Summary:


NtAddAtom(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtContinue(>)  30 

NtAllocateLocallyUniqueId(>)  1 
NtGdiHfontCreate(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtQueryInformationFile(>)  30 

NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateSemaphore(>)  7 
NtEnumerateKey(>)  31 

NtClearEvent(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserCallNoParam(>)  7 
NtCreateEvent(>)  32 

NtConnectPort(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryVirtualMemory(>)  8 
NtOpenThreadToken(>)  33 

NtDelayExecution(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtWriteVirtualMemory(>)  8 
NtReleaseMutant(>)  38 

NtDuplicateToken(>)  1 
NtSetEvent(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtUnmapViewOfSection(>)  38 

NtGdiCreateBitmap(>)  1 
NtTestAlert(>)  2 
NtUserGetWindowDC(>)  10 
NtQueryInformationProcess(>)  39 

NtGdiCreateHalftonePalette(>)  1 
NtUserCloseDesktop(>)  2 
NtSetValueKey(>)  11 
NtProtectVirtualMemory(>)  40 

NtGdiCreatePaletteInternal(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserCallOneParam(>)  11 
NtQueryDefaultLocale(>)  42 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserDestroyWindow(>)  2 
NtUserSystemParametersInfo(>)  11 
NtUserUnregisterClass(>)  47 

NtGdiDoPalette(>)  1 
NtUserGetObjectInformation(>)  2 
NtWriteFile(>)  11 
NtUserFindExistingCursorIcon(>)  49 

NtGdiInit(>)  1 
NtUserMessageCall(>)  2 
NtOpenProcessToken(>)  14 
NtCreateSection(>)  56 

NtGdiQueryFontAssocInfo(>)  1 
NtCreateThread(>)  3 
NtRequestWaitReplyPort(>)  14 
NtUserRegisterClassExWOW(>)  65 

NtGdiSelectBitmap(>)  1 
NtDuplicateObject(>)  3 
NtNotifyChangeKey(>)  15 
NtWaitForSingleObject(>)  66 

NtOpenKeyedEvent(>)  1 
NtOpenMutant(>)  3 
NtQueryVolumeInformationFile(>)  15 
NtOpenSection(>)  74 

NtQueryFullAttributesFile(>)  1 
NtOpenProcess(>)  3 
NtCreateKey(>)  17 
NtReadFile(>)  77 

NtQueryInformationThread(>)  1 
NtResumeThread(>)  3 
NtDeviceIoControlFile(>)  17 
NtMapViewOfSection(>)  80 

NtQueryObject(>)  1 
NtTerminateProcess(>)  3 
NtFsControlFile(>)  17 
NtOpenFile(>)  88 

NtQueryPerformanceCounter(>)  1 
NtUserOpenDesktop(>)  3 
NtFlushInstructionCache(>)  19 
NtQuerySystemInformation(>)  89 

NtQuerySystemTime(>)  1 
NtUserRemoveProp(>)  3 
NtUserRegisterWindowMessage(>)  19 
NtUserGetClassInfo(>)  91 

NtSecureConnectPort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryDirectoryFile(>)  20 
NtAllocateVirtualMemory(>)  94 

NtUserBuildNameList(>)  1 
NtCreateMutant(>)  4 
NtSetInformationProcess(>)  21 
NtOpenProcessTokenEx(>)  110 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtEnumerateValueKey(>)  23 
NtOpenThreadTokenEx(>)  110 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtFreeVirtualMemory(>)  23 
NtQueryInformationToken(>)  126 

NtUserGetForegroundWindow(>)  1 
NtQuerySecurityObject(>)  4 
NtQueryDebugFilterState(>)  24 
NtQueryKey(>)  129 

NtUserGetGUIThreadInfo(>)  1 
NtGdiGetStockObject(>)  5 
NtRaiseException(>)  25 
NtUserQueryWindow(>)  134 

NtUserGetThreadDesktop(>)  1 
NtReadVirtualMemory(>)  5 
NtSetInformationFile(>)  25 
NtQueryAttributesFile(>)  147 

NtUserSetProp(>)  1 
NtSetInformationObject(>)  5 
NtCreateFile(>)  27 
NtQueryValueKey(>)  223 

NtAccessCheck(>)  2 
NtUserBuildHwndList(>)  5 
NtSetInformationThread(>)  27 
NtOpenKey(>)  475 

NtCreateIoCompletion(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtQuerySection(>)  28 
NtClose(>)  570 

NtCreateProcessEx(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtReleaseSemaphore(>)  28 

Trace:
 00001   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   368   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   368   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   368   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   368   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   368   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   368   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   368   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   368   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   368   NtClose  (12, ... ) == 0x0
 00014   368   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   368   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   368   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   368   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   368   NtClose  (16, ... ) == 0x0
 00021   368   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   368   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   368   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   368   NtClose  (16, ... ) == 0x0
 00026   368   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   368   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   368   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   368   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 368, 1487, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 316, 368, 1487, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 368, 1487, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   368   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   368   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   368   NtClose  (16, ... ) == 0x0
 00036   368   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   368   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   368   NtClose  (28, ... ) == 0x0
 00041   368   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   368   NtClose  (28, ... ) == 0x0
 00045   368   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   368   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   368   NtClose  (28, ... ) == 0x0
 00049   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   368   NtClose  (28, ... ) == 0x0
 00052   368   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 368, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 316, 368, 1488, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 368, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   368   NtProtectVirtualMemory  (-1, (0x93e000), 4096, 4, ... (0x93e000), 4096, 128, ) == 0x0
 00057   368   NtProtectVirtualMemory  (-1, (0x93e000), 4096, 128, ... (0x93e000), 4096, 4, ) == 0x0
 00058   368   NtFlushInstructionCache  (-1, 9691136, 4096, ... ) == 0x0
 00059   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00060   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   368   NtClose  (28, ... ) == 0x0
 00062   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   368   NtClose  (28, ... ) == 0x0
 00065   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   368   NtClose  (28, ... ) == 0x0
 00068   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   368   NtClose  (28, ... ) == 0x0
 00071   368   NtProtectVirtualMemory  (-1, (0x93e000), 4096, 4, ... (0x93e000), 4096, 64, ) == 0x0
 00072   368   NtProtectVirtualMemory  (-1, (0x93e000), 4096, 64, ... (0x93e000), 4096, 4, ) == 0x0
 00073   368   NtFlushInstructionCache  (-1, 9691136, 4096, ... ) == 0x0
 00074   368   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   368   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   368   NtClose  (28, ... ) == 0x0
 00077   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   368   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   368   NtClose  (28, ... ) == 0x0
 00080   368   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   368   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   368   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   368   NtClose  (28, ... ) == 0x0
 00085   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   368   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   368   NtClose  (28, ... ) == 0x0
 00088   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   368   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 368, 1489, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 316, 368, 1489, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 368, 1489, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   368   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x940000), 0x0, 1060864, ) == 0x0
 00095   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   368   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   368   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   368   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   368   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   368   NtClose  (-2147482020, ... ) == 0x0
 00101   368   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   368   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   368   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   368   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   368   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   368   NtClose  (-2147482020, ... ) == 0x0
 00107   368   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   368   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   368   NtClose  (-2147482020, ... ) == 0x0
 00110   368   NtQueryDefaultLocale  (0, -133330420, ... ) == 0x0
 00111   368   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   368   NtUserCallNoParam  (24, ... ) == 0x0
 00113   368   NtGdiCreateCompatibleDC  (0, ...
 00114   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   368   NtGdiCreateCompatibleDC  ... ) == 0x170103db
 00115   368   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   368   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   368   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x16050382
 00118   368   NtGdiCreateSolidBrush  (0, 0, ...
 00119   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 13959168, 4096, ) == 0x0
 00118   368   NtGdiCreateSolidBrush  ... ) == 0x1a100320
 00120   368   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   368   NtGdiCreateCompatibleDC  (0, ... ) == 0x4401031a
 00122   368   NtGdiSelectBitmap  (1140917018, 369427330, ... ) == 0x185000f
 00123   368   NtUserGetThreadDesktop  (368, 0, ... ) == 0x2c
 00124   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   368   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   368   NtClose  (52, ... ) == 0x0
 00127   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   368   NtAllocateVirtualMemory  (-1, 10907648, 0, 4096, 4096, 32, ... 10907648, 4096, ) == 0x0
 00142   368   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   368   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   368   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   368   NtCallbackReturn  (0, 0, 0, ...
 00152   368   NtGdiInit  (... ) == 0x1
 00153   368   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   368   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   368   NtTestAlert  (... ) == 0x0
 00156   368   NtContinue  (1244464, 1, ...
 00157   368   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x93e0cc,}, 4, ... ) == 0x0
 00158   368   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14024704, 8192, ) == 0x0
 00159   368   NtAllocateVirtualMemory  (-1, 0, 0, 3072, 4096, 64, ... 14090240, 4096, ) == 0x0
 00160   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00161   368   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14155776, 4096, ) == 0x0
 00162   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00163   368   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14221312, 4096, ) == 0x0
 00164   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00165   368   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14286848, 4096, ) == 0x0
 00166   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00167   368   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 64, ... 14352384, 4096, ) == 0x0
 00168   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00169   368   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14417920, 8192, ) == 0x0
 00170   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00171   368   NtAllocateVirtualMemory  (-1, 0, 0, 94430, 4096, 64, ... 14483456, 98304, ) == 0x0
 00172   368   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00173   368   NtContinue  (1242868, 0, ...
 00174   368   NtAllocateVirtualMemory  (-1, 0, 0, 4238336, 4096, 64, ... 14614528, 4239360, ) == 0x0
 00175   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 81920, 4096, 4, ... 1327104, 81920, ) == 0x0
 00176   368   NtFreeVirtualMemory  (-1, (0x144000), 81920, 16384, ... (0x144000), 81920, ) == 0x0
 00177   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00178   368   NtAllocateVirtualMemory  (-1, 1331200, 0, 20480, 4096, 4, ... 1331200, 20480, ) == 0x0
 00179   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00180   368   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   368   NtClose  (52, ... ) == 0x0
 00182   368   NtAllocateVirtualMemory  (-1, 1351680, 0, 73728, 4096, 4, ... 1351680, 73728, ) == 0x0
 00183   368   NtFreeVirtualMemory  (-1, (0x144000), 98304, 16384, ... (0x144000), 98304, ) == 0x0
 00184   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00185   368   NtAllocateVirtualMemory  (-1, 1331200, 0, 20480, 4096, 4, ... 1331200, 20480, ) == 0x0
 00186   368   NtAllocateVirtualMemory  (-1, 1351680, 0, 65536, 4096, 4, ... 1351680, 65536, ) == 0x0
 00187   368   NtFreeVirtualMemory  (-1, (0x144000), 90112, 16384, ... (0x144000), 90112, ) == 0x0
 00188   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00189   368   NtAllocateVirtualMemory  (-1, 1331200, 0, 16384, 4096, 4, ... 1331200, 16384, ) == 0x0
 00190   368   NtAllocateVirtualMemory  (-1, 1347584, 0, 57344, 4096, 4, ... 1347584, 57344, ) == 0x0
 00191   368   NtFreeVirtualMemory  (-1, (0x144000), 77824, 16384, ... (0x144000), 77824, ) == 0x0
 00192   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00193   368   NtAllocateVirtualMemory  (-1, 1331200, 0, 16384, 4096, 4, ... 1331200, 16384, ) == 0x0
 00194   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00195   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00196   368   NtClose  (52, ... ) == 0x0
 00197   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00198   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 18874368, 65536, ) == 0x0
 00199   368   NtAllocateVirtualMemory  (-1, 18874368, 0, 4096, 4096, 4, ... 18874368, 4096, ) == 0x0
 00200   368   NtAllocateVirtualMemory  (-1, 18878464, 0, 8192, 4096, 4, ... 18878464, 8192, ) == 0x0
 00201   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00202   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1210000), 0x0, 12288, ) == 0x0
 00203   368   NtClose  (52, ... ) == 0x0
 00204   368   NtAllocateVirtualMemory  (-1, 18886656, 0, 4096, 4096, 4, ... 18886656, 4096, ) == 0x0
 00205   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00207   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == 0x0
 00209   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00210   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00211   368   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00212   368   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00213   368   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00214   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00216   368   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00217   368   NtClose  (64, ... ) == 0x0
 00218   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00219   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00220   368   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00221   368   NtClose  (64, ... ) == 0x0
 00222   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00223   368   NtClose  (60, ... ) == 0x0
 00224   368   NtClose  (52, ... ) == 0x0
 00225   368   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00226   368   NtClose  (56, ... ) == 0x0
 00227   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == 0x0
 00231   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00232   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00233   368   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00234   368   NtClose  (56, ... ) == 0x0
 00235   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00236   368   NtClose  (52, ... ) == 0x0
 00237   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00238   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00239   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00240   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00241   368   NtClose  (52, ... ) == 0x0
 00242   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00243   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00244   368   NtClose  (52, ... ) == 0x0
 00245   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00247   368   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00248   368   NtClose  (52, ... ) == 0x0
 00249   368   NtQueryDefaultUILanguage  (1240352, ...
 00250   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00251   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00252   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00253   368   NtClose  (-2147482020, ... ) == 0x0
 00254   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00255   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00256   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00257   368   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   368   NtClose  (-2147482032, ... ) == 0x0
 00259   368   NtClose  (-2147482020, ... ) == 0x0
 00249   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00260   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261   368   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00262   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00263   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00264   368   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1220000), 0x0, 8323072, ) == 0x0
 00265   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   368   NtQueryDefaultUILanguage  (2013024600, ...
 00267   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00269   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   368   NtClose  (-2147482020, ... ) == 0x0
 00271   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00272   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00274   368   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   368   NtClose  (-2147482032, ... ) == 0x0
 00276   368   NtClose  (-2147482020, ... ) == 0x0
 00266   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   368   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00278   368   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00279   368   NtQueryDefaultLocale  (1, 1238388, ... ) == 0x0
 00280   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1507, 0}  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" )  ) == 0x0
 00282   368   NtClose  (52, ... ) == 0x0
 00283   368   NtClose  (56, ... ) == 0x0
 00284   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00285   368   NtUnmapViewOfSection  (-1, 0x12efcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00286   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00287   368   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00289   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00290   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237472, ... ) }, 1237472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00292   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00293   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00294   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238064, ... ) }, 1238064, ... ) == 0x0
 00295   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00296   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00297   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00298   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00299   368   NtClose  (52, ... ) == 0x0
 00300   368   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1220000), 0x0, 921600, ) == 0x0
 00301   368   NtClose  (60, ... ) == 0x0
 00302   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00303   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00304   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00305   368   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00306   368   NtClose  (60, ... ) == 0x0
 00307   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00308   368   NtClose  (52, ... ) == 0x0
 00309   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00310   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00311   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00312   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00313   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00314   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00315   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00316   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00317   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00318   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00319   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00320   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00321   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00322   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00323   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00324   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00325   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00326   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00327   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00328   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00329   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00330   368   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239248, ... ) , 42, 1239248, ... ) == 0x0
 00331   368   NtQueryDefaultUILanguage  (1237964, ...
 00332   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00333   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00334   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00335   368   NtClose  (-2147482020, ... ) == 0x0
 00336   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00337   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00339   368   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   368   NtClose  (-2147482032, ... ) == 0x0
 00341   368   NtClose  (-2147482020, ... ) == 0x0
 00331   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00342   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00343   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236816, ... ) }, 1236816, ... ) == 0x0
 00344   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00345   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00346   368   NtClose  (52, ... ) == 0x0
 00347   368   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1220000), 0x0, 4096, ) == 0x0
 00348   368   NtClose  (60, ... ) == 0x0
 00349   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00350   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236456, ... ) }, 1236456, ... ) == 0x0
 00351   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237156,  (0x80100080, {24, 0, 0x40, 0, 1237156, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00352   368   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00353   368   NtClose  (60, ... ) == 0x0
 00354   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1220000), {0, 0}, 4096, ) == 0x0
 00355   368   NtClose  (52, ... ) == 0x0
 00356   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00357   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00358   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00359   368   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1220000), 0x0, 4096, ) == 0x0
 00360   368   NtQueryInformationFile  (52, 1236776, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00361   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00362   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1508, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1508, 0}  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1508, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" )  ) == 0x0
 00363   368   NtClose  (52, ... ) == 0x0
 00364   368   NtClose  (60, ... ) == 0x0
 00365   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00366   368   NtUnmapViewOfSection  (-1, 0x12e678, ... ) == STATUS_NOT_MAPPED_VIEW
 00367   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00368   368   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00369   368   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00370   368   NtUserGetDC  (0, ... ) == 0x1010050
 00371   368   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00372   368   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00373   368   NtUserSystemParametersInfo  (66, 12, 1239268, 0, ... ) == 0x1
 00374   368   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00375   368   NtAccessCheck  (1329520, 60, 0x1, 1238672, 1238616, 56, 1238700, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00376   368   NtClose  (60, ... ) == 0x0
 00377   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00378   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00379   368   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00380   368   NtClose  (60, ... ) == 0x0
 00381   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00382   368   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00383   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00384   368   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   368   NtClose  (52, ... ) == 0x0
 00386   368   NtUserSystemParametersInfo  (41, 500, 1238768, 0, ... ) == 0x1
 00387   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00388   368   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00390   368   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391   368   NtClose  (64, ... ) == 0x0
 00392   368   NtClose  (52, ... ) == 0x0
 00393   368   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00394   368   NtUserSystemParametersInfo  (4130, 0, 1239292, 0, ... ) == 0x1
 00395   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00396   368   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00397   368   NtClose  (52, ... ) == 0x0
 00398   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00399   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc03b
 00400   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc03d
 00401   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00402   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc03f
 00403   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00404   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc041
 00405   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00406   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc043
 00407   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc045
 00408   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00409   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc047
 00410   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00411   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc049
 00412   368   NtUserGetClassInfo  (1905590272, 1239188, 1239140, 1239216, 0, ... ) == 0xc049
 00413   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00414   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc04b
 00415   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00416   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc04d
 00417   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00418   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc04f
 00419   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc051
 00420   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00421   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc053
 00422   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00423   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc055
 00424   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc057
 00425   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00426   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc059
 00427   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10013
 00428   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc05b
 00429   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00430   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc05d
 00431   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00432   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc05f
 00433   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00434   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc017
 00435   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00436   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc019
 00437   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10013
 00438   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc018
 00439   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00440   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc01a
 00441   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00442   368   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810dc01c
 00443   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00444   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ...
 00445   368   NtAllocateVirtualMemory  (-1, 10911744, 0, 4096, 4096, 32, ... 10911744, 4096, ) == 0x0
 00444   368   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00446   368   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00447   368   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc01b
 00448   368   NtUserFindExistingCursorIcon  (1238568, 1238584, 1239152, ... ) == 0x10011
 00449   368   NtUserRegisterClassExWOW  (1239080, 1239160, 1239144, 1239176, 0, 384, 0, ... ) == 0x810dc068
 00450   368   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00451   368   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810dc06a
 00452   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00453   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00454   368   NtClose  (52, ... ) == 0x0
 00455   368   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 52, ) == 0x0
 00456   368   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00457   368   NtClose  (52, ... ) == 0x0
 00458   368   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00459   368   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00460   368   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00461   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00462   368   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463   368   NtClose  (52, ... ) == 0x0
 00464   368   NtUserSystemParametersInfo  (41, 500, 1239928, 0, ... ) == 0x1
 00465   368   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00466   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00467   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00468   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc03b
 00469   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00470   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc03d
 00471   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00472   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00473   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc03f
 00474   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00475   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00476   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc041
 00477   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00478   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00479   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc043
 00480   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00481   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc045
 00482   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00483   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00484   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc047
 00485   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00486   368   NtUserFindExistingCursorIcon  (1239716, 1239732, 1240300, ... ) == 0x10011
 00487   368   NtUserRegisterClassExWOW  (1240168, 1240248, 1240232, 1240264, 0, 384, 0, ... ) == 0x810dc049
 00488   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00489   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00490   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc04b
 00491   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00492   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00493   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc04d
 00494   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00495   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00496   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc04f
 00497   368   NtUserGetClassInfo  (1999896576, 1240340, 1240292, 1240368, 0, ... ) == 0x0
 00498   368   NtUserRegisterClassExWOW  (1240176, 1240256, 1240240, 1240272, 0, 384, 0, ... ) == 0x810dc051
 00499   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00500   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00501   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc053
 00502   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00503   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00504   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc055
 00505   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc057
 00506   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00507   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00508   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc059
 00509   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00510   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10013
 00511   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc05b
 00512   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00513   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00514   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc05d
 00515   368   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00516   368   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00517   368   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810dc05f
 00518   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03b
 00519   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03d
 00520   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03f
 00521   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc041
 00522   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc043
 00523   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc045
 00524   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc047
 00525   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc049
 00526   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04b
 00527   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04d
 00528   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04f
 00529   368   NtUserGetClassInfo  (1999896576, 1242092, 1242044, 1242120, 0, ... ) == 0xc051
 00530   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc053
 00531   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc055
 00532   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc059
 00533   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05b
 00534   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05d
 00535   368   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05f
 00536   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00537   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00538   368   NtClose  (52, ... ) == 0x0
 00539   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00540   368   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00541   368   NtClose  (52, ... ) == 0x0
 00542   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00543   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00544   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00545   368   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00546   368   NtClose  (52, ... ) == 0x0
 00547   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00548   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00549   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00550   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00551   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00552   368   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00553   368   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   368   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   368   NtClose  (52, ... ) == 0x0
 00556   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00557   368   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   368   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559   368   NtClose  (52, ... ) == 0x0
 00560   368   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00561   368   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00562   368   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00563   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564   368   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00565   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00566   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00567   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00568   368   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00569   368   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0
 00570   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == 0x0
 00574   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00575   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00576   368   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00577   368   NtClose  (68, ... ) == 0x0
 00578   368   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00579   368   NtClose  (72, ... ) == 0x0
 00580   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00581   368   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00582   368   NtClose  (72, ... ) == 0x0
 00583   368   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 72, ) == 0x0
 00584   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00585   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 76, ) }, ... 76, ) == 0x0
 00586   368   NtNotifyChangeKey  (76, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00587   368   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00588   368   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00589   368   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00590   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == 0x0
 00594   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00595   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00596   368   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00597   368   NtClose  (88, ... ) == 0x0
 00598   368   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00599   368   NtClose  (92, ... ) == 0x0
 00600   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == 0x0
 00604   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00605   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00606   368   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00607   368   NtClose  (92, ... ) == 0x0
 00608   368   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00609   368   NtClose  (88, ... ) == 0x0
 00610   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00611   368   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19136512, 262144, ) == 0x0
 00612   368   NtAllocateVirtualMemory  (-1, 19136512, 0, 4096, 4096, 4, ... 19136512, 4096, ) == 0x0
 00613   368   NtAllocateVirtualMemory  (-1, 19140608, 0, 8192, 4096, 4, ... 19140608, 8192, ) == 0x0
 00614   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00615   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00616   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00617   368   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00618   368   NtClose  (88, ... ) == 0x0
 00619   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00620   368   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00621   368   NtClose  (88, ... ) == 0x0
 00622   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00623   368   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00624   368   NtClose  (88, ... ) == 0x0
 00625   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   368   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1237260, 0,  (0x1f0003, {24, 52, 0x80, 1237260, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00627   368   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 00628   368   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00629   368   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 00630   368   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00631   368   NtQueryDefaultUILanguage  (1235496, ...
 00632   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00633   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 00634   368   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00635   368   NtClose  (-2147482040, ... ) == 0x0
 00636   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00637   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   368   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00639   368   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00640   368   NtClose  (-2147482044, ... ) == 0x0
 00641   368   NtClose  (-2147482040, ... ) == 0x0
 00631   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00642   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00644   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00645   368   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1280000), 0x0, 593920, ) == 0x0
 00646   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647   368   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00648   368   NtQueryDefaultLocale  (1, 1233532, ... ) == 0x0
 00649   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1578, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1578, 0}  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1578, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" )  ) == 0x0
 00651   368   NtClose  (96, ... ) == 0x0
 00652   368   NtClose  (100, ... ) == 0x0
 00653   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00654   368   NtUnmapViewOfSection  (-1, 0x12dcd4, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   368   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00658   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00659   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1232072, ... ) }, 1232072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00660   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00661   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00662   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00663   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1232664, ... ) }, 1232664, ... ) == 0x0
 00664   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00665   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00666   368   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00667   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == 0x0
 00671   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00672   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00673   368   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00674   368   NtClose  (104, ... ) == 0x0
 00675   368   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00676   368   NtClose  (108, ... ) == 0x0
 00677   368   NtAllocateVirtualMemory  (-1, 18890752, 0, 8192, 4096, 4, ... 18890752, 8192, ) == 0x0
 00678   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00680   368   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   368   NtClose  (108, ... ) == 0x0
 00682   368   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00683   368   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00684   368   NtClose  (108, ... ) == 0x0
 00685   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 00686   368   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00687   368   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00688   368   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00689   368   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00690   368   NtClose  (108, ... ) == 0x0
 00691   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 00692   368   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00693   368   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00694   368   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00695   368   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00696   368   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00697   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236708, ... ) }, 1236708, ... ) == 0x0
 00698   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00699   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00700   368   NtClose  (104, ... ) == 0x0
 00701   368   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 135168, ) == 0x0
 00702   368   NtClose  (112, ... ) == 0x0
 00703   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00704   368   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00705   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237596, ... ) }, 1237596, ... ) == 0x0
 00706   368   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238264, ... ) }, 1238264, ... ) == 0x0
 00707   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238120,  (0x80100080, {24, 0, 0x40, 0, 1238120, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00708   368   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00709   368   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 135168, ) == 0x0
 00710   368   NtQueryDefaultLocale  (1, 1237928, ... ) == 0x0
 00711   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00712   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00713   368   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00714   368   NtQueryInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00715   368   NtSetInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00716   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00717   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00718   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00719   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00720   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00721   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00722   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00723   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00724   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00725   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00726   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00727   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00728   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00729   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00730   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00731   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00732   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00733   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00734   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00735   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00736   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00737   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00738   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00739   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00740   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00741   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00742   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00743   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00744   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00745   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00746   368   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00747   368   NtQueryInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00748   368   NtSetInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00749   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 00750   368   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 00751   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00752   368   NtClose  (104, ... ) == 0x0
 00753   368   NtClose  (112, ... ) == 0x0
 00754   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236652, ... ) }, 1236652, ... ) == 0x0
 00755   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00756   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 00757   368   NtClose  (112, ... ) == 0x0
 00758   368   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 135168, ) == 0x0
 00759   368   NtClose  (104, ... ) == 0x0
 00760   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00761   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236968, ... ) }, 1236968, ... ) == 0x0
 00762   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00763   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 00764   368   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00765   368   NtClose  (104, ... ) == 0x0
 00766   368   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 00767   368   NtClose  (112, ... ) == 0x0
 00768   368   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00769   368   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00770   368   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00771   368   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00772   368   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00773   368   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00774   368   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00775   368   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00776   368   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00777   368   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00778   368   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00779   368   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00780   368   NtAllocateVirtualMemory  (-1, 1359872, 0, 20480, 4096, 4, ... 1359872, 20480, ) == 0x0
 00781   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00782   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00783   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00784   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00785   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00786   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00787   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00788   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00789   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00790   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00791   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00792   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00793   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00794   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00795   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00796   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00797   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00798   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00799   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00800   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00801   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00802   368   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00803   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235920, ... ) }, 1235920, ... ) == 0x0
 00804   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236652,  (0x80100080, {24, 0, 0x40, 0, 1236652, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00805   368   NtQueryVolumeInformationFile  (112, 1236812, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00806   368   NtQueryInformationFile  (112, 1236704, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00807   368   NtQueryInformationFile  (112, 1236996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00808   368   NtClose  (112, ... ) == 0x0
 00809   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235412, ... ) }, 1235412, ... ) == 0x0
 00810   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236144,  (0x80100080, {24, 0, 0x40, 0, 1236144, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00811   368   NtQueryVolumeInformationFile  (112, 1236304, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00812   368   NtQueryInformationFile  (112, 1236196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00813   368   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00814   368   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 135168, ) == 0x0
 00815   368   NtQueryDefaultLocale  (1, 1236284, ... ) == 0x0
 00816   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00817   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00818   368   NtQueryDefaultLocale  (1, 1236284, ... ) == 0x0
 00819   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00820   368   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00821   368   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00822   368   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00823   368   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00824   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00825   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00826   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00827   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00828   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00829   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00830   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00831   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00832   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00833   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00834   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00835   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00836   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00837   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00838   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00839   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00840   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00841   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00842   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00843   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00844   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00845   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00846   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00847   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00848   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00849   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00850   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00851   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00852   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00853   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00854   368   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00855   368   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00856   368   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00857   368   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00858   368   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00859   368   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 00860   368   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 00861   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00862   368   NtClose  (104, ... ) == 0x0
 00863   368   NtClose  (112, ... ) == 0x0
 00864   368   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 00865   368   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00866   368   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00867   368   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00868   368   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00869   368   NtClose  (112, ... ) == 0x0
 00870   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   368   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00872   368   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 00873   368   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 00874   368   NtClose  (112, ... ) == 0x0
 00875   368   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 00876   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 00877   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00878   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00879   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00880   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00881   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00882   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00883   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00884   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00885   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00886   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\276\347\254\241\210r\300\213\374\264=w\244\233\260\315\10m\234YUKl\203i\264\367\252-\360\366s\2607\257\177\353m\343K\242\211\261\300\333K\351\4\252\255\245T\322\10\241\266\274\332\276l\224hk\35\245\354\345m\361\357\22:\\24\271\264\1\226\241\212", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\276\347\254\241\210r\300\213\374\264=w\244\233\260\315\10m\234YUKl\203i\264\367\252-\360\366s\2607\257\177\353m\343K\242\211\261\300\333K\351\4\252\255\245T\322\10\241\266\274\332\276l\224hk\35\245\354\345m\361\357\22:\\24\271\264\1\226\241\212", 80, ... ) , 80, ... ) == 0x0
 00887   368   NtClose  (-2147482040, ... ) == 0x0
 00877   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\31&~\26mv0\213&\353-\373XD\370E\2\13\32:"\273\27m\253\307\37\254\214\234\373Di\371\204\242\33>\305\341\301\273\31\362L\343\26\232\211\20^f\3\242\376G\337\244\276\2574\2465\320\211\200\340M\10\270_\10\17\340\257?\2742\12IN\20>u9d\336Uce?R\225S\32\207R\222&\210\353\337\212\27\305\\253\201\376zf\375\207\260/\371\336CUQ\15M\233e\200A\221o\372\342\322\13$6b\203\37$\227\365yb\263.\200\312\234/r 4\205\353(\2640\7\317]w@\11p u\235\237\22\14\370}\276\234\13@]\360ZCMwz\231\333b"\305\355=\353\233cu\315 ab\202\13\16\216\344\213\215\202Y&\274l\256Q\345\244\334\31Hd6\3112\234\332R\246d\0\261\363\340\222\332\326g9\237f\231\364\21U,u\254\236_\231X\210\235\230, ) \273\27m\253\307\37\254\214\234\373Di\371\204\242\33>\305\341\301\273\31\362L\343\26\232\211\20^f\3\242\376G\337\244\276\2574\2465\320\211\200\340M\10\270_\10\17\340\257?\2742\12IN\20>u9d\336Uce?R\225S\32\207R\222&\210\353\337\212\27\305\\253\201\376zf\375\207\260/\371\336CUQ\15M\233e\200A\221o\372\342\322\13$6b\203\37$\227\365yb\263.\200\312\234/r 4\205\353(\2640\7\317]w@\11p u\235\237\22\14\370}\276\234\13@]\360ZCMwz\231\333b ... {status=0x0, info=256}, "\31&~\26mv0\213&\353-\373XD\370E\2\13\32:"\273\27m\253\307\37\254\214\234\373Di\371\204\242\33>\305\341\301\273\31\362L\343\26\232\211\20^f\3\242\376G\337\244\276\2574\2465\320\211\200\340M\10\270_\10\17\340\257?\2742\12IN\20>u9d\336Uce?R\225S\32\207R\222&\210\353\337\212\27\305\\253\201\376zf\375\207\260/\371\336CUQ\15M\233e\200A\221o\372\342\322\13$6b\203\37$\227\365yb\263.\200\312\234/r 4\205\353(\2640\7\317]w@\11p u\235\237\22\14\370}\276\234\13@]\360ZCMwz\231\333b"\305\355=\353\233cu\315 ab\202\13\16\216\344\213\215\202Y&\274l\256Q\345\244\334\31Hd6\3112\234\332R\246d\0\261\363\340\222\332\326g9\237f\231\364\21U,u\254\236_\231X\210\235\230, ) , ) == 0x0
 00888   368   NtClose  (108, ... ) == 0x0
 00889   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\21\310\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00890   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00891   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00892   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00893   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00894   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00895   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00896   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00897   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00898   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "v\32\223(,#\0\254\14\\223\16\356\33\331\346\226\364\325/p2/\270\333X\10m\337\242l\257.\277\24?[{{\235]\371.\222\313\315{\336^\363G\205\337\14\225F.\334G\25\332\254\343r\375)\23\205.\211\30tx\255\3\303\373N\233", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "v\32\223(,#\0\254\14\\223\16\356\33\331\346\226\364\325/p2/\270\333X\10m\337\242l\257.\277\24?[{{\235]\371.\222\313\315{\336^\363G\205\337\14\225F.\334G\25\332\254\343r\375)\23\205.\211\30tx\255\3\303\373N\233", 80, ... ) , 80, ... ) == 0x0
 00899   368   NtClose  (-2147482040, ... ) == 0x0
 00889   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\235_#\20$\270R\320v\37Lhb,\12\21 <\200R\243\346\265\3\246\323\247X\37\320\344\301a\226\202\257y\332\332\360\5F\362P\230\277\366K\314C\303\26!\262\226\361\306}}\237\205\363\361B\276\3'\266\26\255\177\330\302\216\370\230\206E\217!\26V\14\3\352*\204}5\325Z\364\205\311'\237\226\335\27\373\326;\207{\262b#1z\324\362@\27=iR\344*\220\12\314\352Y\36\272\310\335h#\344\262_e\234\214\17\210\17\224\241p\17\370\220\210\234\231P\315g6"s\235\364\20ab\207=\274\10\357\276\337\305:\202\242p\337\0\204\267\275\267\23\23\200\347\221\326? \230D\212\2.\365\0[\20)\203sg6L5\374\331k\355\250B*\5\35%\3447\202\276\\353\257\261\355\375i\326\5\230\345\322\37\4\3150|\325\2523\355.\300\377\355\367\2744\266\32x\337tL\6\276N\304.\346u\213", ) s\235\364\20ab\207=\274\10\357\276\337\305:\202\242p\337\0\204\267\275\267\23\23\200\347\221\326? \230D\212\2.\365\0[\20)\203sg6L5\374\331k\355\250B*\5\35%\3447\202\276\\353\257\261\355\375i\326\5\230\345\322\37\4\3150|\325\2523\355.\300\377\355\367\2744\266\32x\337tL\6\276N\304.\346u\213", ) == 0x0
 00900   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00901   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00902   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00903   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00904   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00905   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00906   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00907   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00908   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00909   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\373\335\23m%\226\236\2\354\332\276F*\213\372\263\215\0\6\4dr\266v\300\310\325\78\327(\346m+\332\300\346\334\366\225\244\330\10\304\221\220v4\360\334;\321=\11#\224,\2143\372\315\376\343:w\224F\245%\347\256}\220\344[~\2775v\36", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\373\335\23m%\226\236\2\354\332\276F*\213\372\263\215\0\6\4dr\266v\300\310\325\78\327(\346m+\332\300\346\334\366\225\244\330\10\304\221\220v4\360\334;\321=\11#\224,\2143\372\315\376\343:w\224F\245%\347\256}\220\344[~\2775v\36", 80, ... ) , 80, ... ) == 0x0
 00910   368   NtClose  (-2147482040, ... ) == 0x0
 00900   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "u\33\21#p\303\371G\177\2416\271\264B2 0S\347p\177\340r\246*i\1O-\277\274\12`@\275\26WF>\222qZa\2462#\242{\377\177\276\370{\202\]$&\3X\220{\33\203\3748\312\235\256\263\21\372y'uz]\24p\335P\330\243\207\272\216\300bj\237\25\16\361(1\6\325cz\261\270V\22\3219\244\267z\236\277\263C\337%8\217o\23Qfr0\357|x"\36\341I~\343W\257\320\326\303)\205U=\360\367=\30\326\204(}u\276\366\304\366\3\331\20?\240\246!5\344\351\373\244B\20#\0\332S\7U{\367\274\24\252\305"$8\21\23\3QPv-\220\26\217\1s \236\221\302U>\212\301\274\242\149\27\341\217b\370\272\342\240L\244\325\16\322\345\341\361\271\303\246\254\305\310\3\21+\237K\36\265\346\267hG\337\225\221\20e\337\367\7\347\362__:\205'\361", ) \36\341I~\343W\257\320\326\303)\205U=\360\367=\30\326\204(}u\276\366\304\366\3\331\20?\240\246!5\344\351\373\244B\20#\0\332S\7U{\367\274\24\252\305 ... {status=0x0, info=256}, "u\33\21#p\303\371G\177\2416\271\264B2 0S\347p\177\340r\246*i\1O-\277\274\12`@\275\26WF>\222qZa\2462#\242{\377\177\276\370{\202\]$&\3X\220{\33\203\3748\312\235\256\263\21\372y'uz]\24p\335P\330\243\207\272\216\300bj\237\25\16\361(1\6\325cz\261\270V\22\3219\244\267z\236\277\263C\337%8\217o\23Qfr0\357|x"\36\341I~\343W\257\320\326\303)\205U=\360\367=\30\326\204(}u\276\366\304\366\3\331\20?\240\246!5\344\351\373\244B\20#\0\332S\7U{\367\274\24\252\305"$8\21\23\3QPv-\220\26\217\1s \236\221\302U>\212\301\274\242\149\27\341\217b\370\272\342\240L\244\325\16\322\345\341\361\271\303\246\254\305\310\3\21+\237K\36\265\346\267hG\337\225\221\20e\337\367\7\347\362__:\205'\361", ) , ) == 0x0
 00911   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00912   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00913   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00914   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00915   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00916   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00917   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00918   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00919   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00920   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\255\27h=\3265\363E<'\222\2\21bT\337\365\317\376M\201\257<\\3272}i\377\355\340uH\303?.\363\270KF\260\216\3B \370\377m#\242\6\33\347e\305\225\245w\242 [6\276\274\224\375\234\7\357\230\273hg\177\31\300\3\372M\", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\255\27h=\3265\363E<'\222\2\21bT\337\365\317\376M\201\257<\\3272}i\377\355\340uH\303?.\363\270KF\260\216\3B \370\377m#\242\6\33\347e\305\225\245w\242 [6\276\274\224\375\234\7\357\230\273hg\177\31\300\3\372M\", 80, ... ) , 80, ... ) == 0x0
 00921   368   NtClose  (-2147482040, ... ) == 0x0
 00911   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "bT\225\202%O\270\336\372\234\21\271\331\210\260\272;\14nY%\34,5\31S\325=\13M\376A\207\351\10V\14\226\223\375\0\335\372=\343\266a!\274\213f\212\371C\222B\270\250\323\230\251\212\357(9\320\T\16P\242\371_\242\367\13\17\220\312\361\36\220\223\355F\351\26\202\4O`\246\365\260\20\352\232u\213\244\21ry\10\264\300\315+\361\213\343$e9X\325\277\224nw\337M\276gj\207\32\2303e'>\206^\250b\315\17\303\323\271\210\10i\7\337`\370\211\326~\272\4\247\11\341\344[\212%%\222\200\252\12\220KkSb\340\267\221\226\274\356\321\276m\272\275\360\270\367\352!~\362,\352\37\223\246v\374c\200\334C\252\356u#\251\3760\15\270\2242\2357\374U\274$~%\306\0Qc\31uy\375\37\223QT]\310\227<\267\32A\320v\234c:\330\5\37-_\261\14b\257L\343\2163\327", ) , ) == 0x0
 00922   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00923   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00924   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00925   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00926   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00927   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00928   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00929   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00930   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00931   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\31\236\256\14\323\323\232\235\215\354\351\231\234D\362h>\269\30,X\261\266\314\30\336\352\200f\301m0\373c\22\25{\227\363\245U\326V\31&\10,\341\252\213\12%\314\34\253\230\214\277\354\343o\2161\341=x\300H\360\353\373\327\303Z\247\264\377\222s", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\31\236\256\14\323\323\232\235\215\354\351\231\234D\362h>\269\30,X\261\266\314\30\336\352\200f\301m0\373c\22\25{\227\363\245U\326V\31&\10,\341\252\213\12%\314\34\253\230\214\277\354\343o\2161\341=x\300H\360\353\373\327\303Z\247\264\377\222s", 80, ... ) , 80, ... ) == 0x0
 00932   368   NtClose  (-2147482040, ... ) == 0x0
 00922   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "s\32\375\345S!\236\354U\13Ap]Z\274\251\230\240n\344\223^\257\237\32\204\252\276\223\215\2B\370,V\356\251o\366\2052\274\232\376Y\374te\356nE\222\203M\343W1\2328u_\354\5\330]z:H#\377\343\267\315\31W\27K0Xy\251\372a\244v1h\312\254\225Q\224\203\234\13\253\313\346y\333t\31\363J\314\370#\37"\22\321.\274\245\263\334\35\276\351\25\0\325\362\262\322\377\356\342hsg\336E\216\357\315\267O\364o\216\327\305\255DsH\237\365\207\350\36\24n\257RX\\361\364\201\300\317:\240\13\364\15\274\377\306GE\346\24\264\26L\275\344\15\33hT\212\274\276yl\242\3\343\377Wzk\233\324E2\343|\257\363JL\273\25K\332\37;/\274\356<\205\24\256\307s\244\276e\232\3453\202\222\305P\237\364h\21@\22\27Gs\225\211y\3478\203x\336\260\336O\244^'\255\24", ) \22\321.\274\245\263\334\35\276\351\25\0\325\362\262\322\377\356\342hsg\336E\216\357\315\267O\364o\216\327\305\255DsH\237\365\207\350\36\24n\257RX\\361\364\201\300\317:\240\13\364\15\274\377\306GE\346\24\264\26L\275\344\15\33hT\212\274\276yl\242\3\343\377Wzk\233\324E2\343|\257\363JL\273\25K\332\37;/\274\356<\205\24\256\307s\244\276e\232\3453\202\222\305P\237\364h\21@\22\27Gs\225\211y\3478\203x\336\260\336O\244^'\255\24", ) == 0x0
 00933   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00934   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00935   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00936   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00937   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00938   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00939   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00940   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00941   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00942   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\320\276<\262D\314ewoz\252\262\350\15~\344#Dt\316\325\237\17\323\265:\102\35i\37\355/P\261aS\3772\33\210tZI}\341Qf\207\324E\307J\357h\0m\346\367\341?\216!\307;\273\5\345\221\331\236\177\313\304\24:\235\234\231\207", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\320\276<\262D\314ewoz\252\262\350\15~\344#Dt\316\325\237\17\323\265:\102\35i\37\355/P\261aS\3772\33\210tZI}\341Qf\207\324E\307J\357h\0m\346\367\341?\216!\307;\273\5\345\221\331\236\177\313\304\24:\235\234\231\207", 80, ... ) , 80, ... ) == 0x0
 00943   368   NtClose  (-2147482040, ... ) == 0x0
 00933   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\242\205\204\13\232\222\324j\202/A\2313\372,\225.\247\32-\353\344i\300\242\232\222?\203\366\305 l\342\374\351\301jbu\304\32K\357\345\345\203f;\0\321\315$t\35S\272m\273\241M\303\322\227\253S\331`|\271_/\337\340]\225\206\316\267\15\204\22\L\255\267\177\22\216}\353\250Y\13\371>\251v\21\202\234\304\265\276}\303\243(\320\301\366\202I\317\253\3215\2054;\326\263\332\221r\224D\201\310Z:t.\202\270\240\352\247\34\3\276\20yH\11W3B\205\311+\17s\1\322\213eI'R\207\266\272\11\30\265\242\13\221\220\372\34\313\336\317\316&@\0'"1y]\36|\374\333\2\3508I\324]\306hfW\203\217\236\351P\26\12[\323#\302\262R\345{\240\11i\246+\226^\270\241\226>\370\177B\267I\266*\362\343\235\237h\275\231\13\3438B\213\363\363\303\233\0?\240<\222\362r\315k", ) 1y]\36|\374\333\2\3508I\324]\306hfW\203\217\236\351P\26\12[\323#\302\262R\345{\240\11i\246+\226^\270\241\226>\370\177B\267I\266*\362\343\235\237h\275\231\13\3438B\213\363\363\303\233\0?\240<\222\362r\315k", ) == 0x0
 00944   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00945   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00946   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00947   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00948   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00949   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00950   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00951   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00952   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00953   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "2\10~\373\265q\313+i\330.\227\353\204\354\302\321\305OJ\177\245\316\205\21^Xk\14'"y1\223\300\11\33\204 =\271\332\2625\217\356'\321,X4\2653w\2\211\20a@\312P1_\327\3-p\2006"\256\211\324\344{\202\16\363v\356", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "2\10~\373\265q\313+i\330.\227\353\204\354\302\321\305OJ\177\245\316\205\21^Xk\14'"y1\223\300\11\33\204 =\271\332\2625\217\356'\321,X4\2653w\2\211\20a@\312P1_\327\3-p\2006"\256\211\324\344{\202\16\363v\356", 80, ... ) y1\223\300\11\33\204 =\271\332\2625\217\356'\321,X4\2653w\2\211\20a@\312P1_\327\3-p\2006 (-2147482040, "Seed", 0, 3, "2\10~\373\265q\313+i\330.\227\353\204\354\302\321\305OJ\177\245\316\205\21^Xk\14'"y1\223\300\11\33\204 =\271\332\2625\217\356'\321,X4\2653w\2\211\20a@\312P1_\327\3-p\2006"\256\211\324\344{\202\16\363v\356", 80, ... ) , 80, ... ) == 0x0
 00954   368   NtClose  (-2147482040, ... ) == 0x0
 00944   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "b\4\255\203\6\30\362\362\312\240:\307\240\332\307\0\245\377:\340\312\4X%\37\30b\303k/\363(;B\276^:3\365\275K\256\0\354\271$\20%{\303q\2 \23\302r\21\353\241?\332h\310\346\14\276\333c\261\35QvO5\375\216W\213\351P\325\263\322?", ) \14\276\333c\261\35QvO5\375\216W\213\351P\325\263\322?", ) == 0x0
 00955   368   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00956   368   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00957   368   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00958   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00959   368   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00960   368   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00961   368   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00962   368   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00963   368   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 00964   368   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\354\16\254\23\307\04\330\241\202d[\344xT\207L\305\312R\255&\16E\260R,-\370`\220\23u\344o\274h\252\354\223\342\10\261\241T*\255,\26\15B\251ch^\3141x\364\346\360J\241\23\317N\321\220\227\312T5\347\372w\345&\341\356\231", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\354\16\254\23\307\04\330\241\202d[\344xT\207L\305\312R\255&\16E\260R,-\370`\220\23u\344o\274h\252\354\223\342\10\261\241T*\255,\26\15B\251ch^\3141x\364\346\360J\241\23\317N\321\220\227\312T5\347\372w\345&\341\356\231", 80, ... ) , 80, ... ) == 0x0
 00965   368   NtClose  (-2147482040, ... ) == 0x0
 00955   368   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "lcn\225l\253{(\35\211i\30\24-+\27\312-\317\234\255\327K\212\36S\337\213\260\272\341I0\237pP/\207-\324\216j^'\322N\220\362HL\321|X\1_\367R/'w'Sz\371\300J\222%\271\277\373\311\306Y5\242i\3251\224$\211\31I\207\324\263\333\205\243\315;\263C\334t<1@\270T\6\2339?}\25N\33vI\30\243\246M\244l\325\302\325j0.\357+O\177*\210\362\207\215\21\0o-\362\316\351\264@\317\\220a\202U\216\200\307\253\5{e\16\234\250\246\370P\354f1$SMT\26S\277\354zl\265\301\354\362\\3455\355O\332C\330FF\351\7\350\224\330\0v\315\222\275\370T*|r\31\275\247\5\244;\316C\12\223\15\363>'v\275\300GX\217\226\314\353\\20\304\243\25\352\11\34U8\362\320\262\3369\2070y\335-\247\370b\207\322\244\204\26w\363\205", ) , ) == 0x0
 00966   368   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 00967   368   NtQueryVolumeInformationFile  (108, 1237900, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00968   368   NtClose  (12, ... ) == 0x0
 00969   368   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237120,  (0x80100080, {24, 0, 0x40, 0, 1237120, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 00971   368   NtQueryInformationFile  (12, 1238056, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00972   368   NtQueryInformationFile  (12, 1238028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00973   368   NtQueryInformationFile  (12, 1237980, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00974   368   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 00975   368   NtQueryInformationFile  (12, 1382728, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00976   368   NtQueryInformationFile  (12, 1236524, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00977   368   NtQueryInformationFile  (12, 1236368, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00978   368   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236376,  (0x40110080, {24, 0, 0x40, 0, 1236376, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00979   368   NtClose  (-2147482040, ... ) == 0x0
 00978   368   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00980   368   NtQueryVolumeInformationFile  (104, 1235748, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00981   368   NtQueryInformationFile  (104, 1235708, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00982   368   NtQueryVolumeInformationFile  (12, 1235748, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00983   368   NtQueryVolumeInformationFile  (12, 1235432, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00984   368   NtSetInformationFile  (104, 1235536, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00985   368   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 00986   368   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 139264, ) == 0x0
 00987   368   NtClose  (116, ... ) == 0x0
 00988   368   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0PE\0\0L\1\12\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\340S\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0\206\14\22\0\0\0\0\0\0\0\0\0\340S\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.idata\0\0\0`\1\0\0\20\0\0<7\1\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00989   368   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "Azo>w\307N\231\322\246z=y\242V\34\246\267Kz4\275\5a\263as\267\372\1\327h\324\314\334.Ez\356\354sHw\372\26\371\200", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00990   368   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "-\0[/\1-)2\30\22"=\177~\234z\214\4\273\272)\331.\366\15\342\352u\36\320\3\17O\26\12D\27\330'\22S\4d9$)\21\377\346\266\251>\333s\327\342\240\200\7Z=\6+\220\375\2U\24!#\33\352\177\235\204K\327\37H\340\130\36\30\0D\32LKFNI/\16Y+'\\242\11(\26uY\314\327\200\20\31\25Q\2\6\2U_E\4\30\10\325A\377*:\255\314\355\3428\37\344!z/~\1-9,!>=b\354a;y\17\0\44\24c8J-K\205zUy\356\361\351~?\327`\326\222"$\0Z`*\7\25aUB\7\5S\35.1\231\374\326W4\321\352\243\314\350\32\0.M8DP\30a\36\2BK&+)\33\37\353\\343~\225\264\274\0\17'=\36$\23#V931\364+\2278\257~}#\366\1\273X\276s\354,a\253^r\20\22@\207\23\12\364\10\36\36bT@\6K>(#!^N\274F\272[\24\22\227\354\366\227~i\324\7\15E.\3B\240\27Q\30@\37N\6\13\245\25\331n\263\363\377\364\333\227\307\220 \16b,8<*\17\270[\201\33!\155U1c\234\2716\231\353\2\273\216\260lz\315\236^\242\235m\233v\252\241m\234|\233\231U\1\273\323\320\22\344c\236\377Q\2246\233\352U\2276\234\253M\231\257\201\273s\333\342\315\236\326\242\242m\233^\252\235m\234v\227\227A\340\15 Eb\376*\3524\4'S\4KP\350@\272!\352\250\234", 14853, 0x0, 0, ... {status=0x0, info=14853}, ) =\177~\234z\214\4\273\272)\331.\366\15\342\352u\36\320\3\17O\26\12D\27\330'\22S\4d9$)\21\377\346\266\251>\333s\327\342\240\200\7Z=\6+\220\375\2U\24!#\33\352\177\235\204K\327\37H\340\130\36\30\0D\32LKFNI/\16Y+'\\242\11(\26uY\314\327\200\20\31\25Q\2\6\2U_E\4\30\10\325A\377*:\255\314\355\3428\37\344!z/~\1-9,!>=b\354a;y\17\0\44\24c8J-K\205zUy\356\361\351~?\327`\326\222 (104, 0, 0, 0, "-\0[/\1-)2\30\22"=\177~\234z\214\4\273\272)\331.\366\15\342\352u\36\320\3\17O\26\12D\27\330'\22S\4d9$)\21\377\346\266\251>\333s\327\342\240\200\7Z=\6+\220\375\2U\24!#\33\352\177\235\204K\327\37H\340\130\36\30\0D\32LKFNI/\16Y+'\\242\11(\26uY\314\327\200\20\31\25Q\2\6\2U_E\4\30\10\325A\377*:\255\314\355\3428\37\344!z/~\1-9,!>=b\354a;y\17\0\44\24c8J-K\205zUy\356\361\351~?\327`\326\222"$\0Z`*\7\25aUB\7\5S\35.1\231\374\326W4\321\352\243\314\350\32\0.M8DP\30a\36\2BK&+)\33\37\353\\343~\225\264\274\0\17'=\36$\23#V931\364+\2278\257~}#\366\1\273X\276s\354,a\253^r\20\22@\207\23\12\364\10\36\36bT@\6K>(#!^N\274F\272[\24\22\227\354\366\227~i\324\7\15E.\3B\240\27Q\30@\37N\6\13\245\25\331n\263\363\377\364\333\227\307\220 \16b,8<*\17\270[\201\33!\155U1c\234\2716\231\353\2\273\216\260lz\315\236^\242\235m\233v\252\241m\234|\233\231U\1\273\323\320\22\344c\236\377Q\2246\233\352U\2276\234\253M\231\257\201\273s\333\342\315\236\326\242\242m\233^\252\235m\234v\227\227A\340\15 Eb\376*\3524\4'S\4KP\350@\272!\352\250\234", 14853, 0x0, 0, ... {status=0x0, info=14853}, ) , 14853, 0x0, 0, ... {status=0x0, info=14853}, ) == 0x0
 00991   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00992   368   NtSetInformationFile  (104, 1237980, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00993   368   NtClose  (12, ... ) == 0x0
 00994   368   NtClose  (104, ... ) == 0x0
 00995   368   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00996   368   NtSetInformationFile  (104, 1238180, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00997   368   NtClose  (104, ... ) == 0x0
 00998   368   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00999   368   NtSetInformationFile  (104, 1238180, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01000   368   NtClose  (104, ... ) == 0x0
 01001   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237884,  (0x80100080, {24, 0, 0x40, 0, 1237884, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01002   368   NtQueryInformationFile  (104, 1237936, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01003   368   NtClose  (104, ... ) == 0x0
 01004   368   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1237884,  (0x40100080, {24, 0, 0x40, 0, 1237884, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01005   368   NtSetInformationFile  (104, 1237936, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01006   368   NtClose  (104, ... ) == 0x0
 01007   368   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "hbyzpr.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   368   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1238132,  (0x40100080, {24, 108, 0x40, 0, 1238132, "hbyzpr.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01009   368   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del hbyzpr.bat\15\12", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01010   368   NtClose  (104, ... ) == 0x0
 01011   368   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231472, ... ) }, 1231472, ... ) == 0x0
 01013   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01014   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01015   368   NtClose  (104, ... ) == 0x0
 01016   368   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 262144, ) == 0x0
 01017   368   NtClose  (12, ... ) == 0x0
 01018   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 01019   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01020   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01021   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01022   368   NtAllocateVirtualMemory  (-1, 1392640, 0, 16384, 4096, 4, ... 1392640, 16384, ) == 0x0
 01023   368   NtUserRegisterClassExWOW  (1233556, 1233636, 1233620, 1233652, 0, 384, 0, ... ) == 0x810dc038
 01024   368   NtUserGetAtomName  (49208, 1232320, ... ) == 0x15
 01025   368   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01026   368   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01027   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229844, ... ) }, 1229844, ... ) == 0x0
 01028   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01029   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01030   368   NtClose  (12, ... ) == 0x0
 01031   368   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 204800, ) == 0x0
 01032   368   NtClose  (104, ... ) == 0x0
 01033   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 01034   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230160, ... ) }, 1230160, ... ) == 0x0
 01035   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01036   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01037   368   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01038   368   NtClose  (104, ... ) == 0x0
 01039   368   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01040   368   NtClose  (12, ... ) == 0x0
 01041   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01042   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01043   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01044   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01045   368   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01046   368   NtClose  (12, ... ) == 0x0
 01047   368   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01048   368   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01049   368   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   368   NtClose  (104, ... ) == 0x0
 01051   368   NtClose  (12, ... ) == 0x0
 01052   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01053   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01054   368   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01055   368   NtClose  (12, ... ) == 0x0
 01056   368   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01057   368   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01058   368   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   368   NtClose  (104, ... ) == 0x0
 01060   368   NtClose  (12, ... ) == 0x0
 01061   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01062   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == 0x0
 01064   368   NtUserGetProcessWindowStation  (... ) == 0x28
 01065   368   NtUserGetObjectInformation  (40, 2, 0, 0, 1231956, ... ) == 0x0
 01066   368   NtUserGetObjectInformation  (40, 2, 1347056, 16, 1231956, ... ) == 0x1
 01067   368   NtUserGetGUIThreadInfo  (368, 1231912, ... ) == 0x1
 01068   368   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1231732, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1231732, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01069   368   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 368, 1582, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01070   368   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1583, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 368, 1583, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1583, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01071   368   NtUserCallNoParam  (29, ...
 01072   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229204, ... ) }, 1229204, ... ) == 0x0
 01071   368   NtUserCallNoParam  ... ) == 0x0
 01073   368   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01074   368   NtGdiHfontCreate  (1231284, 356, 0, 0, 1356144, ... ) == 0xf0a044c
 01075   368   NtGdiHfontCreate  (1231284, 356, 0, 0, 1356136, ... ) == 0xb0a0453
 01076   368   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1584, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 368, 1584, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 368, 1584, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01077   368   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 331776, ) == 0x0
 01078   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01079   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01080   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01081   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01082   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01083   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01084   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01085   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01086   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01087   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01088   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01089   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01090   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01091   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01092   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01093   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01094   368   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01095   368   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x6100457
 01096   368   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01097   368   NtUserCallNoParam  (29, ...
 01098   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228648, ... ) }, 1228648, ... ) == 0x0
 01097   368   NtUserCallNoParam  ... ) == 0x0
 01099   368   NtUserCallNoParam  (29, ...
 01100   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228644, ... ) }, 1228644, ... ) == 0x0
 01099   368   NtUserCallNoParam  ... ) == 0x0
 01101   368   NtUserMessageCall  (0x100e0, WM_NCCREATE, 0x0, 0x12cd6c, 0, 670, 0, ... ) == 0x1
 01102   368   NtUserMessageCall  (0x100e0, WM_NCCALCSIZE, 0x0, 0x12cd94, 0, 670, 0, ... ) == 0x0
 01103   368   NtUserSetProp  (65760, 43288, -1, ... ) == 0x1
 01025   368   NtUserCreateWindowEx  ... ) == 0x100e0
 01104   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01105   368   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01107   368   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   368   NtClose  (120, ... ) == 0x0
 01109   368   NtClose  (116, ... ) == 0x0
 01110   368   NtAllocateVirtualMemory  (-1, 1409024, 0, 24576, 4096, 4, ... 1409024, 24576, ) == 0x0
 01111   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01112   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 01114   368   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   368   NtClose  (116, ... ) == 0x0
 01116   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01118   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01119   368   NtQuerySystemTime  (... {1517940680, 29874795}, ) == 0x0
 01120   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01121   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01123   368   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01124   368   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01125   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01126   368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01127   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 01128   368   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01129   368   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01130   368   NtClose  (140, ... ) == 0x0
 01131   368   NtClose  (136, ... ) == 0x0
 01132   368   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 01133   368   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 01134   368   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01135   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01136   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01137   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01138   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01139   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232084,  (0xc0100080, {24, 0, 0x40, 0, 1232084, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01140   368   NtSetInformationFile  (152, 1232140, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01141   368   NtSetInformationFile  (152, 1232132, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01142   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01143   368   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01144   368   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\272$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01145   368   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\272$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\272$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01146   368   NtClose  (148, ... ) == 0x0
 01147   368   NtClose  (152, ... ) == 0x0
 01148   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1232128, ... ) }, 1232128, ... ) == 0x0
 01149   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01150   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01151   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "hbyzpr.bat"}, 1231948, ... ) }, 1231948, ... ) == 0x0
 01152   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01153   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01154   368   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS
 01155   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01156   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01157   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01159   368   NtQueryValueKey  (148,  (148, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   368   NtClose  (148, ... ) == 0x0
 01161   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01162   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01163   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01165   368   NtQueryValueKey  (148,  (148, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   368   NtClose  (148, ... ) == 0x0
 01167   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01168   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01169   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01171   368   NtQueryValueKey  (148,  (148, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   368   NtClose  (148, ... ) == 0x0
 01173   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01174   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01175   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01177   368   NtQueryValueKey  (148,  (148, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01178   368   NtClose  (148, ... ) == 0x0
 01179   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 148, ) }, ... 148, ) == 0x0
 01180   368   NtEnumerateKey  (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01181   368   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 156, ) }, ... 156, ) == 0x0
 01182   368   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   368   NtClose  (156, ... ) == 0x0
 01184   368   NtEnumerateKey  (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01185   368   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 156, ) }, ... 156, ) == 0x0
 01186   368   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   368   NtClose  (156, ... ) == 0x0
 01188   368   NtEnumerateKey  (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01189   368   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 156, ) }, ... 156, ) == 0x0
 01190   368   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   368   NtClose  (156, ... ) == 0x0
 01192   368   NtEnumerateKey  (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01193   368   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 156, ) }, ... 156, ) == 0x0
 01194   368   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   368   NtClose  (156, ... ) == 0x0
 01196   368   NtEnumerateKey  (148, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01197   368   NtClose  (148, ... ) == 0x0
 01198   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01199   368   NtOpenProcessToken  (-1, 0x8, ... 148, ) == 0x0
 01200   368   NtQueryInformationToken  (148, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01201   368   NtClose  (148, ... ) == 0x0
 01202   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01203   368   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0
 01204   368   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 156, ) == 0x0
 01205   368   NtCreateKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "SessionInfo\00000000000091f5"}, 0, 0x0, 1, ... 160, 2, ) }, 0, 0x0, 1, ... 160, 2, ) == 0x0
 01206   368   NtClose  (156, ... ) == 0x0
 01207   368   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   368   NtClose  (160, ... ) == 0x0
 01209   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01211   368   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   368   NtClose  (160, ... ) == 0x0
 01213   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01214   368   NtSetInformationObject  (162, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01215   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01216   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01218   368   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01219   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01220   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01221   368   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01222   368   NtClose  (164, ... ) == 0x0
 01223   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   368   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   368   NtClose  (158, ... ) == 0x0
 01226   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01227   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01229   368   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01230   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01231   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01232   368   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01233   368   NtClose  (164, ... ) == 0x0
 01234   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   368   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01236   368   NtClose  (158, ... ) == 0x0
 01237   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01238   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01239   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01240   368   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01241   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01242   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01243   368   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01244   368   NtClose  (164, ... ) == 0x0
 01245   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   368   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01247   368   NtClose  (158, ... ) == 0x0
 01248   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01250   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01252   368   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01253   368   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 01254   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01255   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01256   368   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01257   368   NtClose  (164, ... ) == 0x0
 01258   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   368   NtQueryValueKey  (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01260   368   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01261   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01262   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01263   368   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01264   368   NtClose  (164, ... ) == 0x0
 01265   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01266   368   NtQueryValueKey  (158,  (158, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   368   NtClose  (158, ... ) == 0x0
 01268   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01269   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01270   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01271   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0
 01272   368   NtQueryValueKey  (156,  (156, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01273   368   NtClose  (156, ... ) == 0x0
 01274   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01275   368   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01276   368   NtClose  (156, ... ) == 0x0
 01277   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 156, ) }, ... 156, ) == 0x0
 01278   368   NtQueryValueKey  (156,  (156, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01279   368   NtClose  (156, ... ) == 0x0
 01280   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01281   368   NtQueryValueKey  (156, " (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01282   368   NtClose  (156, ... ) == 0x0
 01283   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01284   368   NtQueryVolumeInformationFile  (156, 1232268, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01285   368   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 164, ) }, ... 164, ) == 0x0
 01286   368   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 01287   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 168, ) }, ... 168, ) == 0x0
 01288   368   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x12e0000), {0, 0}, 57344, ) == 0x0
 01289   368   NtQueryInformationFile  (156, 1232232, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01290   368   NtQueryInformationFile  (156, 1232272, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01291   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01292   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01293   368   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01294   368   NtClose  (172, ... ) == 0x0
 01295   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01296   368   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 01297   368   NtClose  (156, ... ) == 0x0
 01298   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01299   368   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01300   368   NtClose  (156, ... ) == 0x0
 01301   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == 0x0
 01305   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01306   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 172, ) == 0x0
 01307   368   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01308   368   NtClose  (156, ... ) == 0x0
 01309   368   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01310   368   NtClose  (172, ... ) == 0x0
 01311   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01313   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01314   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == 0x0
 01315   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01316   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 156, ) == 0x0
 01317   368   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01318   368   NtClose  (172, ... ) == 0x0
 01319   368   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01320   368   NtClose  (156, ... ) == 0x0
 01321   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01322   368   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01323   368   NtClose  (156, ... ) == 0x0
 01324   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 156, ) }, ... 156, ) == 0x0
 01327   368   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   368   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329   368   NtClose  (156, ... ) == 0x0
 01330   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1230048, ... ) }, 1230048, ... ) == 0x0
 01331   368   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   368   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01333   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01334   368   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01335   368   NtClose  (156, ... ) == 0x0
 01336   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 156, ) }, ... 156, ) == 0x0
 01337   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01338   368   NtNotifyChangeKey  (156, 172, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01339   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 176, ) }, ... 176, ) == 0x0
 01340   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01341   368   NtNotifyChangeKey  (176, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01342   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01343   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 188, ) }, ... 188, ) == 0x0
 01344   368   NtSetInformationObject  (188, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01345   368   NtNotifyChangeKey  (188, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01346   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 192, ) }, ... 192, ) == 0x0
 01347   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01348   368   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01349   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01350   368   NtNotifyChangeKey  (188, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01351   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01352   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01353   368   NtNotifyChangeKey  (204, 208, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01354   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01355   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01356   368   NtNotifyChangeKey  (212, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01357   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 220, ) }, ... 220, ) == 0x0
 01358   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01359   368   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01360   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 228, ) }, ... 228, ) == 0x0
 01361   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01362   368   NtNotifyChangeKey  (228, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01363   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 01364   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01365   368   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01366   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01367   368   NtNotifyChangeKey  (188, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01368   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01369   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01370   368   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01371   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01372   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01373   368   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01374   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01375   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01376   368   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01377   368   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 272, ) }, ... 272, ) == 0x0
 01379   368   NtQueryValueKey  (272,  (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01380   368   NtClose  (272, ... ) == 0x0
 01381   368   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 01382   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01383   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01384   368   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 272, ) }, ... 272, ) == 0x0
 01385   368   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x12f0000), {0, 0}, 24576, ) == 0x0
 01386   368   NtAllocateVirtualMemory  (-1, 18898944, 0, 8192, 4096, 4, ... 18898944, 8192, ) == 0x0
 01387   368   NtAllocateVirtualMemory  (-1, 18907136, 0, 8192, 4096, 4, ... 18907136, 8192, ) == 0x0
 01388   368   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01390   368   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01391   368   NtClose  (276, ... ) == 0x0
 01392   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01393   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01394   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 19922944, 65536, ) == 0x0
 01395   368   NtAllocateVirtualMemory  (-1, 19922944, 0, 4096, 4096, 4, ... 19922944, 4096, ) == 0x0
 01396   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01397   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01399   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01400   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01401   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01402   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01403   368   NtClose  (280, ... ) == 0x0
 01404   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   368   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01406   368   NtClose  (278, ... ) == 0x0
 01407   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01408   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01410   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01411   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01412   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01413   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01414   368   NtClose  (280, ... ) == 0x0
 01415   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01417   368   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01418   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01419   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01420   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01421   368   NtClose  (284, ... ) == 0x0
 01422   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01423   368   NtQueryValueKey  (282,  (282, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424   368   NtClose  (282, ... ) == 0x0
 01425   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01426   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01427   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01428   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01429   368   NtClose  (280, ... ) == 0x0
 01430   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01433   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01434   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01435   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01436   368   NtClose  (280, ... ) == 0x0
 01437   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01440   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01441   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01442   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01443   368   NtClose  (280, ... ) == 0x0
 01444   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01446   368   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01447   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01448   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01449   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01450   368   NtClose  (284, ... ) == 0x0
 01451   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   368   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01453   368   NtClose  (282, ... ) == 0x0
 01454   368   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01455   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01456   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01457   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01458   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01459   368   NtClose  (280, ... ) == 0x0
 01460   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01463   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01464   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01465   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01466   368   NtClose  (280, ... ) == 0x0
 01467   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01470   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01471   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01472   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01473   368   NtClose  (280, ... ) == 0x0
 01474   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01477   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01478   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01479   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01480   368   NtClose  (280, ... ) == 0x0
 01481   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01484   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01486   368   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01487   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01488   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01489   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01490   368   NtClose  (284, ... ) == 0x0
 01491   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492   368   NtQueryValueKey  (282,  (282, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493   368   NtClose  (282, ... ) == 0x0
 01494   368   NtClose  (278, ... ) == 0x0
 01495   368   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 276, ) == 0x0
 01496   368   NtQueryInformationProcess  (276, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01497   368   NtClose  (276, ... ) == 0x0
 01498   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01499   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01500   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01501   368   NtClose  (278, ... ) == 0x0
 01502   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01503   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01505   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01506   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01507   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01508   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01509   368   NtClose  (280, ... ) == 0x0
 01510   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   368   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01512   368   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01513   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01514   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01515   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01516   368   NtClose  (284, ... ) == 0x0
 01517   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   368   NtQueryValueKey  (282,  (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01519   368   NtClose  (282, ... ) == 0x0
 01520   368   NtClose  (278, ... ) == 0x0
 01521   368   NtAllocateVirtualMemory  (-1, 1445888, 0, 8192, 4096, 4, ... 1445888, 8192, ) == 0x0
 01522   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01523   368   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01525   368   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01526   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01527   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01528   368   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01529   368   NtClose  (280, ... ) == 0x0
 01530   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531   368   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   368   NtClose  (278, ... ) == 0x0
 01533   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226440, ... ) }, 1226440, ... ) == 0x0
 01534   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01535   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01536   368   NtClose  (276, ... ) == 0x0
 01537   368   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1310000), 0x0, 1339392, ) == 0x0
 01538   368   NtClose  (280, ... ) == 0x0
 01539   368   NtUnmapViewOfSection  (-1, 0x1310000, ... ) == 0x0
 01540   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226756, ... ) }, 1226756, ... ) == 0x0
 01541   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01542   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01543   368   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01544   368   NtClose  (280, ... ) == 0x0
 01545   368   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01546   368   NtClose  (276, ... ) == 0x0
 01547   368   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01548   368   NtQueryDefaultUILanguage  (1225120, ...
 01549   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01550   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 01551   368   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01552   368   NtClose  (-2147482040, ... ) == 0x0
 01553   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 01554   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   368   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 01556   368   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   368   NtClose  (-2147482044, ... ) == 0x0
 01558   368   NtClose  (-2147482040, ... ) == 0x0
 01548   368   NtQueryDefaultUILanguage  ... ) == 0x0
 01559   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01561   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 280, ) == 0x0
 01562   368   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1310000), 0x0, 1339392, ) == 0x0
 01563   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   368   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 01565   368   NtQueryDefaultLocale  (1, 1223156, ... ) == 0x0
 01566   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1585, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1585, 0}  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1585, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" )  ) == 0x0
 01568   368   NtClose  (276, ... ) == 0x0
 01569   368   NtClose  (280, ... ) == 0x0
 01570   368   NtUnmapViewOfSection  (-1, 0x1310000, ... ) == 0x0
 01571   368   NtUnmapViewOfSection  (-1, 0x12b44c, ... ) == STATUS_NOT_MAPPED_VIEW
 01572   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01573   368   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01575   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01576   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1221696, ... ) }, 1221696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01578   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01579   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01580   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1222288, ... ) }, 1222288, ... ) == 0x0
 01581   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 280, {status=0x0, info=1}, ) }, 3, 33, ... 280, {status=0x0, info=1}, ) == 0x0
 01582   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01583   368   NtUserFindExistingCursorIcon  (1226240, 1226256, 1226824, ... ) == 0x10011
 01584   368   NtUserRegisterClassExWOW  (1226692, 1226772, 1226756, 1226788, 0, 384, 0, ... ) == 0x810d0000
 01585   368   NtUserGetClassInfo  (1905590272, 1226856, 1226808, 1226884, 0, ... ) == 0xc05f
 01586   368   NtGdiCreateHalftonePalette  (0, ... ) == 0x6080458
 01587   368   NtGdiDoPalette  (101188696, 0, 256, 1225948, 2, 0, ... ) == 0x100
 01588   368   NtGdiDeleteObjectApp  (101188696, ... ) == 0x1
 01589   368   NtGdiCreateCompatibleDC  (0, ... ) == 0x7010458
 01590   368   NtGdiCreatePaletteInternal  (1225944, 256, ... ) == 0x6080459
 01591   368   NtGdiDeleteObjectApp  (117507160, ... ) == 0x1
 01592   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01593   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 276, ) }, ... 276, ) == 0x0
 01595   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01596   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01597   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01598   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01599   368   NtClose  (284, ... ) == 0x0
 01600   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   368   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01602   368   NtClose  (278, ... ) == 0x0
 01603   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01604   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01606   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01607   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01608   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01609   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01610   368   NtClose  (284, ... ) == 0x0
 01611   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612   368   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01613   368   NtClose  (278, ... ) == 0x0
 01614   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01617   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01618   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01620   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   368   NtClose  (284, ... ) == 0x0
 01622   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   368   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01624   368   NtClose  (278, ... ) == 0x0
 01625   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01626   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01627   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01628   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01629   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01630   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01631   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01632   368   NtClose  (284, ... ) == 0x0
 01633   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01634   368   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01635   368   NtClose  (278, ... ) == 0x0
 01636   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01637   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01639   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01640   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01641   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01642   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01643   368   NtClose  (284, ... ) == 0x0
 01644   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   368   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01646   368   NtClose  (278, ... ) == 0x0
 01647   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   368   NtAllocateVirtualMemory  (-1, 1454080, 0, 12288, 4096, 4, ... 1454080, 12288, ) == 0x0
 01649   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01650   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01651   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01652   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01653   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01654   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01655   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01656   368   NtClose  (284, ... ) == 0x0
 01657   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01658   368   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   368   NtClose  (278, ... ) == 0x0
 01660   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01661   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01662   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01663   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 01664   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01665   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01666   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01667   368   NtClose  (284, ... ) == 0x0
 01668   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   368   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   368   NtClose  (278, ... ) == 0x0
 01671   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01672   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01673   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01674   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 01675   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01676   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01677   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01678   368   NtClose  (284, ... ) == 0x0
 01679   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   368   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   368   NtClose  (278, ... ) == 0x0
 01682   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01683   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01684   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01685   368   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01686   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01687   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01688   368   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01689   368   NtClose  (284, ... ) == 0x0
 01690   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   368   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01692   368   NtClose  (278, ... ) == 0x0
 01693   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 276, ) }, ... 276, ) == 0x0
 01694   368   NtEnumerateValueKey  (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01695   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01696   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01697   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01698   368   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01699   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01700   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01701   368   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01702   368   NtClose  (288, ... ) == 0x0
 01703   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   368   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01705   368   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01706   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01707   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01708   368   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01709   368   NtClose  (288, ... ) == 0x0
 01710   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01711   368   NtQueryValueKey  (286,  (286, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712   368   NtClose  (286, ... ) == 0x0
 01713   368   NtEnumerateValueKey  (276, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01714   368   NtClose  (276, ... ) == 0x0
 01715   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01716   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01717   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1231400, ... ) }, 1231400, ... ) == 0x0
 01718   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01719   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01720   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01721   368   NtQueryValueKey  (276,  (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01722   368   NtClose  (276, ... ) == 0x0
 01723   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01724   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01725   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1232428, ... ) }, 1232428, ... ) == 0x0
 01726   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01727   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01728   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01729   368   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01730   368   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01731   368   NtClose  (276, ... ) == 0x0
 01732   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01734   368   NtQueryValueKey  (276,  (276, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   368   NtClose  (276, ... ) == 0x0
 01736   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01737   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01738   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01739   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01740   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01741   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01742   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01743   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01744   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01745   368   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01746   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 276, ) }, ... 276, ) == 0x0
 01747   368   NtEnumerateKey  (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01748   368   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 284, ) }, ... 284, ) == 0x0
 01749   368   NtQueryValueKey  (284,  (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01750   368   NtQueryValueKey  (284,  (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01751   368   NtClose  (284, ... ) == 0x0
 01752   368   NtEnumerateKey  (276, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01753   368   NtClose  (276, ... ) == 0x0
 01754   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01756   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01757   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01759   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01764   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01769   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01770   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01771   368   NtClose  (276, ... ) == 0x0
 01772   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01774   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01775   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01776   368   NtClose  (276, ... ) == 0x0
 01777   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01779   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01780   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01781   368   NtClose  (276, ... ) == 0x0
 01782   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01784   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01785   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01786   368   NtClose  (276, ... ) == 0x0
 01787   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01788   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01789   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01790   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01791   368   NtClose  (276, ... ) == 0x0
 01792   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01794   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01795   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01796   368   NtClose  (276, ... ) == 0x0
 01797   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01799   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01800   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01801   368   NtClose  (276, ... ) == 0x0
 01802   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01804   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01805   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01806   368   NtClose  (276, ... ) == 0x0
 01807   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01809   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01810   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01811   368   NtClose  (276, ... ) == 0x0
 01812   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01813   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01814   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01815   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01816   368   NtClose  (276, ... ) == 0x0
 01817   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01819   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01820   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01821   368   NtClose  (276, ... ) == 0x0
 01822   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01824   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01825   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01826   368   NtClose  (276, ... ) == 0x0
 01827   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01828   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01829   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01830   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01831   368   NtClose  (276, ... ) == 0x0
 01832   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01834   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01835   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01836   368   NtClose  (276, ... ) == 0x0
 01837   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01838   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01839   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01840   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01841   368   NtClose  (276, ... ) == 0x0
 01842   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01843   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01844   368   NtQueryValueKey  (276,  (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01845   368   NtClose  (276, ... ) == 0x0
 01846   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01847   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01848   368   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01849   368   NtClose  (276, ... ) == 0x0
 01850   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   368   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01852   368   NtOpenProcessToken  (-1, 0xa, ... 276, ) == 0x0
 01853   368   NtDuplicateToken  (276, 0xc, {24, 0, 0x0, 0, 1233236, 0x0}, 0, 2, ... 284, ) == 0x0
 01854   368   NtClose  (276, ... ) == 0x0
 01855   368   NtAccessCheck  (1455520, 284, 0x1, 1233364, 1233308, 56, 1233392, ... (0x1), ) == 0x0
 01856   368   NtClose  (284, ... ) == 0x0
 01857   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 01858   368   NtQueryValueKey  (284,  (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01859   368   NtClose  (284, ... ) == 0x0
 01860   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233252,  (0x80100080, {24, 0, 0x40, 0, 1233252, "\??\u:\work\hbyzpr.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0
 01861   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 276, ) }, ... 276, ) == 0x0
 01862   368   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\WinDfs\U:00000000000091f5", 66, ) , 66, ) == 0x0
 01863   368   NtClose  (276, ... ) == 0x0
 01864   368   NtQueryInformationFile  (284, 1231696, 528, Name, ... {status=0x0, info=72}, ) == 0x0
 01865   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01866   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01867   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\hbyzpr.bat"}, 1230376, ... ) }, 1230376, ... ) == 0x0
 01868   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01869   368   NtQueryDirectoryFile  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1,  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 01870   368   NtClose  (276, ... ) == 0x0
 01871   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01872   368   NtQueryDirectoryFile  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1,  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1, "hbyzpr.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01873   368   NtClose  (276, ... ) == 0x0
 01874   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01879   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == 0x0
 01880   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01881   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 288, ) == 0x0
 01882   368   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01883   368   NtClose  (276, ... ) == 0x0
 01884   368   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01885   368   NtClose  (288, ... ) == 0x0
 01886   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 288, ) }, ... 288, ) == 0x0
 01887   368   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01888   368   NtClose  (288, ... ) == 0x0
 01889   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01890   368   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19988480, 262144, ) == 0x0
 01891   368   NtAllocateVirtualMemory  (-1, 19988480, 0, 4096, 4096, 4, ... 19988480, 4096, ) == 0x0
 01892   368   NtAllocateVirtualMemory  (-1, 19992576, 0, 8192, 4096, 4, ... 19992576, 8192, ) == 0x0
 01893   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01894   368   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20250624, 1048576, ) == 0x0
 01895   368   NtAllocateVirtualMemory  (-1, 20250624, 0, 1048576, 4096, 4, ... 20250624, 1048576, ) == 0x0
 01896   368   NtCreateMutant  (0x1f0001, 0x0, 0, ... 288, ) == 0x0
 01897   368   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 276, ) == 0x0
 01898   368   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 01899   368   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 296, ) == 0x0
 01900   368   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 01901   368   NtSetEvent  (300, ... 0x0, ) == 0x0
 01902   368   NtSetInformationFile  (284, 1233136, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01903   368   NtReadFile  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 01904   368   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01905   368   NtClearEvent  (276, ... ) == 0x0
 01906   368   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01907   368   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01908   368   NtSetEvent  (276, ... 0x0, ) == 0x0
 01909   368   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01910   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01911   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01912   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 01913   368   NtClose  (304, ... ) == 0x0
 01914   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01915   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01916   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01917   368   NtClose  (304, ... ) == 0x0
 01918   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01919   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01920   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 01921   368   NtClose  (304, ... ) == 0x0
 01922   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01923   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01924   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 01925   368   NtClose  (304, ... ) == 0x0
 01926   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01927   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01928   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 01929   368   NtClose  (304, ... ) == 0x0
 01930   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01931   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01932   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 01933   368   NtClose  (304, ... ) == 0x0
 01934   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01936   368   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01937   368   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 01938   368   NtClose  (304, ... ) == 0x0
 01939   368   NtWaitForMultipleObjects  (2, (288, 276, ), 0, 0, 0x0, ... ) == 0x0
 01940   368   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01941   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01942   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 01943   368   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01944   368   NtClose  (304, ... ) == 0x0
 01945   368   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01946   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01947   368   NtClose  (304, ... ) == 0x0
 01948   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 304, ) }, ... 304, ) == 0x0
 01949   368   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01950   368   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01951   368   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01952   368   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01953   368   NtClose  (304, ... ) == 0x0
 01954   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 304, ) }, ... 304, ) == 0x0
 01955   368   NtQueryValueKey  (304,  (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01956   368   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01957   368   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01958   368   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01959   368   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01960   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1230424, ... ) }, 1230424, ... ) == 0x0
 01961   368   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 308, ) }, ... 308, ) == 0x0
 01962   368   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01963   368   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01964   368   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01965   368   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01966   368   NtClose  (308, ... ) == 0x0
 01967   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   368   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01969   368   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01970   368   NtQueryInformationToken  (308, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01971   368   NtClose  (308, ... ) == 0x0
 01972   368   NtClose  (304, ... ) == 0x0
 01973   368   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01974   368   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01975   368   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01976   368   NtClose  (304, ... ) == 0x0
 01977   368   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01978   368   NtCreateKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0
 01979   368   NtClose  (304, ... ) == 0x0
 01980   368   NtQueryValueKey  (308,  (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 01981   368   NtClose  (308, ... ) == 0x0
 01982   368   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01983   368   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01984   368   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01985   368   NtClose  (308, ... ) == 0x0
 01986   368   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 01987   368   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 304, ) }, ... 304, ) == 0x0
 01988   368   NtClose  (308, ... ) == 0x0
 01989   368   NtQueryValueKey  (304,  (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 01990   368   NtClose  (304, ... ) == 0x0
 01991   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01992   368   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01993   368   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01994   368   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01995   368   NtClose  (304, ... ) == 0x0
 01996   368   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01997   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   368   NtClose  (304, ... ) == 0x0
 01999   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   368   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 284, ... 304, ) == 0x0
 02001   368   NtMapViewOfSection  (304, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1450000), {0, 0}, 4096, ) == 0x0
 02002   368   NtClose  (304, ... ) == 0x0
 02003   368   NtQueryInformationFile  (284, 1232640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02004   368   NtUnmapViewOfSection  (-1, 0x1450000, ... ) == 0x0
 02005   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02006   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02007   368   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02008   368   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02009   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02010   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02011   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02012   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02013   368   NtClose  (316, ... ) == 0x0
 02014   368   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02015   368   NtClose  (312, ... ) == 0x0
 02016   368   NtClose  (308, ... ) == 0x0
 02017   368   NtClose  (304, ... ) == 0x0
 02018   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02019   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02020   368   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 312, ) }, ... 312, ) == 0x0
 02021   368   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02022   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 316, ) }, ... 316, ) == 0x0
 02023   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02024   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02025   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02026   368   NtClose  (316, ... ) == 0x0
 02027   368   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02028   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02029   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02030   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02031   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02032   368   NtClose  (316, ... ) == 0x0
 02033   368   NtEnumerateKey  (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02034   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 316, ) }, ... 316, ) == 0x0
 02035   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02036   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02037   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02038   368   NtClose  (316, ... ) == 0x0
 02039   368   NtEnumerateKey  (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02040   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02041   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02042   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02043   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02044   368   NtClose  (316, ... ) == 0x0
 02045   368   NtEnumerateKey  (312, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02046   368   NtClose  (312, ... ) == 0x0
 02047   368   NtClose  (308, ... ) == 0x0
 02048   368   NtClose  (304, ... ) == 0x0
 02049   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02050   368   NtEnumerateKey  (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02051   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02052   368   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02053   368   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02054   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02055   368   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02056   368   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02057   368   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02058   368   NtClose  (316, ... ) == 0x0
 02059   368   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02060   368   NtClose  (312, ... ) == 0x0
 02061   368   NtClose  (308, ... ) == 0x0
 02062   368   NtEnumerateKey  (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02063   368   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 1"}, ... 308, ) }, ... 308, ) == 0x0
 02064   368   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02065   368   NtClose  (308, ... ) == 0x0
 02066   368   NtEnumerateKey  (304, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02067   368   NtClose  (304, ... ) == 0x0
 02068   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230168, ... ) }, 1230168, ... ) == 0x0
 02069   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 02070   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 304, ... 308, ) == 0x0
 02071   368   NtClose  (304, ... ) == 0x0
 02072   368   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1450000), 0x0, 16384, ) == 0x0
 02073   368   NtClose  (308, ... ) == 0x0
 02074   368   NtUnmapViewOfSection  (-1, 0x1450000, ... ) == 0x0
 02075   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230484, ... ) }, 1230484, ... ) == 0x0
 02076   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02077   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 02078   368   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02079   368   NtClose  (308, ... ) == 0x0
 02080   368   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02081   368   NtClose  (304, ... ) == 0x0
 02082   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1229744, ... ) }, 1229744, ... ) == 0x0
 02083   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 304, ) == 0x0
 02084   368   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21430272, 1048576, ) == 0x0
 02085   368   NtAllocateVirtualMemory  (-1, 22470656, 0, 8192, 4096, 4, ... 22470656, 8192, ) == 0x0
 02086   368   NtProtectVirtualMemory  (-1, (0x156e000), 4096, 260, ... (0x156e000), 4096, 4, ) == 0x0
 02087   368   NtCreateThread  (0x1f03ff, 0x0, -1, 1231692, 1232408, 1, ... 308, {316, 792}, ) == 0x0
 02088   368   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=316,Tid=792,}, 0x0, ) == 0x0
 02089   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0<\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 316, 368, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0<\1\0\0\30\3\0\0" )  ... {28, 56, reply, 0, 316, 368, 1586, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0<\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 316, 368, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0<\1\0\0\30\3\0\0" )  ) == 0x0
 02090   368   NtResumeThread  (308, ... 1, ) == 0x0
 02091   792   NtTestAlert  (... ) == 0x0
 02092   792   NtContinue  (22478128, 1, ...
 02093   792   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02094   792   NtWaitForMultipleObjects  (1, (304, ), 1, 0, {-150000000, -1}, ...
 02095   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 312, ) }, ... 312, ) == 0x0
 02096   368   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02097   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 0"}, ... 316, ) }, ... 316, ) == 0x0
 02098   368   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 320, ) }, ... 320, ) == 0x0
 02099   368   NtEnumerateKey  (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02100   368   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 324, ) }, ... 324, ) == 0x0
 02101   368   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02102   368   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02103   368   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02104   368   NtClose  (324, ... ) == 0x0
 02105   368   NtEnumerateKey  (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02106   368   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02107   368   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02108   368   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02109   368   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02110   368   NtClose  (324, ... ) == 0x0
 02111   368   NtEnumerateKey  (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02112   368   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 324, ) }, ... 324, ) == 0x0
 02113   368   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02114   368   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02115   368   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02116   368   NtClose  (324, ... ) == 0x0
 02117   368   NtEnumerateKey  (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02118   368   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02119   368   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02120   368   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02121   368   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02122   368   NtClose  (324, ... ) == 0x0
 02123   368   NtEnumerateKey  (320, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02124   368   NtClose  (320, ... ) == 0x0
 02125   368   NtClose  (316, ... ) == 0x0
 02126   368   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02127   368   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 1"}, ... 316, ) }, ... 316, ) == 0x0
 02128   368   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   368   NtClose  (316, ... ) == 0x0
 02130   368   NtEnumerateKey  (312, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02131   368   NtClose  (312, ... ) == 0x0
 02132   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02133   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == 0x0
 02136   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02137   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02138   368   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02139   368   NtClose  (312, ... ) == 0x0
 02140   368   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02141   368   NtClose  (316, ... ) == 0x0
 02142   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02143   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 21299200, 65536, ) == 0x0
 02144   368   NtAllocateVirtualMemory  (-1, 21299200, 0, 4096, 4096, 4, ... 21299200, 4096, ) == 0x0
 02145   368   NtAllocateVirtualMemory  (-1, 21303296, 0, 8192, 4096, 4, ... 21303296, 8192, ) == 0x0
 02146   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1230064, ... ) }, 1230064, ... ) == 0x0
 02147   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02148   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02149   368   NtClose  (316, ... ) == 0x0
 02150   368   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1570000), 0x0, 262144, ) == 0x0
 02151   368   NtClose  (312, ... ) == 0x0
 02152   368   NtUnmapViewOfSection  (-1, 0x1570000, ... ) == 0x0
 02153   368   NtAllocateLocallyUniqueId  (... {95726, 0}, ) == 0x0
 02154   368   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02155   368   NtOpenProcessToken  (-1, 0x20008, ... 312, ) == 0x0
 02156   368   NtQueryInformationToken  (312, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02157   368   NtClose  (312, ... ) == 0x0
 02158   368   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231384, 0,  (0xf0007, {24, 52, 0x80, 1231384, 0, "DfSharedHeap175EE"}, {4194304, 0}, 4, 67108864, 0, ... 312, ) }, {4194304, 0}, 4, 67108864, 0, ... 312, ) == 0x0
 02159   368   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1570000), {0, 0}, 4194304, ) == 0x0
 02160   368   NtAllocateVirtualMemory  (-1, 22478848, 0, 16376, 4096, 4, ... 22478848, 16384, ) == 0x0
 02161   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228900,  (0x80100080, {24, 0, 0x40, 0, 1228900, "\??\UNC\missouri\binaries\work\hbyzpr.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 02162   368   NtReadFile  (316, 0, 0, 1231604, 512, {0, 0}, 0, ... {status=0x0, info=122},  (316, 0, 0, 1231604, 512, {0, 0}, 0, ... {status=0x0, info=122}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del hbyzpr.bat\15\12", ) , ) == 0x0
 02163   368   NtClose  (316, ... ) == 0x0
 02164   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230168, ... ) }, 1230168, ... ) == 0x0
 02165   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02166   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 320, ) == 0x0
 02167   368   NtClose  (316, ... ) == 0x0
 02168   368   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1970000), 0x0, 69632, ) == 0x0
 02169   368   NtClose  (320, ... ) == 0x0
 02170   368   NtUnmapViewOfSection  (-1, 0x1970000, ... ) == 0x0
 02171   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230484, ... ) }, 1230484, ... ) == 0x0
 02172   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02173   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 02174   368   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02175   368   NtClose  (320, ... ) == 0x0
 02176   368   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02177   368   NtClose  (316, ... ) == 0x0
 02178   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02179   368   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02180   368   NtClose  (316, ... ) == 0x0
 02181   368   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02182   368   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02183   368   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02184   368   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02185   368   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02186   368   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02187   368   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02188   368   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02189   368   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02190   368   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02191   368   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02192   368   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02193   368   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02194   368   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02195   368   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02196   368   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02197   368   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02198   368   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02199   368   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02200   368   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02201   368   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02202   368   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02203   368   NtOpenProcessToken  (-1, 0x8, ... 316, ) == 0x0
 02204   368   NtQueryInformationToken  (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02205   368   NtClose  (316, ... ) == 0x0
 02206   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02207   368   NtReleaseMutant  (16, ...
 02208   368   NtContinue  (-133332856, 0, ...
 02207   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02209   368   NtQueryDefaultLocale  (1, 1229164, ... ) == 0x0
 02210   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02233   368   NtReleaseMutant  (16, ...
 02234   368   NtContinue  (-133332856, 0, ...
 02233   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02235   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02238   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02242   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02243   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02247   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02248   368   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02249   368   NtClose  (316, ... ) == 0x0
 02250   368   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0
 02251   368   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0
 02252   368   NtClose  (316, ... ) == 0x0
 02253   368   NtQueryValueKey  (320,  (320, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02254   368   NtQueryValueKey  (320,  (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02255   368   NtClose  (320, ... ) == 0x0
 02256   368   NtClose  (284, ... ) == 0x0
 02257   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 26673152, 4096, ) == 0x0
 02258   368   NtAllocateVirtualMemory  (-1, 26673152, 0, 4096, 4096, 4, ... 26673152, 4096, ) == 0x0
 02259   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 02260   368   NtQueryValueKey  (284,  (284, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02261   368   NtClose  (284, ... ) == 0x0
 02262   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   368   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02264   368   NtOpenProcessToken  (-1, 0x2000a, ... 284, ) == 0x0
 02265   368   NtQueryInformationToken  (284, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   368   NtQueryInformationToken  (284, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02267   368   NtClose  (284, ... ) == 0x0
 02268   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02270   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02271   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02272   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02273   368   NtQueryValueKey  (284,  (284, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02274   368   NtClose  (284, ... ) == 0x0
 02275   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02276   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02277   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02278   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02279   368   NtQueryValueKey  (284,  (284, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   368   NtClose  (284, ... ) == 0x0
 02281   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02282   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 02284   368   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02285   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02286   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 02287   368   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02288   368   NtClose  (320, ... ) == 0x0
 02289   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   368   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02291   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1229772, ... ) }, 1229772, ... ) == 0x0
 02292   368   NtClose  (286, ... ) == 0x0
 02293   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02294   368   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 284, {status=0x0, info=1}, ) }, 3, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02295   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 320, ) }, ... 320, ) == 0x0
 02296   368   NtQuerySymbolicLinkObject  (320, ...  (320, ... "\Device\WinDfs\U:00000000000091f5", 66, ) , 66, ) == 0x0
 02297   368   NtClose  (320, ... ) == 0x0
 02298   368   NtQueryVolumeInformationFile  (284, 1233124, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02299   368   NtClose  (284, ... ) == 0x0
 02300   368   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02301   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 284, ) }, ... 284, ) == 0x0
 02302   368   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 320, ) }, ... 320, ) == 0x0
 02303   368   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02304   368   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02305   368   NtClose  (320, ... ) == 0x0
 02306   368   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02307   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02308   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02309   368   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02311   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02312   368   NtClose  (320, ... ) == 0x0
 02313   368   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02314   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02315   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02316   368   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02318   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02319   368   NtClose  (320, ... ) == 0x0
 02320   368   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02321   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02322   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02323   368   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02324   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02325   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02326   368   NtClose  (320, ... ) == 0x0
 02327   368   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02328   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02329   368   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02330   368   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02331   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02332   368   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02333   368   NtClose  (320, ... ) == 0x0
 02334   368   NtClose  (284, ... ) == 0x0
 02335   368   NtQueryDefaultLocale  (1, 1232676, ... ) == 0x0
 02336   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02337   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02338   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02339   368   NtClose  (284, ... ) == 0x0
 02340   368   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 12288, ) == 0x0
 02341   368   NtClose  (320, ... ) == 0x0
 02342   368   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02343   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02344   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02345   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02346   368   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02347   368   NtClose  (320, ... ) == 0x0
 02348   368   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02349   368   NtClose  (284, ... ) == 0x0
 02350   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 284, ) }, ... 284, ) == 0x0
 02351   368   NtQueryValueKey  (284,  (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02352   368   NtClose  (284, ... ) == 0x0
 02353   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02354   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02355   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02356   368   NtClose  (284, ... ) == 0x0
 02357   368   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 40960, ) == 0x0
 02358   368   NtClose  (320, ... ) == 0x0
 02359   368   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02360   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02361   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02362   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02363   368   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02364   368   NtClose  (320, ... ) == 0x0
 02365   368   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02366   368   NtClose  (284, ... ) == 0x0
 02367   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1230192, ... ) }, 1230192, ... ) == 0x0
 02369   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02370   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02371   368   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02372   368   NtClose  (284, ... ) == 0x0
 02373   368   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02374   368   NtClose  (320, ... ) == 0x0
 02375   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1230192, ... ) }, 1230192, ... ) == 0x0
 02377   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02378   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02379   368   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02380   368   NtClose  (320, ... ) == 0x0
 02381   368   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02382   368   NtClose  (284, ... ) == 0x0
 02383   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02384   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1229388, ... ) }, 1229388, ... ) == 0x0
 02385   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02386   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02387   368   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02388   368   NtClose  (284, ... ) == 0x0
 02389   368   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02390   368   NtClose  (320, ... ) == 0x0
 02391   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1229388, ... ) }, 1229388, ... ) == 0x0
 02393   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02394   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02395   368   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02396   368   NtClose  (320, ... ) == 0x0
 02397   368   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02398   368   NtClose  (284, ... ) == 0x0
 02399   368   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 284, ) }, ... 284, ) == 0x0
 02400   368   NtQueryValueKey  (284,  (284, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   368   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 320, ) == 0x0
 02402   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02403   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02404   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02405   368   NtClose  (316, ... ) == 0x0
 02406   368   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 24576, ) == 0x0
 02407   368   NtClose  (324, ... ) == 0x0
 02408   368   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02409   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02410   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02411   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02412   368   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02413   368   NtClose  (324, ... ) == 0x0
 02414   368   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02415   368   NtClose  (316, ... ) == 0x0
 02416   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02417   368   NtQueryValueKey  (316,  (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02418   368   NtClose  (316, ... ) == 0x0
 02419   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02420   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02421   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02422   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02423   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == 0x0
 02424   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02425   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02426   368   NtClose  (316, ... ) == 0x0
 02427   368   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 122880, ) == 0x0
 02428   368   NtClose  (324, ... ) == 0x0
 02429   368   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02430   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02431   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02432   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02433   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02434   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == 0x0
 02435   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02436   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02437   368   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02438   368   NtClose  (324, ... ) == 0x0
 02439   368   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02440   368   NtClose  (316, ... ) == 0x0
 02441   368   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02442   368   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02443   368   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02444   368   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02445   368   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02446   368   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02447   368   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02448   368   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02449   368   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02450   368   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02451   368   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02452   368   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02453   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02454   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 26738688, 65536, ) == 0x0
 02455   368   NtAllocateVirtualMemory  (-1, 26738688, 0, 4096, 4096, 4, ... 26738688, 4096, ) == 0x0
 02456   368   NtAllocateVirtualMemory  (-1, 26742784, 0, 8192, 4096, 4, ... 26742784, 8192, ) == 0x0
 02457   368   NtAllocateVirtualMemory  (-1, 26750976, 0, 4096, 4096, 4, ... 26750976, 4096, ) == 0x0
 02458   368   NtQueryPerformanceCounter  (... {108668494, 0}, {3579545, 0}, ) == 0x0
 02459   368   NtRaiseException  (1230488, 1229748, 1, ...
 02460   368   NtContinue  (1228544, 0, ...
 02461   368   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 316, ) }, ... 316, ) == 0x0
 02462   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02463   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02464   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02465   368   NtRaiseException  (1220464, 1219724, 1, ...
 02466   368   NtContinue  (1218520, 0, ...
 02467   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02468   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02470   368   NtRaiseException  (1222224, 1221484, 1, ...
 02471   368   NtContinue  (1220280, 0, ...
 02472   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02473   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02474   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02475   368   NtRaiseException  (1222228, 1221488, 1, ...
 02476   368   NtContinue  (1220284, 0, ...
 02477   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02478   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02479   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02480   368   NtRaiseException  (1222224, 1221484, 1, ...
 02481   368   NtContinue  (1220280, 0, ...
 02482   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02483   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02484   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02485   368   NtRaiseException  (1222228, 1221488, 1, ...
 02486   368   NtContinue  (1220284, 0, ...
 02487   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02488   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02489   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02490   368   NtRaiseException  (1222224, 1221484, 1, ...
 02491   368   NtContinue  (1220280, 0, ...
 02492   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02493   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02495   368   NtRaiseException  (1222228, 1221488, 1, ...
 02496   368   NtContinue  (1220284, 0, ...
 02497   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02498   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02499   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02500   368   NtRaiseException  (1222224, 1221484, 1, ...
 02501   368   NtContinue  (1220280, 0, ...
 02502   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02503   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02504   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02505   368   NtRaiseException  (1222228, 1221488, 1, ...
 02506   368   NtContinue  (1220284, 0, ...
 02507   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02508   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02509   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02510   368   NtRaiseException  (1222224, 1221484, 1, ...
 02511   368   NtContinue  (1220280, 0, ...
 02512   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02513   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02514   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02515   368   NtRaiseException  (1222228, 1221488, 1, ...
 02516   368   NtContinue  (1220284, 0, ...
 02517   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02518   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02519   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02520   368   NtRaiseException  (1222224, 1221484, 1, ...
 02521   368   NtContinue  (1220280, 0, ...
 02522   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02523   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02524   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02525   368   NtRaiseException  (1222228, 1221488, 1, ...
 02526   368   NtContinue  (1220284, 0, ...
 02527   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02528   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02529   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02530   368   NtRaiseException  (1222224, 1221484, 1, ...
 02531   368   NtContinue  (1220280, 0, ...
 02532   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02533   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02534   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02535   368   NtRaiseException  (1222228, 1221488, 1, ...
 02536   368   NtContinue  (1220284, 0, ...
 02537   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02538   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02540   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02541   368   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 324, ) == 0x0
 02542   368   NtQueryInformationProcess  (324, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02543   368   NtClose  (324, ... ) == 0x0
 02544   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02545   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02546   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 02547   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02548   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02549   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229704,  (0xc0100080, {24, 0, 0x40, 0, 1229704, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02550   368   NtSetInformationFile  (328, 1229760, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02551   368   NtSetInformationFile  (328, 1229752, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02552   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02553   368   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02554   368   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02555   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02556   368   NtClose  (324, ... ) == 0x0
 02557   368   NtClose  (328, ... ) == 0x0
 02558   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02559   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02560   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02561   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02562   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229704,  (0xc0100080, {24, 0, 0x40, 0, 1229704, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02563   368   NtSetInformationFile  (324, 1229760, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02564   368   NtSetInformationFile  (324, 1229752, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02565   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02566   368   NtWriteFile  (324, 129, 0, 0,  (324, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02567   368   NtReadFile  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02568   368   NtFsControlFile  (324, 129, 0x0, 0x0, 0x11c017,  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02569   368   NtClose  (328, ... ) == 0x0
 02570   368   NtClose  (324, ... ) == 0x0
 02571   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02572   368   NtQueryKey  (324, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02573   368   NtQuerySecurityObject  (324, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02574   368   NtQuerySecurityObject  (324, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02575   368   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 26804224, 524288, ) == 0x0
 02576   368   NtAllocateVirtualMemory  (-1, 26804224, 0, 4096, 4096, 4, ... 26804224, 4096, ) == 0x0
 02577   368   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02578   368   NtClose  (324, ... ) == 0x0
 02579   368   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02580   368   NtFsControlFile  (324, 0, 0x0, 0x0, 0x600bc,  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02581   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02582   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02583   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02584   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02585   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231144,  (0xc0100080, {24, 0, 0x40, 0, 1231144, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02586   368   NtSetInformationFile  (332, 1231200, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02587   368   NtSetInformationFile  (332, 1231192, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02588   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02589   368   NtWriteFile  (332, 129, 0, 0,  (332, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02590   368   NtReadFile  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\275$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02591   368   NtFsControlFile  (332, 129, 0x0, 0x0, 0x11c017,  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\220\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\275$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\220\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\275$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02592   368   NtClose  (328, ... ) == 0x0
 02593   368   NtClose  (332, ... ) == 0x0
 02594   368   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02595   368   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02596   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02597   368   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02598   368   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02599   368   NtClose  (332, ... ) == 0x0
 02600   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02601   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02602   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02603   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02604   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231180,  (0xc0100080, {24, 0, 0x40, 0, 1231180, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02605   368   NtSetInformationFile  (328, 1231236, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02606   368   NtSetInformationFile  (328, 1231228, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02607   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02608   368   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02609   368   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20^#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02610   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20^#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20^#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02611   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02612   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02613   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\324h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02614   368   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\325h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02615   368   NtClose  (332, ... ) == 0x0
 02616   368   NtClose  (328, ... ) == 0x0
 02617   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02618   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02619   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02620   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02621   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == 0x0
 02622   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02623   368   NtQueryValueKey  (328,  (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 02624   368   NtClose  (328, ... ) == 0x0
 02625   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02626   368   NtQueryValueKey  (328,  (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 02627   368   NtClose  (328, ... ) == 0x0
 02628   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 02629   368   NtQueryValueKey  (328,  (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02630   368   NtClose  (328, ... ) == 0x0
 02631   368   NtRaiseException  (1221148, 1220408, 1, ...
 02632   368   NtContinue  (1219204, 0, ...
 02633   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02634   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02636   368   NtRaiseException  (1221144, 1220404, 1, ...
 02637   368   NtContinue  (1219200, 0, ...
 02638   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02639   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02641   368   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1231812, 0,  (0x1f0001, {24, 52, 0x80, 1231812, 0, "HGFSMUTEX"}, 1, ... 328, ) }, 1, ... 328, ) == 0x0
 02642   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02643   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02645   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == 0x0
 02646   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02647   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 02648   368   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02649   368   NtClose  (332, ... ) == 0x0
 02650   368   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 02651   368   NtClose  (336, ... ) == 0x0
 02652   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02653   368   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 336, ) }, 0, 2147483647, ... 336, ) == STATUS_OBJECT_NAME_EXISTS
 02654   368   NtReleaseSemaphore  (336, 1, ... 0, ) == 0x0
 02655   368   NtWaitForSingleObject  (336, 0, {0, 0}, ... ) == 0x0
 02656   368   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02657   368   NtQueryValueKey  (332,  (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 02658   368   NtClose  (332, ... ) == 0x0
 02659   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1229364, ... ) }, 1229364, ... ) == 0x0
 02660   368   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02661   368   NtSetValueKey  (332,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 02662   368   NtClose  (332, ... ) == 0x0
 02663   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02664   368   NtQueryDirectoryFile  (332, 0, 0, 0, 1229504, 616, BothDirectory, 1,  (332, 0, 0, 0, 1229504, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 02665   368   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 02666   368   NtRaiseException  (1220784, 1220044, 1, ...
 02667   368   NtContinue  (1218840, 0, ...
 02668   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02669   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02670   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02671   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1231812, 1231388,  (0xc0100080, {24, 0, 0x40, 1231812, 1231388, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02672   368   NtRaiseException  (1220784, 1220044, 1, ...
 02673   368   NtContinue  (1218840, 0, ...
 02674   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02675   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02677   368   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231812, 0,  (0xf0007, {24, 52, 0x80, 1231812, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 340, ... 344, ) }, {27876, 0}, 4, 134217728, 340, ... 344, ) == 0x0
 02678   368   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1a20000), {0, 0}, 28672, ) == 0x0
 02679   368   NtReleaseMutant  (328, ... 0x0, ) == 0x0
 02680   368   NtRaiseException  (1222200, 1221460, 1, ...
 02681   368   NtContinue  (1220256, 0, ...
 02682   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02683   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02684   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02685   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232856, 1232444,  (0xc0100080, {24, 0, 0x40, 1232856, 1232444, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 02686   368   NtDeviceIoControlFile  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 02687   368   NtClose  (348, ... ) == 0x0
 02688   368   NtRaiseException  (1222180, 1221440, 1, ...
 02689   368   NtContinue  (1220236, 0, ...
 02690   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02691   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02692   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02693   368   NtRaiseException  (1222200, 1221460, 1, ...
 02694   368   NtContinue  (1220256, 0, ...
 02695   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02696   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02697   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02698   368   NtAllocateVirtualMemory  (-1, 1466368, 0, 20480, 4096, 4, ... 1466368, 20480, ) == 0x0
 02699   368   NtAllocateVirtualMemory  (-1, 1486848, 0, 20480, 4096, 4, ... 1486848, 20480, ) == 0x0
 02700   368   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02701   368   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02702   368   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 02703   368   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 02704   368   NtClose  (348, ... ) == 0x0
 02705   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02706   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02707   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02708   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02709   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231120,  (0xc0100080, {24, 0, 0x40, 0, 1231120, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02710   368   NtSetInformationFile  (352, 1231176, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02711   368   NtSetInformationFile  (352, 1231168, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02712   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02713   368   NtWriteFile  (352, 129, 0, 0,  (352, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02714   368   NtReadFile  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20_#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02715   368   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20_#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20_#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02716   368   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02717   368   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02718   368   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\326h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02719   368   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\327h\23\230^F\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02720   368   NtClose  (348, ... ) == 0x0
 02721   368   NtClose  (352, ... ) == 0x0
 02722   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02723   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02724   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02725   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02726   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231212,  (0xc0100080, {24, 0, 0x40, 0, 1231212, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02727   368   NtSetInformationFile  (348, 1231268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02728   368   NtSetInformationFile  (348, 1231260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02729   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02730   368   NtWriteFile  (348, 129, 0, 0,  (348, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02731   368   NtReadFile  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\36*\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02732   368   NtFsControlFile  (348, 129, 0x0, 0x0, 0x11c017,  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\36*\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\36*\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02733   368   NtClose  (352, ... ) == 0x0
 02734   368   NtClose  (348, ... ) == 0x0
 02735   368   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02736   368   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02737   368   NtClose  (348, ... ) == 0x0
 02738   368   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02739   368   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02740   368   NtClose  (348, ... ) == 0x0
 02741   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02742   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02743   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02744   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02745   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02746   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02747   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   368   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02750   368   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02751   368   NtClose  (348, ... ) == 0x0
 02752   368   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02753   368   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02754   368   NtClose  (348, ... ) == 0x0
 02755   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02756   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02757   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02759   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02761   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02763   368   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02764   368   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02765   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02766   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02767   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02768   368   NtClose  (348, ... ) == 0x0
 02769   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02770   368   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Network"}, ... 352, ) }, ... 352, ) == 0x0
 02771   368   NtClose  (348, ... ) == 0x0
 02772   368   NtQueryKey  (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 02773   368   NtQuerySecurityObject  (352, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02774   368   NtQuerySecurityObject  (352, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02775   368   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02776   368   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 02777   368   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "f"}, ... 348, ) }, ... 348, ) == 0x0
 02778   368   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02779   368   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02780   368   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02781   368   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02782   368   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02783   368   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02784   368   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02785   368   NtClose  (348, ... ) == 0x0
 02786   368   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 02787   368   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "u"}, ... 348, ) }, ... 348, ) == 0x0
 02788   368   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02789   368   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02790   368   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02791   368   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02792   368   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02793   368   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02794   368   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02795   368   NtClose  (348, ... ) == 0x0
 02796   368   NtClose  (352, ... ) == 0x0
 02797   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02798   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02799   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02800   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02801   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02802   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02803   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 352, ) }, ... 352, ) == 0x0
 02804   368   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02805   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02806   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02807   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02808   368   NtClose  (348, ... ) == 0x0
 02809   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   368   NtEnumerateKey  (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 02811   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02812   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02813   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 348, ) }, ... 348, ) == 0x0
 02814   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 02815   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02816   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02817   368   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02818   368   NtClose  (356, ... ) == 0x0
 02819   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   368   NtQueryValueKey  (350,  (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02821   368   NtClose  (350, ... ) == 0x0
 02822   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02823   368   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 348, {status=0x0, info=1}, ) }, 3, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02824   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 356, ) }, ... 356, ) == 0x0
 02825   368   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\WinDfs\U:00000000000091f5", 66, ) , 66, ) == 0x0
 02826   368   NtClose  (356, ... ) == 0x0
 02827   368   NtQueryVolumeInformationFile  (348, 1232532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02828   368   NtClose  (348, ... ) == 0x0
 02829   368   NtEnumerateKey  (354, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02830   368   NtClose  (354, ... ) == 0x0
 02831   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02832   368   NtQueryDirectoryFile  (352, 0, 0, 0, 1231320, 616, BothDirectory, 1,  (352, 0, 0, 0, 1231320, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02833   368   NtClose  (352, ... ) == 0x0
 02834   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02835   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 352, ) }, ... 352, ) == 0x0
 02837   368   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02838   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02839   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02840   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02841   368   NtClose  (348, ... ) == 0x0
 02842   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02843   368   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02844   368   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02845   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02846   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02847   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02848   368   NtClose  (348, ... ) == 0x0
 02849   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02850   368   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 02851   368   NtClose  (354, ... ) == 0x0
 02852   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02853   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02854   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02855   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02856   368   NtQueryValueKey  (352,  (352, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02857   368   NtClose  (352, ... ) == 0x0
 02858   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02859   368   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 02860   368   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02861   368   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02862   368   NtClose  (352, ... ) == 0x0
 02863   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02864   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02865   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02866   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02867   368   NtQueryValueKey  (352,  (352, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02868   368   NtClose  (352, ... ) == 0x0
 02869   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02870   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02871   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02872   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02873   368   NtQueryValueKey  (352,  (352, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02874   368   NtClose  (352, ... ) == 0x0
 02875   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02876   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02877   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02878   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02879   368   NtQueryValueKey  (352,  (352, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02880   368   NtClose  (352, ... ) == 0x0
 02881   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02882   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02883   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02884   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02885   368   NtQueryValueKey  (352,  (352, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02886   368   NtClose  (352, ... ) == 0x0
 02887   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02888   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02889   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02890   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02891   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02892   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02893   368   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02894   368   NtClose  (352, ... ) == 0x0
 02895   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02896   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02897   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02899   368   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02900   368   NtClose  (352, ... ) == 0x0
 02901   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02902   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02903   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02904   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02905   368   NtQueryValueKey  (352,  (352, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02906   368   NtClose  (352, ... ) == 0x0
 02907   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02908   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02909   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02910   368   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "Advanced"}, ... 352, ) }, ... 352, ) == 0x0
 02911   368   NtQueryValueKey  (352,  (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 02912   368   NtQueryValueKey  (352,  (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02913   368   NtQueryValueKey  (352,  (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02914   368   NtQueryValueKey  (352,  (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02915   368   NtQueryValueKey  (352,  (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02916   368   NtQueryValueKey  (352,  (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02917   368   NtQueryValueKey  (352,  (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02918   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02919   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02920   368   NtQueryValueKey  (352,  (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02921   368   NtQueryValueKey  (352,  (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02922   368   NtQueryValueKey  (352,  (352, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02923   368   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02924   368   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02925   368   NtClose  (352, ... ) == 0x0
 02926   368   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 352, ) }, 0, 2147483647, ... 352, ) == STATUS_OBJECT_NAME_EXISTS
 02927   368   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 02928   368   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 02929   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02930   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02931   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02932   368   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02933   368   NtClose  (356, ... ) == 0x0
 02934   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02935   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02936   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02937   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02938   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02939   368   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02940   368   NtClose  (356, ... ) == 0x0
 02941   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02942   368   NtQueryValueKey  (350,  (350, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02943   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02944   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02945   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02946   368   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02947   368   NtClose  (356, ... ) == 0x0
 02948   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02949   368   NtQueryValueKey  (350,  (350, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02950   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02951   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02952   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02953   368   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02954   368   NtClose  (356, ... ) == 0x0
 02955   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02956   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02957   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02958   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02959   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 356, ) }, ... 356, ) == 0x0
 02960   368   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 02961   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02962   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02963   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02964   368   NtClose  (360, ... ) == 0x0
 02965   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02966   368   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02967   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02968   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02969   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02970   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02971   368   NtClose  (360, ... ) == 0x0
 02972   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02973   368   NtQueryValueKey  (350,  (350, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02974   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02975   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02976   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02977   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02978   368   NtClose  (360, ... ) == 0x0
 02979   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02980   368   NtQueryValueKey  (350,  (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02981   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02982   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02983   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02984   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02985   368   NtClose  (360, ... ) == 0x0
 02986   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02987   368   NtQueryValueKey  (350,  (350, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02988   368   NtClose  (350, ... ) == 0x0
 02989   368   NtClose  (358, ... ) == 0x0
 02990   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02991   368   NtQueryDirectoryFile  (356, 0, 0, 0, 1231244, 616, BothDirectory, 1,  (356, 0, 0, 0, 1231244, 616, BothDirectory, 1, "hbyzpr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02992   368   NtClose  (356, ... ) == 0x0
 02993   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02994   368   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "FileExts"}, ... 356, ) }, ... 356, ) == 0x0
 02995   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02996   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02997   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02998   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02999   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03000   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 348, ) }, ... 348, ) == 0x0
 03001   368   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03002   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03003   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03004   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03005   368   NtClose  (360, ... ) == 0x0
 03006   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03007   368   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03008   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03009   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03010   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 360, ) }, ... 360, ) == 0x0
 03011   368   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03012   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03013   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03014   368   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03015   368   NtClose  (364, ... ) == 0x0
 03016   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03017   368   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03018   368   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03019   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03020   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03021   368   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03022   368   NtClose  (364, ... ) == 0x0
 03023   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024   368   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0, ""}, ... 364, ) == 0x0
 03025   368   NtClose  (362, ... ) == 0x0
 03026   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03027   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03028   368   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03029   368   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03030   368   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03031   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03032   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03033   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03034   368   NtClose  (360, ... ) == 0x0
 03035   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03036   368   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03037   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03038   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03041   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03043   368   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03044   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03045   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03046   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03047   368   NtClose  (368, ... ) == 0x0
 03048   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049   368   NtQueryValueKey  (362,  (362, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03050   368   NtClose  (362, ... ) == 0x0
 03051   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03052   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03053   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03054   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03055   368   NtClose  (360, ... ) == 0x0
 03056   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03057   368   NtQueryValueKey  (366,  (366, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03058   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03059   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03060   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03061   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03062   368   NtClose  (360, ... ) == 0x0
 03063   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03064   368   NtQueryValueKey  (366,  (366, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03065   368   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03066   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03067   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03068   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03069   368   NtClose  (360, ... ) == 0x0
 03070   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03071   368   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03072   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03073   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03074   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 360, ) }, ... 360, ) == 0x0
 03075   368   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03076   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03077   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03078   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03079   368   NtClose  (368, ... ) == 0x0
 03080   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03081   368   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03082   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03083   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03084   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03085   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03086   368   NtClose  (368, ... ) == 0x0
 03087   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03088   368   NtQueryValueKey  (366,  (366, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03089   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03090   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03091   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03092   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03093   368   NtClose  (368, ... ) == 0x0
 03094   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03095   368   NtQueryValueKey  (366,  (366, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03096   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03097   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03098   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03099   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03100   368   NtClose  (368, ... ) == 0x0
 03101   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03102   368   NtQueryValueKey  (366,  (366, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03103   368   NtClose  (350, ... ) == 0x0
 03104   368   NtClose  (366, ... ) == 0x0
 03105   368   NtClose  (362, ... ) == 0x0
 03106   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03107   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03109   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03111   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03112   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03113   368   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03114   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03115   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03116   368   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03117   368   NtClose  (364, ... ) == 0x0
 03118   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03119   368   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03120   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03121   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03122   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 364, ) }, ... 364, ) == 0x0
 03123   368   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03124   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03125   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03126   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03127   368   NtClose  (348, ... ) == 0x0
 03128   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03129   368   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03130   368   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03131   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03132   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03133   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03134   368   NtClose  (348, ... ) == 0x0
 03135   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   368   NtOpenKey  (0x2000000, {24, 366, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03137   368   NtClose  (366, ... ) == 0x0
 03138   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03139   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03140   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03141   368   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03142   368   NtClose  (364, ... ) == 0x0
 03143   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03144   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03145   368   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03146   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03147   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03148   368   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03149   368   NtClose  (364, ... ) == 0x0
 03150   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03151   368   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03152   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03153   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03154   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03155   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03156   368   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03157   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03158   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03159   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03160   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03161   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03162   368   NtClose  (368, ... ) == 0x0
 03163   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   368   NtQueryValueKey  (366,  (366, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   368   NtClose  (366, ... ) == 0x0
 03166   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03167   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 364, ) }, ... 364, ) == 0x0
 03169   368   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03170   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03171   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03172   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03173   368   NtClose  (368, ... ) == 0x0
 03174   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   368   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   368   NtClose  (362, ... ) == 0x0
 03177   368   NtClose  (350, ... ) == 0x0
 03178   368   NtClose  (366, ... ) == 0x0
 03179   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03180   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03181   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03182   368   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03183   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03184   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03185   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03186   368   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03187   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03188   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03189   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03190   368   NtClose  (348, ... ) == 0x0
 03191   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   368   NtQueryValueKey  (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03193   368   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03194   368   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03195   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 348, ) }, ... 348, ) == 0x0
 03196   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03197   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03198   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03199   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03200   368   NtClose  (360, ... ) == 0x0
 03201   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03202   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03203   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03204   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03205   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03206   368   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03207   368   NtClose  (360, ... ) == 0x0
 03208   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03209   368   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0, ""}, ... 360, ) == 0x0
 03210   368   NtClose  (350, ... ) == 0x0
 03211   368   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03212   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03213   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03214   368   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03215   368   NtClose  (348, ... ) == 0x0
 03216   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03217   368   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "shell\open"}, ... 348, ) }, ... 348, ) == 0x0
 03218   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03219   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03220   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03221   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03222   368   NtClose  (368, ... ) == 0x0
 03223   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03224   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03225   368   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03226   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03227   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03228   368   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03229   368   NtClose  (372, ... ) == 0x0
 03230   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03231   368   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03232   368   NtClose  (370, ... ) == 0x0
 03233   368   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03234   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03235   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03236   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03237   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03238   368   NtClose  (368, ... ) == 0x0
 03239   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03240   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03241   368   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03242   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03243   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03244   368   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03245   368   NtClose  (372, ... ) == 0x0
 03246   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03247   368   NtQueryValueKey  (370,  (370, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03248   368   NtClose  (370, ... ) == 0x0
 03249   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hbyzpr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03250   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03251   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03252   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03253   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03254   368   NtClose  (368, ... ) == 0x0
 03255   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03256   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03257   368   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03258   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03259   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03260   368   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03261   368   NtClose  (372, ... ) == 0x0
 03262   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03263   368   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03264   368   NtClose  (370, ... ) == 0x0
 03265   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03266   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03267   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03268   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03269   368   NtClose  (368, ... ) == 0x0
 03270   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03271   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   368   NtUserGetForegroundWindow  (... ) == 0x2005e
 03273   368   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03274   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03275   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03276   368   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03277   368   NtClose  (368, ... ) == 0x0
 03278   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03279   368   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03280   368   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03281   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03282   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03283   368   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03284   368   NtClose  (372, ... ) == 0x0
 03285   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03286   368   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03287   368   NtClose  (370, ... ) == 0x0
 03288   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03289   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03290   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03291   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03292   368   NtQueryValueKey  (368,  (368, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03293   368   NtClose  (368, ... ) == 0x0
 03294   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03295   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03296   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03297   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03298   368   NtQueryValueKey  (368,  (368, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299   368   NtClose  (368, ... ) == 0x0
 03300   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\hbyzpr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03302   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hbyzpr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   368   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03304   368   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03305   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03306   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03307   368   NtQueryValueKey  (368,  (368, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03308   368   NtClose  (368, ... ) == 0x0
 03309   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hbyzpr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03310   368   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03311   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1227728, ... ) }, 1227728, ... ) == 0x0
 03312   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03313   368   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03314   368   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03315   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 372, ) }, ... 372, ) == 0x0
 03316   368   NtQueryValueKey  (372,  (372, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03317   368   NtClose  (372, ... ) == 0x0
 03318   368   NtQueryVolumeInformationFile  (368, 1227728, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03319   368   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03320   368   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03321   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1225712, ... ) }, 1225712, ... ) == 0x0
 03322   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03323   368   NtQueryInformationFile  (372, 1226316, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03324   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0
 03325   368   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1a30000), 0x0, 1028096, ) == 0x0
 03326   368   NtQueryInformationFile  (372, 1226412, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03327   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03328   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03329   368   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03330   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03331   368   NtQueryDirectoryFile  (380, 0, 0, 0, 1223976, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223976, 616, BothDirectory, 1, "hbyzpr.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03332   368   NtClose  (380, ... ) == 0x0
 03333   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03334   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03335   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1223364, ... ) }, 1223364, ... ) == 0x0
 03336   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03337   368   NtQueryDirectoryFile  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03338   368   NtClose  (380, ... ) == 0x0
 03339   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03340   368   NtQueryDirectoryFile  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1, "hbyzpr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03341   368   NtClose  (380, ... ) == 0x0
 03342   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03343   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03344   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03345   368   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 380, {status=0x0, info=1}, ) }, 3, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 03346   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 384, ) }, ... 384, ) == 0x0
 03347   368   NtQuerySymbolicLinkObject  (384, ...  (384, ... "\Device\WinDfs\U:00000000000091f5", 66, ) , 66, ) == 0x0
 03348   368   NtClose  (384, ... ) == 0x0
 03349   368   NtQueryVolumeInformationFile  (380, 1224116, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03350   368   NtClose  (380, ... ) == 0x0
 03351   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03352   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 380, ) == 0x0
 03353   368   NtQueryInformationToken  (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03354   368   NtClose  (380, ... ) == 0x0
 03355   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03356   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\hbyzpr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03357   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03358   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03359   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hbyzpr.bat"}, 1225644, ... ) }, 1225644, ... ) == 0x0
 03360   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03361   368   NtQueryDirectoryFile  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03362   368   NtClose  (380, ... ) == 0x0
 03363   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03364   368   NtQueryDirectoryFile  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1, "hbyzpr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03365   368   NtClose  (380, ... ) == 0x0
 03366   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03367   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03368   368   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03369   368   NtQueryVolumeInformationFile  (368, 1226288, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03370   368   NtQueryInformationFile  (368, 1226268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03371   368   NtQueryInformationFile  (368, 1226308, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03372   368   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03373   368   NtUnmapViewOfSection  (-1, 0x1a30000, ... ) == 0x0
 03374   368   NtClose  (376, ... ) == 0x0
 03375   368   NtClose  (372, ... ) == 0x0
 03376   368   NtClose  (368, ... ) == 0x0
 03377   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03378   368   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03379   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == 0x0
 03380   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03381   368   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03382   368   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... 372, ) == 0x0
 03383   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03384   368   NtQuerySection  (372, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03385   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03386   368   NtCreateProcessEx  (1230356, 2035711, 0, -1, 0, 372, 0, 0, 0, ... ) == 0x0
 03387   368   NtSetInformationProcess  (376, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03388   368   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=316,}, 0x0, ) == 0x0
 03389   368   NtReadVirtualMemory  (376, 0x7ffdf008, 4, ...  (376, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03390   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03391   368   NtReadVirtualMemory  (376, 0x4ad00000, 4096, ...  (376, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03392   368   NtReadVirtualMemory  (376, 0x4ad3b000, 256, ...  (376, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03393   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03394   368   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=316,}, 0x0, ) == 0x0
 03395   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03396   368   NtAllocateVirtualMemory  (-1, 0, 0, 1644, 4096, 4, ... 27459584, 4096, ) == 0x0
 03397   368   NtAllocateVirtualMemory  (376, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03398   368   NtWriteVirtualMemory  (376, 0x10000,  (376, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03399   368   NtAllocateVirtualMemory  (376, 0, 0, 1644, 4096, 4, ... 131072, 4096, ) == 0x0
 03400   368   NtWriteVirtualMemory  (376, 0x20000,  (376, 0x20000, "\0\20\0\0l\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0<\0>\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\20\6\0\0\36\0 \0H\6\0\0\0\0\2\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1644, ... 0x0, ) , 1644, ... 0x0, ) == 0x0
 03401   368   NtWriteVirtualMemory  (376, 0x7ffdf010,  (376, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03402   368   NtWriteVirtualMemory  (376, 0x7ffdf1e8,  (376, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03403   368   NtFreeVirtualMemory  (-1, (0x1a30000), 0, 32768, ... (0x1a30000), 4096, ) == 0x0
 03404   368   NtAllocateVirtualMemory  (376, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03405   368   NtAllocateVirtualMemory  (376, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03406   368   NtCreateThread  (0x1f03ff, 0x0, 376, 1228620, 1229340, 1, ... 380, {964, 968}, ) == 0x0
 03407   368   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1588, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 368, 1588, 0}  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1588, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03408   368   NtResumeThread  (380, ... 1, ) == 0x0
 03409   368   NtClose  (368, ... ) == 0x0
 03410   368   NtClose  (372, ... ) == 0x0
 03411   368   NtClose  (350, ... ) == 0x0
 03412   368   NtClose  (366, ... ) == 0x0
 03413   368   NtClose  (362, ... ) == 0x0
 03414   368   NtClose  (376, ... ) == 0x0
 03415   368   NtClose  (380, ... ) == 0x0
 03416   368   NtGdiDeleteObjectApp  (101188697, ... ) == 0x1
 03417   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03418   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03419   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03420   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03421   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03422   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03423   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03424   368   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03425   368   NtUnmapViewOfSection  (-1, 0x1460000, ... ) == 0x0
 03426   368   NtClose  (280, ... ) == 0x0
 03427   368   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03428   368   NtUserDestroyWindow  (65760, ...
 03429   368   NtUserRemoveProp  (65760, 43288, ... ) == 0xffffffff
 03430   368   NtUserRemoveProp  (65760, 43282, ... ) == 0x0
 03431   368   NtUserRemoveProp  (65760, 43287, ... ) == 0x0
 03428   368   NtUserDestroyWindow  ... ) == 0x1
 03432   368   NtUserUnregisterClass  (1233800, 1998258176, 1233788, ... ) == 0x1
 03433   368   NtFreeVirtualMemory  (-1, (0x152000), 12288, 16384, ... (0x152000), 12288, ) == 0x0
 03434   368   NtClose  (184, ... ) == 0x0
 03435   368   NtClose  (176, ... ) == 0x0
 03436   368   NtClose  (180, ... ) == 0x0
 03437   368   NtClose  (156, ... ) == 0x0
 03438   368   NtClose  (172, ... ) == 0x0
 03439   368   NtClose  (204, ... ) == 0x0
 03440   368   NtClose  (208, ... ) == 0x0
 03441   368   NtClose  (200, ... ) == 0x0
 03442   368   NtClose  (192, ... ) == 0x0
 03443   368   NtClose  (196, ... ) == 0x0
 03444   368   NtClose  (220, ... ) == 0x0
 03445   368   NtClose  (224, ... ) == 0x0
 03446   368   NtClose  (212, ... ) == 0x0
 03447   368   NtClose  (216, ... ) == 0x0
 03448   368   NtClose  (244, ... ) == 0x0
 03449   368   NtClose  (236, ... ) == 0x0
 03450   368   NtClose  (240, ... ) == 0x0
 03451   368   NtClose  (228, ... ) == 0x0
 03452   368   NtClose  (232, ... ) == 0x0
 03453   368   NtClose  (248, ... ) == 0x0
 03454   368   NtClose  (252, ... ) == 0x0
 03455   368   NtClose  (264, ... ) == 0x0
 03456   368   NtClose  (268, ... ) == 0x0
 03457   368   NtClose  (256, ... ) == 0x0
 03458   368   NtClose  (260, ... ) == 0x0
 03459   368   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03460   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1234676, ... ) }, 1234676, ... ) == 0x0
 03461   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1235368, ... ) }, 1235368, ... ) == 0x0
 03462   368   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 03463   368   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 260, ... 256, ) == 0x0
 03464   368   NtQueryVolumeInformationFile  (260, 1234676, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03465   368   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03466   368   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03467   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 03468   368   NtQueryInformationFile  (268, 1233264, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03469   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 268, ... 264, ) == 0x0
 03470   368   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1a30000), 0x0, 1028096, ) == 0x0
 03471   368   NtQueryInformationFile  (268, 1233360, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03472   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03474   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1230924, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230924, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03475   368   NtClose  (252, ... ) == 0x0
 03476   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03477   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03478   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1230312, ... ) }, 1230312, ... ) == 0x0
 03479   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03480   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03481   368   NtClose  (252, ... ) == 0x0
 03482   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03483   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03484   368   NtClose  (252, ... ) == 0x0
 03485   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03486   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03487   368   NtClose  (252, ... ) == 0x0
 03488   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03489   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03490   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03491   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03492   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 252, ) == 0x0
 03493   368   NtQueryInformationToken  (252, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03494   368   NtClose  (252, ... ) == 0x0
 03495   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\lssas.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03498   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03499   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1232592, ... ) }, 1232592, ... ) == 0x0
 03500   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03501   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03502   368   NtClose  (252, ... ) == 0x0
 03503   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03504   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03505   368   NtClose  (252, ... ) == 0x0
 03506   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03507   368   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03508   368   NtClose  (252, ... ) == 0x0
 03509   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03510   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03511   368   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03512   368   NtQueryVolumeInformationFile  (260, 1233236, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03513   368   NtQueryInformationFile  (260, 1233216, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03514   368   NtQueryInformationFile  (260, 1233256, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03515   368   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03516   368   NtUnmapViewOfSection  (-1, 0x1a30000, ... ) == 0x0
 03517   368   NtClose  (264, ... ) == 0x0
 03518   368   NtClose  (268, ... ) == 0x0
 03519   368   NtQuerySection  (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03520   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lssas.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03521   368   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03522   368   NtOpenProcessToken  (-1, 0xa, ... 268, ) == 0x0
 03523   368   NtQueryInformationToken  (268, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03524   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03525   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03526   368   NtQueryValueKey  (264,  (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03527   368   NtQueryValueKey  (264,  (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03528   368   NtClose  (264, ... ) == 0x0
 03529   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03530   368   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03531   368   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03532   368   NtClose  (264, ... ) == 0x0
 03533   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 264, ) }, ... 264, ) == 0x0
 03534   368   NtQuerySymbolicLinkObject  (264, ...  (264, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03535   368   NtClose  (264, ... ) == 0x0
 03536   368   NtQueryInformationFile  (260, 1233028, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 03537   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03538   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03539   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1231708, ... ) }, 1231708, ... ) == 0x0
 03540   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03541   368   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03542   368   NtClose  (264, ... ) == 0x0
 03543   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03544   368   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03545   368   NtClose  (264, ... ) == 0x0
 03546   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03547   368   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03548   368   NtClose  (264, ... ) == 0x0
 03549   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03550   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03551   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03552   368   NtQueryValueKey  (264,  (264, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553   368   NtClose  (264, ... ) == 0x0
 03554   368   NtQueryInformationToken  (268, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03555   368   NtQueryInformationToken  (268, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03556   368   NtClose  (268, ... ) == 0x0
 03557   368   NtCreateProcessEx  (1237304, 2035711, 0, -1, 4, 256, 0, 0, 0, ... ) == 0x0
 03558   368   NtSetInformationProcess  (268, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03559   368   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1132,ParentPid=316,}, 0x0, ) == 0x0
 03560   368   NtReadVirtualMemory  (268, 0x7ffdf008, 4, ...  (268, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03561   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03562   368   NtReadVirtualMemory  (268, 0x400000, 4096, ...  (268, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0PE\0\0L\1\12\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\340S\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0\206\14\22\0\0\0\0\0\0\0\0\0\340S\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.idata\0\0\0`\1\0\0\20\0\0<7\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03563   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03564   368   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1132,ParentPid=316,}, 0x0, ) == 0x0
 03565   368   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 21364736, 4096, ) == 0x0
 03566   368   NtAllocateVirtualMemory  (268, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03567   368   NtWriteVirtualMemory  (268, 0x10000,  (268, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03568   368   NtAllocateVirtualMemory  (268, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03569   368   NtWriteVirtualMemory  (268, 0x20000,  (268, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0o\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03570   368   NtWriteVirtualMemory  (268, 0x7ffdf010,  (268, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03571   368   NtWriteVirtualMemory  (268, 0x7ffdf1e8,  (268, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03572   368   NtFreeVirtualMemory  (-1, (0x1460000), 0, 32768, ... (0x1460000), 4096, ) == 0x0
 03573   368   NtAllocateVirtualMemory  (268, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03574   368   NtAllocateVirtualMemory  (268, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03575   368   NtProtectVirtualMemory  (268, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03576   368   NtCreateThread  (0x1f03ff, 0x0, 268, 1235568, 1236288, 1, ... 264, {1132, 1084}, ) == 0x0
 03577   368   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0l\4\0\0<\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1612, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0l\4\0\0<\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 368, 1612, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0l\4\0\0<\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1612, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0l\4\0\0<\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03578   368   NtResumeThread  (264, ... 1, ) == 0x0
 03579   368   NtClose  (260, ... ) == 0x0
 03580   368   NtClose  (256, ... ) == 0x0
 03581   368   NtTerminateProcess  (0, 0, ...
 02094   792   NtWaitForMultipleObjects  ... ) == 0xc0
 03581   368   NtTerminateProcess  ... ) == 0x0
 03582   368   NtRaiseException  (1237052, 1236312, 1, ...
 03583   368   NtContinue  (1235108, 0, ...
 03584   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03585   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03586   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03587   368   NtRaiseException  (1227028, 1226288, 1, ...
 03588   368   NtContinue  (1225084, 0, ...
 03589   368   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03590   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03591   368   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03592   368   NtUnmapViewOfSection  (-1, 0x1a20000, ... ) == 0x0
 03593   368   NtClose  (344, ... ) == 0x0
 03594   368   NtClose  (340, ... ) == 0x0
 03595   368   NtClose  (328, ... ) == 0x0
 03596   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03597   368   NtFreeVirtualMemory  (-1, (0x1980000), 0, 32768, ... (0x1980000), 65536, ) == 0x0
 03598   368   NtClose  (320, ... ) == 0x0
 03599   368   NtClose  (324, ... ) == 0x0
 03600   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 03601   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 03602   368   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03603   368   NtClose  (324, ... ) == 0x0
 03604   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03605   368   NtFreeVirtualMemory  (-1, (0x1450000), 0, 32768, ... (0x1450000), 65536, ) == 0x0
 03606   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03607   368   NtFreeVirtualMemory  (-1, (0x1310000), 0, 32768, ... (0x1310000), 262144, ) == 0x0
 03608   368   NtUnmapViewOfSection  (-1, 0x12f0000, ... ) == 0x0
 03609   368   NtClose  (272, ... ) == 0x0
 03610   368   NtFreeVirtualMemory  (-1, (0x1300000), 4096, 16384, ... (0x1300000), 4096, ) == 0x0
 03611   368   NtFreeVirtualMemory  (-1, (0x1300000), 0, 32768, ... (0x1300000), 65536, ) == 0x0
 03612   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03613   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03614   368   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 03615   368   NtClose  (104, ... ) == 0x0
 03616   368   NtGdiDeleteObjectApp  (101712983, ... ) == 0x1
 03617   368   NtUserGetProcessWindowStation  (... ) == 0x28
 03618   368   NtUserBuildNameList  (40, 256, 1331736, 1237692, ... ) == 0x0
 03619   368   NtUserGetProcessWindowStation  (... ) == 0x28
 03620   368   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x68
 03621   368   NtUserBuildHwndList  (104, 0, 0, 0, 64, ... (0x30046, 0x100dc, 0x100aa, 0x60030, 0x20060, 0x2005c, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x30044, 0x10066, 0x30036, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100e2, 0x100d8, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x2005e, 0x100d0, 0x100c6, 0x200ae, 0x100ac, 0x100a6, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10082, 0x10076, 0x1, ), 41, ) == 0x0
 03622   368   NtUserQueryWindow  (196678, 0, ... ) == 0x774
 03623   368   NtUserQueryWindow  (196678, 1, ... ) == 0x784
 03624   368   NtUserQueryWindow  (65756, 0, ... ) == 0x774
 03625   368   NtUserQueryWindow  (65756, 1, ... ) == 0x784
 03626   368   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 03627   368   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 03628   368   NtUserQueryWindow  (393264, 0, ... ) == 0x7dc
 03629   368   NtUserQueryWindow  (393264, 1, ... ) == 0x7e0
 03630   368   NtUserQueryWindow  (131168, 0, ... ) == 0x7dc
 03631   368   NtUserQueryWindow  (131168, 1, ... ) == 0x7e0
 03632   368   NtUserQueryWindow  (131164, 0, ... ) == 0x7dc
 03633   368   NtUserQueryWindow  (131164, 1, ... ) == 0x7e0
 03634   368   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 03635   368   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 03636   368   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 03637   368   NtUserQueryWindow  (65662, 1, ... ) == 0x784
 03638   368   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 03639   368   NtUserQueryWindow  (65664, 0, ... ) == 0x774
 03640   368   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 03641   368   NtUserQueryWindow  (65670, 0, ... ) == 0x774
 03642   368   NtUserQueryWindow  (65670, 1, ... ) == 0x784
 03643   368   NtUserQueryWindow  (65672, 0, ... ) == 0x774
 03644   368   NtUserQueryWindow  (65672, 1, ... ) == 0x784
 03645   368   NtUserQueryWindow  (65674, 0, ... ) == 0x774
 03646   368   NtUserQueryWindow  (65674, 1, ... ) == 0x784
 03647   368   NtUserQueryWindow  (65678, 0, ... ) == 0x774
 03648   368   NtUserQueryWindow  (65678, 1, ... ) == 0x784
 03649   368   NtUserQueryWindow  (65680, 0, ... ) == 0x774
 03650   368   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 03651   368   NtUserQueryWindow  (65682, 0, ... ) == 0x774
 03652   368   NtUserQueryWindow  (65682, 1, ... ) == 0x784
 03653   368   NtUserQueryWindow  (65684, 0, ... ) == 0x774
 03654   368   NtUserQueryWindow  (65684, 1, ... ) == 0x784
 03655   368   NtUserQueryWindow  (65686, 0, ... ) == 0x774
 03656   368   NtUserQueryWindow  (65686, 1, ... ) == 0x784
 03657   368   NtUserQueryWindow  (65690, 0, ... ) == 0x774
 03658   368   NtUserQueryWindow  (65690, 1, ... ) == 0x784
 03659   368   NtUserQueryWindow  (65692, 0, ... ) == 0x774
 03660   368   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 03661   368   NtUserQueryWindow  (65694, 0, ... ) == 0x774
 03662   368   NtUserQueryWindow  (65694, 1, ... ) == 0x784
 03663   368   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 03664   368   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 03665   368   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 03666   368   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 03667   368   NtUserQueryWindow  (196676, 0, ... ) == 0x774
 03668   368   NtUserQueryWindow  (196676, 1, ... ) == 0x784
 03669   368   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 03670   368   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 03671   368   NtUserQueryWindow  (196662, 0, ... ) == 0x774
 03672   368   NtUserQueryWindow  (196662, 1, ... ) == 0x784
 03673   368   NtUserBuildHwndList  (0, 196662, 1, 0, 64, ... (0x30038, 0x3003c, 0x3003a, 0x3003e, 0x30040, 0x30042, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 03674   368   NtUserQueryWindow  (196664, 0, ... ) == 0x774
 03675   368   NtUserQueryWindow  (196664, 1, ... ) == 0x784
 03676   368   NtUserQueryWindow  (196668, 0, ... ) == 0x774
 03677   368   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 03678   368   NtUserQueryWindow  (196666, 0, ... ) == 0x774
 03679   368   NtUserQueryWindow  (196666, 1, ... ) == 0x784
 03680   368   NtUserQueryWindow  (196670, 0, ... ) == 0x774
 03681   368   NtUserQueryWindow  (196670, 1, ... ) == 0x784
 03682   368   NtUserQueryWindow  (196672, 0, ... ) == 0x774
 03683   368   NtUserQueryWindow  (196672, 1, ... ) == 0x784
 03684   368   NtUserQueryWindow  (196674, 0, ... ) == 0x774
 03685   368   NtUserQueryWindow  (196674, 1, ... ) == 0x784
 03686   368   NtUserQueryWindow  (65642, 0, ... ) == 0x774
 03687   368   NtUserQueryWindow  (65642, 1, ... ) == 0x784
 03688   368   NtUserQueryWindow  (65646, 0, ... ) == 0x774
 03689   368   NtUserQueryWindow  (65646, 1, ... ) == 0x784
 03690   368   NtUserQueryWindow  (65650, 0, ... ) == 0x774
 03691   368   NtUserQueryWindow  (65650, 1, ... ) == 0x784
 03692   368   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 03693   368   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 03694   368   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 03695   368   NtUserQueryWindow  (65676, 1, ... ) == 0x784
 03696   368   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 03697   368   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 03698   368   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03699   368   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 03700   368   NtUserQueryWindow  (65762, 0, ... ) == 0x3c4
 03701   368   NtUserQueryWindow  (65762, 1, ... ) == 0x3c8
 03702   368   NtUserQueryWindow  (65752, 0, ... ) == 0x2d8
 03703   368   NtUserQueryWindow  (65752, 1, ... ) == 0x2e0
 03704   368   NtUserQueryWindow  (65746, 0, ... ) == 0x2d8
 03705   368   NtUserQueryWindow  (65746, 1, ... ) == 0x2e0
 03706   368   NtUserQueryWindow  (65726, 0, ... ) == 0x7ec
 03707   368   NtUserQueryWindow  (65726, 1, ... ) == 0x7f0
 03708   368   NtUserQueryWindow  (65724, 0, ... ) == 0x7ec
 03709   368   NtUserQueryWindow  (65724, 1, ... ) == 0x7f0
 03710   368   NtUserQueryWindow  (65722, 0, ... ) == 0x7ec
 03711   368   NtUserQueryWindow  (65722, 1, ... ) == 0x7f0
 03712   368   NtUserQueryWindow  (65720, 0, ... ) == 0x7ec
 03713   368   NtUserQueryWindow  (65720, 1, ... ) == 0x7f0
 03714   368   NtUserQueryWindow  (65718, 0, ... ) == 0x7ec
 03715   368   NtUserQueryWindow  (65718, 1, ... ) == 0x7f0
 03716   368   NtUserQueryWindow  (65716, 0, ... ) == 0x7ec
 03717   368   NtUserQueryWindow  (65716, 1, ... ) == 0x7f0
 03718   368   NtUserQueryWindow  (65714, 0, ... ) == 0x7ec
 03719   368   NtUserQueryWindow  (65714, 1, ... ) == 0x7f0
 03720   368   NtUserQueryWindow  (65712, 0, ... ) == 0x7ec
 03721   368   NtUserQueryWindow  (65712, 1, ... ) == 0x7f0
 03722   368   NtUserQueryWindow  (131166, 0, ... ) == 0x7f8
 03723   368   NtUserQueryWindow  (131166, 1, ... ) == 0x7fc
 03724   368   NtUserQueryWindow  (65744, 0, ... ) == 0x774
 03725   368   NtUserQueryWindow  (65744, 1, ... ) == 0x30c
 03726   368   NtUserQueryWindow  (65734, 0, ... ) == 0x774
 03727   368   NtUserQueryWindow  (65734, 1, ... ) == 0x30c
 03728   368   NtUserBuildHwndList  (0, 65734, 1, 0, 64, ... (0x100c8, 0x100ca, 0x100cc, 0x100ce, 0x1, ), 5, ) == 0x0
 03729   368   NtUserQueryWindow  (65736, 0, ... ) == 0x774
 03730   368   NtUserQueryWindow  (65736, 1, ... ) == 0x30c
 03731   368   NtUserQueryWindow  (65738, 0, ... ) == 0x774
 03732   368   NtUserQueryWindow  (65738, 1, ... ) == 0x30c
 03733   368   NtUserQueryWindow  (65740, 0, ... ) == 0x774
 03734   368   NtUserQueryWindow  (65740, 1, ... ) == 0x30c
 03735   368   NtUserQueryWindow  (65742, 0, ... ) == 0x774
 03736   368   NtUserQueryWindow  (65742, 1, ... ) == 0x30c
 03737   368   NtUserQueryWindow  (131246, 0, ... ) == 0x774
 03738   368   NtUserQueryWindow  (131246, 1, ... ) == 0x784
 03739   368   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 03740   368   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 03741   368   NtUserQueryWindow  (65702, 0, ... ) == 0x7d0
 03742   368   NtUserQueryWindow  (65702, 1, ... ) == 0x7d4
 03743   368   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 03744   368   NtUserQueryWindow  (65644, 1, ... ) == 0x7a0
 03745   368   NtUserQueryWindow  (327754, 0, ... ) == 0x774
 03746   368   NtUserQueryWindow  (327754, 1, ... ) == 0x778
 03747   368   NtUserQueryWindow  (262222, 0, ... ) == 0x774
 03748   368   NtUserQueryWindow  (262222, 1, ... ) == 0x778
 03749   368   NtUserQueryWindow  (327752, 0, ... ) == 0x774
 03750   368   NtUserQueryWindow  (327752, 1, ... ) == 0x778
 03751   368   NtUserQueryWindow  (65666, 0, ... ) == 0x774
 03752   368   NtUserQueryWindow  (65666, 1, ... ) == 0x778
 03753   368   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 03754   368   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 03755   368   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 03756   368   NtUserQueryWindow  (65656, 0, ... ) == 0x774
 03757   368   NtUserQueryWindow  (65656, 1, ... ) == 0x778
 03758   368   NtUserQueryWindow  (65658, 0, ... ) == 0x774
 03759   368   NtUserQueryWindow  (65658, 1, ... ) == 0x778
 03760   368   NtUserCloseDesktop  (104, ...
 03761   368   NtClose  (104, ... ) == 0x0
 03760   368   NtUserCloseDesktop  ... ) == 0x1
 03762   368   NtUserGetProcessWindowStation  (... ) == 0x28
 03763   368   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03764   368   NtUserGetProcessWindowStation  (... ) == 0x28
 03765   368   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03766   368   NtGdiDeleteObjectApp  (252314700, ... ) == 0x1
 03767   368   NtGdiDeleteObjectApp  (185205843, ... ) == 0x1
 03768   368   NtClose  (12, ... ) == 0x0
 03769   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03770   368   NtFreeVirtualMemory  (-1, (0x14c000), 16384, 16384, ... (0x14c000), 16384, ) == 0x0
 03771   368   NtClose  (96, ... ) == 0x0
 03772   368   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 03773   368   NtClose  (100, ... ) == 0x0
 03774   368   NtClose  (92, ... ) == 0x0
 03775   368   NtFreeVirtualMemory  (-1, (0x1240000), 0, 32768, ... (0x1240000), 262144, ) == 0x0
 03776   368   NtUserUnregisterClass  (1237652, 1991376896, 1237640, ... ) == 0x0
 03777   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03778   368   NtUnmapViewOfSection  (-1, 0x1570000, ... ) == 0x0
 03779   368   NtClose  (312, ... ) == 0x0
 03780   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03b
 03781   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03782   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03d
 03783   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03784   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03f
 03785   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03786   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc041
 03787   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03788   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc043
 03789   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03790   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc045
 03791   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03792   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc047
 03793   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03794   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc049
 03795   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03796   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04b
 03797   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03798   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04d
 03799   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03800   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04f
 03801   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03802   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc051
 03803   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03804   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc053
 03805   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03806   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc057
 03807   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03808   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc059
 03809   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03810   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05b
 03811   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03812   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05d
 03813   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03814   368   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05f
 03815   368   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03816   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03b
 03817   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03818   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03d
 03819   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03820   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03f
 03821   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03822   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc041
 03823   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03824   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc043
 03825   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03826   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc045
 03827   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03828   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc047
 03829   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03830   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc049
 03831   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03832   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04b
 03833   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03834   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04d
 03835   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03836   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04f
 03837   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03838   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc051
 03839   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03840   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc053
 03841   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03842   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc057
 03843   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03844   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc059
 03845   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03846   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05b
 03847   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03848   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05d
 03849   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03850   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05f
 03851   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03852   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc017
 03853   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03854   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc019
 03855   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03856   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc018
 03857   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03858   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01a
 03859   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03860   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01c
 03861   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03862   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01e
 03863   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03864   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01b
 03865   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03866   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc068
 03867   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03868   368   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc06a
 03869   368   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03870   368   NtUnmapViewOfSection  (-1, 0x1230000, ... ) == 0x0
 03871   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 03872   368   NtClose  (336, ... ) == 0x0
 03873   368   NtClose  (152, ... ) == 0x0
 03874   368   NtClose  (352, ... ) == 0x0
 03875   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03876   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03877   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03878   368   NtClose  (148, ... ) == 0x0
 03879   368   NtClose  (356, ... ) == 0x0
 03880   368   NtClose  (112, ... ) == 0x0
 03881   368   NtFreeVirtualMemory  (-1, (0x1970000), 4096, 32768, ... (0x1970000), 4096, ) == 0x0
 03882   368   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 316, 368, 1659, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 316, 368, 1659, 0}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 316, 368, 1659, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 03883   368   NtTerminateProcess  (-1, 0, ...
 03884   368   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtContinue(>)	30
NtAllocateLocallyUniqueId(>)	1	NtGdiHfontCreate(>)	2	NtQuerySymbolicLinkObject(>)	6	NtQueryInformationFile(>)	30
NtCallbackReturn(>)	1	NtOpenDirectoryObject(>)	2	NtCreateSemaphore(>)	7	NtEnumerateKey(>)	31
NtClearEvent(>)	1	NtQueryInformationJobObject(>)	2	NtUserCallNoParam(>)	7	NtCreateEvent(>)	32
NtConnectPort(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryVirtualMemory(>)	8	NtOpenThreadToken(>)	33
NtDelayExecution(>)	1	NtRegisterThreadTerminatePort(>)	2	NtWriteVirtualMemory(>)	8	NtReleaseMutant(>)	38
NtDuplicateToken(>)	1	NtSetEvent(>)	2	NtQueryDefaultUILanguage(>)	10	NtUnmapViewOfSection(>)	38
NtGdiCreateBitmap(>)	1	NtTestAlert(>)	2	NtUserGetWindowDC(>)	10	NtQueryInformationProcess(>)	39
NtGdiCreateHalftonePalette(>)	1	NtUserCloseDesktop(>)	2	NtSetValueKey(>)	11	NtProtectVirtualMemory(>)	40
NtGdiCreatePaletteInternal(>)	1	NtUserCreateWindowEx(>)	2	NtUserCallOneParam(>)	11	NtQueryDefaultLocale(>)	42
NtGdiCreatePatternBrushInternal(>)	1	NtUserDestroyWindow(>)	2	NtUserSystemParametersInfo(>)	11	NtUserUnregisterClass(>)	47
NtGdiDoPalette(>)	1	NtUserGetObjectInformation(>)	2	NtWriteFile(>)	11	NtUserFindExistingCursorIcon(>)	49
NtGdiInit(>)	1	NtUserMessageCall(>)	2	NtOpenProcessToken(>)	14	NtCreateSection(>)	56
NtGdiQueryFontAssocInfo(>)	1	NtCreateThread(>)	3	NtRequestWaitReplyPort(>)	14	NtUserRegisterClassExWOW(>)	65
NtGdiSelectBitmap(>)	1	NtDuplicateObject(>)	3	NtNotifyChangeKey(>)	15	NtWaitForSingleObject(>)	66
NtOpenKeyedEvent(>)	1	NtOpenMutant(>)	3	NtQueryVolumeInformationFile(>)	15	NtOpenSection(>)	74
NtQueryFullAttributesFile(>)	1	NtOpenProcess(>)	3	NtCreateKey(>)	17	NtReadFile(>)	77
NtQueryInformationThread(>)	1	NtResumeThread(>)	3	NtDeviceIoControlFile(>)	17	NtMapViewOfSection(>)	80
NtQueryObject(>)	1	NtTerminateProcess(>)	3	NtFsControlFile(>)	17	NtOpenFile(>)	88
NtQueryPerformanceCounter(>)	1	NtUserOpenDesktop(>)	3	NtFlushInstructionCache(>)	19	NtQuerySystemInformation(>)	89
NtQuerySystemTime(>)	1	NtUserRemoveProp(>)	3	NtUserRegisterWindowMessage(>)	19	NtUserGetClassInfo(>)	91
NtSecureConnectPort(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryDirectoryFile(>)	20	NtAllocateVirtualMemory(>)	94
NtUserBuildNameList(>)	1	NtCreateMutant(>)	4	NtSetInformationProcess(>)	21	NtOpenProcessTokenEx(>)	110
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtEnumerateValueKey(>)	23	NtOpenThreadTokenEx(>)	110
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtFreeVirtualMemory(>)	23	NtQueryInformationToken(>)	126
NtUserGetForegroundWindow(>)	1	NtQuerySecurityObject(>)	4	NtQueryDebugFilterState(>)	24	NtQueryKey(>)	129
NtUserGetGUIThreadInfo(>)	1	NtGdiGetStockObject(>)	5	NtRaiseException(>)	25	NtUserQueryWindow(>)	134
NtUserGetThreadDesktop(>)	1	NtReadVirtualMemory(>)	5	NtSetInformationFile(>)	25	NtQueryAttributesFile(>)	147
NtUserSetProp(>)	1	NtSetInformationObject(>)	5	NtCreateFile(>)	27	NtQueryValueKey(>)	223
NtAccessCheck(>)	2	NtUserBuildHwndList(>)	5	NtSetInformationThread(>)	27	NtOpenKey(>)	475
NtCreateIoCompletion(>)	2	NtUserGetProcessWindowStation(>)	5	NtQuerySection(>)	28	NtClose(>)	570
NtCreateProcessEx(>)	2	NtGdiDeleteObjectApp(>)	6	NtReleaseSemaphore(>)	28