IO.DriveInfo::VolumeLabel\r\n - property/read: System.IO.DriveInfo::DriveType\r\n - property/read: System.IO.DriveInfo::DriveFormat\r\n - property/read: System.IO.DriveInfo::Name\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815050 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetDriveType" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetLogicalDrives" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetVolumeInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetVolumeNameForVolumeMountPoint" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetVolumePathNamesForVolumeName" } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetLogicalDriveStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "QueryDosDevice" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368881902 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::VolumeLabel" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::DriveType" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::DriveFormat" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::Name" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - [ - { "type": "absolute", "value": 5368882832 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "GetDriveType" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetLogicalDrives" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", 
"api": "GetVolumeInformation" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetVolumeNameForVolumeMountPoint" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetVolumePathNamesForVolumeName" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetLogicalDriveStrings" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "QueryDosDevice" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368883201 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::VolumeLabel" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::DriveType" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::DriveFormat" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "property", - "access": "read", - "property": "System.IO.DriveInfo::Name" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for PEB NtGlobalFlag flag": { - "meta": { - "name": "check for PEB NtGlobalFlag flag", - "namespace": 
"anti-analysis/anti-debugging/debugger-detection", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function" }, - "attack": [], - "mbc": [ - { - "parts": [ - "Anti-Behavioral Analysis", - "Debugger Detection", - "Process Environment Block NtGlobalFlag" - ], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "Process Environment Block NtGlobalFlag", - "id": "B0001.036" - } - ], - "references": [ - "Practical Malware Analysis, Chapter 16, p. 355", - "https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm" - ], - "examples": ["Practical Malware Analysis Lab 16-01.exe_:0x403530"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for PEB NtGlobalFlag flag\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: unsupported # requires offset, mnemonic features\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]\r\n references:\r\n - Practical Malware Analysis, Chapter 16, p. 
355\r\n - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm\r\n examples:\r\n - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n features:\r\n - and:\r\n - basic block:\r\n - and:\r\n - match: PEB access\r\n - or:\r\n - and:\r\n - arch: i386\r\n - offset: 0x68 = PEB.NtGlobalFlag\r\n - and:\r\n - arch: amd64\r\n - offset: 0xBC = PEB.NtGlobalFlag\r\n - instruction:\r\n - arch: i386\r\n - mnemonic: add\r\n - offset: 0x68 = PEB.NtGlobalFlag\r\n - instruction:\r\n - arch: amd64\r\n - mnemonic: add\r\n - offset: 0xBC = PEB.NtGlobalFlag\r\n - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815115 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "PEB access" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "peb access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840394 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": 
"PEB access/fca5b275943840729617702ee26edcbc" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "fs access" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 48 } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/b2fc0e71f7cb45c891fdd0a2416f468e" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "characteristic", - "characteristic": "gs access" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840394 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "offset", "offset": 96 } - }, - "children": [], - 
"locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "PEB access/721401aaee98487fbe98d5269bbe5362" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368840336 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "i386" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 104, - "description": "PEB.NtGlobalFlag" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 188, - "description": "PEB.NtGlobalFlag" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840403 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check for PEB NtGlobalFlag flag/b837da6a639b481c9721ac21a5fe6ba1/5a15099436914caa93ca620b517a4f61" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "instruction" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "arch", "arch": "amd64" } - }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "mnemonic", "mnemonic": "add" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840403 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 188, - "description": "PEB.NtGlobalFlag" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368840403 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368840403 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368840336 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "number", - "number": 112, - "description": "(FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)" - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368840426 }, - { "type": "absolute", "value": 5368840477 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "query or enumerate registry value": { - "meta": { - "name": "query or enumerate registry value", - "namespace": "host-interaction/registry", - "authors": [ - "william.ballenthin@mandiant.com", - "michael.hunhoff@mandiant.com", - "anushka.virgaonkar@mandiant.com" - ], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ 
- { - "parts": ["Discovery", "Query Registry"], - "tactic": "Discovery", - "technique": "Query Registry", - "subtechnique": "", - "id": "T1012" - } - ], - "mbc": [ - { - "parts": ["Operating System", "Registry", "Query Registry Value"], - "objective": "Operating System", - "behavior": "Registry", - "method": "Query Registry Value", - "id": "C0036.006" - } - ], - "references": [], - "examples": [ - "BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A", - "Practical Malware Analysis Lab 03-02.dll_:0x100047AD" - ], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: query or enumerate registry value\r\n namespace: host-interaction/registry\r\n authors:\r\n - william.ballenthin@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n - anushka.virgaonkar@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::Query Registry [T1012]\r\n mbc:\r\n - Operating System::Registry::Query Registry Value [C0036.006]\r\n examples:\r\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A\r\n - Practical Malware Analysis Lab 03-02.dll_:0x100047AD\r\n features:\r\n - and:\r\n - optional:\r\n - match: create or open registry key\r\n - or:\r\n - api: advapi32.RegGetValue\r\n - api: advapi32.RegEnumValue\r\n - api: advapi32.RegQueryValue\r\n - api: advapi32.RegQueryValueEx\r\n - api: advapi32.RegQueryMultipleValues\r\n - api: ZwQueryValueKey\r\n - api: ZwEnumerateValueKey\r\n - api: NtQueryValueKey\r\n - api: NtEnumerateValueKey\r\n - api: RtlQueryRegistryValues\r\n - api: SHGetValue\r\n - api: SHEnumValue\r\n - api: SHRegGetInt\r\n - api: SHRegGetPath\r\n - api: SHRegGetValue\r\n - api: SHQueryValueEx\r\n - api: SHRegGetUSValue\r\n - api: SHOpenRegStream\r\n - api: SHRegEnumUSValue\r\n - api: SHOpenRegStream2\r\n - api: SHRegQueryUSValue\r\n - api: SHRegGetBoolUSValue\r\n - api: SHRegGetValueFromHKCUHKLM\r\n - api: SHRegGetBoolValueFromHKCUHKLM\r\n - api: Microsoft.Win32.RegistryKey::GetValue\r\n 
- api: Microsoft.Win32.RegistryKey::GetValueKind\r\n - api: Microsoft.Win32.RegistryKey::GetValueNames\r\n - api: Microsoft.Win32.Registry::GetValue\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815165 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "create or open registry key" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenKeyEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368984936 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenCurrentUser" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegOpenUserClassesRoot" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - 
"success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwOpenKeyTransactedEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwCreateKeyTransacted" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtOpenKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtCreateKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegOpenUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegCreateUSKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": 
"feature", - "feature": { "type": "api", "api": "RtlCreateRegistryKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::OpenSubKey" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::OpenBaseKey" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::OpenRemoteBaseKey" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::CreateSubKey" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368984784 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegGetValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegEnumValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegQueryValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegQueryValueEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368984984 }], - "captures": 
{} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RegQueryMultipleValues" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwQueryValueKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "ZwEnumerateValueKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtQueryValueKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "NtEnumerateValueKey" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "RtlQueryRegistryValues" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHGetValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHEnumValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetInt" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetPath" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - 
"node": { - "type": "feature", - "feature": { "type": "api", "api": "SHQueryValueEx" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetUSValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHOpenRegStream" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegEnumUSValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHOpenRegStream2" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegQueryUSValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetBoolUSValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetValueFromHKCUHKLM" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SHRegGetBoolValueFromHKCUHKLM" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.RegistryKey::GetValue" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::GetValueKind" - } - }, - "children": [], - "locations": [], - 
"captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "api", - "api": "Microsoft.Win32.RegistryKey::GetValueNames" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "Microsoft.Win32.Registry::GetValue" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "modify access privileges": { - "meta": { - "name": "modify access privileges", - "namespace": "host-interaction/process/modify", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Privilege Escalation", "Access Token Manipulation"], - "tactic": "Privilege Escalation", - "technique": "Access Token Manipulation", - "subtechnique": "", - "id": "T1134" - } - ], - "mbc": [], - "references": [], - "examples": ["9324D1A8AE37A36AE560C37448C9705A:0x403BE0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: modify access privileges\r\n namespace: host-interaction/process/modify\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Privilege Escalation::Access Token Manipulation [T1134]\r\n examples:\r\n - 9324D1A8AE37A36AE560C37448C9705A:0x403BE0\r\n features:\r\n - and:\r\n - api: advapi32.AdjustTokenPrivileges\r\n - optional:\r\n - or:\r\n - api: advapi32.LookupPrivilegeValue\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815200 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "AdjustTokenPrivileges" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 
5368985413 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "LookupPrivilegeValue" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368985372 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "find graphical window": { - "meta": { - "name": "find graphical window", - "namespace": "host-interaction/gui/window/find", - "authors": ["moritz.raabe@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Discovery", "Application Window Discovery"], - "tactic": "Discovery", - "technique": "Application Window Discovery", - "subtechnique": "", - "id": "T1010" - } - ], - "mbc": [], - "references": [], - "examples": ["7C843E75D4F02087B932FE280DF9C90C:0x41B180"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: find graphical window\r\n namespace: host-interaction/gui/window/find\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Discovery::Application Window Discovery [T1010]\r\n examples:\r\n - 7C843E75D4F02087B932FE280DF9C90C:0x41B180\r\n features:\r\n - or:\r\n - api: user32.FindWindow\r\n - api: user32.FindWindowEx\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815245 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "FindWindow" } }, - "children": [], - "locations": [ - { "type": "absolute", "value": 
5368944355 }, - { "type": "absolute", "value": 5368944374 } - ], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "FindWindowEx" } }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get number of processor cores": { - "meta": { - "name": "get number of processor cores", - "namespace": "host-interaction/hardware/cpu", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L207" - ], - "examples": ["al-khaser_x86.exe_:0x435BA0"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get number of processor cores\r\n namespace: host-interaction/hardware/cpu\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L207\r\n examples:\r\n - al-khaser_x86.exe_:0x435BA0\r\n features:\r\n - and:\r\n - string: /SELECT\\s+\\*\\s+FROM\\s+Win32_Processor/\r\n - string: \"NumberOfCores\"\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815340 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "NumberOfCores" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368925008 }], - "captures": {} - }, - { - "success": true, - 
"node": { - "type": "feature", - "feature": { - "type": "regex", - "regex": "/SELECT\\s+\\*\\s+FROM\\s+Win32_Processor/" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368924837 }], - "captures": { - "SELECT * FROM Win32_Processor": [{ "type": "absolute", "value": 5368924837 }] - } - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "create mutex": { - "meta": { - "name": "create mutex", - "namespace": "host-interaction/mutex", - "authors": ["moritz.raabe@mandiant.com", "michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [], - "mbc": [ - { - "parts": ["Process", "Create Mutex"], - "objective": "Process", - "behavior": "Create Mutex", - "method": "", - "id": "C0042" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 01-01.dll_:0x10001010"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: create mutex\r\n namespace: host-interaction/mutex\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n mbc:\r\n - Process::Create Mutex [C0042]\r\n examples:\r\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\r\n features:\r\n - or:\r\n - api: kernel32.CreateMutex\r\n - api: kernel32.CreateMutexEx\r\n - api: System.Threading.Mutex::ctor\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815500 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateMutex" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368906981 }], - "captures": {} - }, - { - "success": false, - "node": { "type": "feature", "feature": { "type": "api", "api": "CreateMutexEx" } }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, 
- "node": { - "type": "feature", - "feature": { "type": "api", "api": "System.Threading.Mutex::ctor" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "check for protected handle exception": { - "meta": { - "name": "check for protected handle exception", - "namespace": "anti-analysis/anti-debugging/debugger-detection", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [], - "mbc": [ - { - "parts": ["Anti-Behavioral Analysis", "Debugger Detection", "SetHandleInformation"], - "objective": "Anti-Behavioral Analysis", - "behavior": "Debugger Detection", - "method": "SetHandleInformation", - "id": "B0001.024" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp" - ], - "examples": ["al-khaser_x86.exe_:0x430D20"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: check for protected handle exception\r\n namespace: anti-analysis/anti-debugging/debugger-detection\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n mbc:\r\n - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp\r\n examples:\r\n - al-khaser_x86.exe_:0x430D20\r\n features:\r\n - and:\r\n - or:\r\n - description: SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);\r\n - basic block:\r\n - and:\r\n - count(number(2)): 2 or more\r\n - api: SetHandleInformation\r\n - call:\r\n - and:\r\n - count(number(2)): 2 or more\r\n - api: SetHandleInformation\r\n - api: CloseHandle\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368815500 }, - { - "success": true, - "node": { 
"type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "feature", "feature": { "type": "api", "api": "CloseHandle" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368907024 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "or", - "description": "SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);" - } - }, - "children": [ - { - "success": true, - "node": { - "type": "statement", - "statement": { "type": "subscope", "scope": "basic block" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetHandleInformation" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368907013 }], - "captures": {} - }, - { - "success": true, - "node": { - "type": "statement", - "statement": { - "type": "range", - "min": 2, - "max": 9223372036854775808, - "child": { "type": "number", "number": 2 } - } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368907004 }, - { "type": "absolute", "value": 5368906998 } - ], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368906998 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "match", - "match": "check for protected handle exception/14e241b95d104a0fbfa0db5d508b8e69" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "get MAC address on Windows": { - "meta": { - "name": "get MAC address on Windows", - "namespace": "collection/network", - "authors": [ - "moritz.raabe@mandiant.com", - 
"michael.hunhoff@mandiant.com", - "echernofsky@google.com" - ], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [ - { - "parts": ["Discovery", "System Information Discovery"], - "tactic": "Discovery", - "technique": "System Information Discovery", - "subtechnique": "", - "id": "T1082" - } - ], - "mbc": [], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L128", - "https://evasions.checkpoint.com/techniques/network.html#check-if-mac-address-is-specific" - ], - "examples": ["al-khaser_x64.exe_:0x14001A1BC"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: get MAC address on Windows\r\n namespace: collection/network\r\n authors:\r\n - moritz.raabe@mandiant.com\r\n - michael.hunhoff@mandiant.com\r\n - echernofsky@google.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n att&ck:\r\n - Discovery::System Information Discovery [T1082]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L128\r\n - https://evasions.checkpoint.com/techniques/network.html#check-if-mac-address-is-specific\r\n examples:\r\n - al-khaser_x64.exe_:0x14001A1BC\r\n features:\r\n - and:\r\n - os: windows\r\n - or:\r\n - and:\r\n - api: iphlpapi.GetAdaptersInfo\r\n - or:\r\n - offset: 0x194 = IP_ADAPTER_INFO.Address\r\n - offset: 0x195 = IP_ADAPTER_INFO.Address+1\r\n - offset: 0x196 = IP_ADAPTER_INFO.Address+2\r\n - offset: 0x197 = IP_ADAPTER_INFO.Address+3\r\n - offset: 0x198 = IP_ADAPTER_INFO.Address+4\r\n - offset: 0x199 = IP_ADAPTER_INFO.Address+5\r\n - optional:\r\n - string: \"%02X-%02X-%02X-%02X-%02X-%02X\"\r\n - and:\r\n - api: iphlpapi.GetAdaptersAddresses\r\n - offset: 0x2C = PhysicalAddress\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368816060 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - 
"success": true, - "node": { "type": "feature", "feature": { "type": "os", "os": "windows" } }, - "children": [], - "locations": [{ "type": "no address" }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAdaptersInfo" } - }, - "children": [], - "locations": [ - { "type": "absolute", "value": 5368994669 }, - { "type": "absolute", "value": 5368994549 } - ], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 404, - "description": "IP_ADAPTER_INFO.Address" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368994782 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 405, - "description": "IP_ADAPTER_INFO.Address+1" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 406, - "description": "IP_ADAPTER_INFO.Address+2" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 407, - "description": "IP_ADAPTER_INFO.Address+3" - } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 408, - "description": "IP_ADAPTER_INFO.Address+4" - } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368994795 }], - "captures": {} - }, - { - "success": false, - "node": { - 
"type": "feature", - "feature": { - "type": "offset", - "offset": 409, - "description": "IP_ADAPTER_INFO.Address+5" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "optional" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "string", - "string": "%02X-%02X-%02X-%02X-%02X-%02X" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "GetAdaptersAddresses" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { - "type": "offset", - "offset": 44, - "description": "PhysicalAddress" - } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "set application hook": { - "meta": { - "name": "set application hook", - "namespace": "host-interaction/gui", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "thread" }, - "attack": [], - "mbc": [], - "references": [], - "examples": ["Practical Malware Analysis Lab 12-03.exe_:0x401000"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: set application hook\r\n namespace: host-interaction/gui\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: thread\r\n examples:\r\n - Practical Malware Analysis Lab 12-03.exe_:0x401000\r\n features:\r\n - 
and:\r\n - or:\r\n - api: user32.SetWindowsHookEx\r\n - api: user32.UnhookWindowsHookEx\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368816460 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetWindowsHookEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368956573 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "UnhookWindowsHookEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "log keystrokes via application hook": { - "meta": { - "name": "log keystrokes via application hook", - "namespace": "collection/keylog", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "function", "dynamic": "call" }, - "attack": [ - { - "parts": ["Collection", "Input Capture", "Keylogging"], - "tactic": "Collection", - "technique": "Input Capture", - "subtechnique": "Keylogging", - "id": "T1056.001" - } - ], - "mbc": [ - { - "parts": ["Collection", "Keylogging", "Application Hook"], - "objective": "Collection", - "behavior": "Keylogging", - "method": "Application Hook", - "id": "F0002.001" - } - ], - "references": [], - "examples": ["Practical Malware Analysis Lab 12-03.exe_:0x401000"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: log keystrokes via application hook\r\n namespace: collection/keylog\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: function\r\n dynamic: call\r\n att&ck:\r\n - Collection::Input Capture::Keylogging [T1056.001]\r\n mbc:\r\n - 
Collection::Keylogging::Application Hook [F0002.001]\r\n examples:\r\n - Practical Malware Analysis Lab 12-03.exe_:0x401000\r\n features:\r\n - and:\r\n - match: set application hook\r\n - or:\r\n - number: 13 = WH_KEYBOARD_LL\r\n - number: 2 = WH_KEYBOARD\r\n", - "matches": [ - [ - { "type": "absolute", "value": 5368816460 }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "match", "match": "set application hook" } - }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "and" } }, - "children": [ - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "SetWindowsHookEx" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368956573 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "api", "api": "UnhookWindowsHookEx" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [{ "type": "absolute", "value": 5368816460 }], - "captures": {} - }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 13, "description": "WH_KEYBOARD_LL" } - }, - "children": [], - "locations": [], - "captures": {} - }, - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "number", "number": 2, "description": "WH_KEYBOARD" } - }, - "children": [], - "locations": [{ "type": "absolute", "value": 5368956568 }], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": 
{} - } - ] - ] - }, - "contain a thread local storage (.tls) section": { - "meta": { - "name": "contain a thread local storage (.tls) section", - "namespace": "executable/pe/section/tls", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "file", "dynamic": "file" }, - "attack": [], - "mbc": [], - "references": [], - "examples": ["Practical Malware Analysis Lab 16-02.exe_"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: contain a thread local storage (.tls) section\r\n namespace: executable/pe/section/tls\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: file\r\n dynamic: file\r\n examples:\r\n - Practical Malware Analysis Lab 16-02.exe_\r\n features:\r\n - section: .tls\r\n", - "matches": [ - [ - { "type": "no address" }, - { - "success": true, - "node": { "type": "feature", "feature": { "type": "section", "section": ".tls" } }, - "children": [], - "locations": [{ "type": "absolute", "value": 5369344000 }], - "captures": {} - } - ] - ] - }, - "read raw disk data": { - "meta": { - "name": "read raw disk data", - "namespace": "host-interaction/file-system", - "authors": ["william.ballenthin@mandiant.com"], - "scopes": { "static": "file", "dynamic": "file" }, - "attack": [], - "mbc": [], - "references": [], - "examples": [], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: read raw disk data\r\n namespace: host-interaction/file-system\r\n authors:\r\n - william.ballenthin@mandiant.com\r\n scopes:\r\n static: file\r\n dynamic: file\r\n features:\r\n - or:\r\n - string: \"\\\\\\\\.\\\\PhysicalDrive0\"\r\n - string: \"\\\\\\\\.\\\\C:\"\r\n", - "matches": [ - [ - { "type": "no address" }, - { - "success": true, - "node": { "type": "statement", "statement": { "type": "or" } }, - "children": [ - { - "success": true, - "node": { - "type": "feature", - "feature": { "type": "string", 
"string": "\\\\.\\PhysicalDrive0" } - }, - "children": [], - "locations": [{ "type": "file", "value": 281800 }], - "captures": {} - }, - { - "success": false, - "node": { - "type": "feature", - "feature": { "type": "string", "string": "\\\\.\\C:" } - }, - "children": [], - "locations": [], - "captures": {} - } - ], - "locations": [], - "captures": {} - } - ] - ] - }, - "reference analysis tools strings": { - "meta": { - "name": "reference analysis tools strings", - "namespace": "anti-analysis", - "authors": ["michael.hunhoff@mandiant.com"], - "scopes": { "static": "file", "dynamic": "file" }, - "attack": [], - "mbc": [ - { - "parts": ["Discovery", "Analysis Tool Discovery", "Process detection"], - "objective": "Discovery", - "behavior": "Analysis Tool Discovery", - "method": "Process detection", - "id": "B0013.001" - } - ], - "references": [ - "https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp" - ], - "examples": ["al-khaser_x86.exe_"], - "description": "", - "lib": false, - "is_subscope_rule": false, - "maec": {} - }, - "source": "rule:\r\n meta:\r\n name: reference analysis tools strings\r\n namespace: anti-analysis\r\n authors:\r\n - michael.hunhoff@mandiant.com\r\n scopes:\r\n static: file\r\n dynamic: file\r\n mbc:\r\n - Discovery::Analysis Tool Discovery::Process detection [B0013.001]\r\n references:\r\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp\r\n examples:\r\n - al-khaser_x86.exe_\r\n features:\r\n - or:\r\n - string: /ollydbg(\\.exe)?/i\r\n - string: /ProcessHacker(\\.exe)?/i\r\n - string: /tcpview(\\.exe)?/i\r\n - string: /autoruns(\\.exe)?/i\r\n - string: /autorunsc(\\.exe)?/i\r\n - string: /filemon(\\.exe)?/i\r\n - string: /procmon(\\.exe)?/i\r\n - string: /regmon(\\.exe)?/i\r\n - string: /procexp(\\.exe)?/i\r\n - string: /(?