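Summary (calls per system service; each name is followed by its call count, ascending down each of the four columns):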

NtAddAtom(>) 1 NtGdiCreateSolidBrush(>) 2 NtOpenSymbolicLinkObject(>) 6 NtSetInformationProcess(>) 29
NtAllocateLocallyUniqueId(>) 1 NtGdiHfontCreate(>) 2 NtQuerySymbolicLinkObject(>) 6 NtEnumerateKey(>) 31
NtCallbackReturn(>) 1 NtLockFile(>) 2 NtResumeThread(>) 6 NtContinue(>) 32
NtClearEvent(>) 1 NtOpenDirectoryObject(>) 2 NtSetEventBoostPriority(>) 6 NtCreateFile(>) 33
NtConnectPort(>) 1 NtQueryInformationJobObject(>) 2 NtCreateSemaphore(>) 7 NtOpenThreadToken(>) 33
NtDuplicateToken(>) 1 NtQueryInstallUILanguage(>) 2 NtTestAlert(>) 7 NtSetInformationFile(>) 33
NtGdiCreateBitmap(>) 1 NtSetEvent(>) 2 NtUserCallNoParam(>) 7 NtCreateEvent(>) 35
NtGdiCreateHalftonePalette(>) 1 NtUnlockFile(>) 2 NtDelayExecution(>) 8 NtQueryInformationFile(>) 37
NtGdiCreatePaletteInternal(>) 1 NtUserCloseDesktop(>) 2 NtQueryVirtualMemory(>) 8 NtReleaseMutant(>) 39
NtGdiCreatePatternBrushInternal(>) 1 NtUserCreateWindowEx(>) 2 NtRegisterThreadTerminatePort(>) 8 NtQueryDefaultLocale(>) 42
NtGdiDoPalette(>) 1 NtUserDestroyWindow(>) 2 NtWriteVirtualMemory(>) 8 NtUnmapViewOfSection(>) 42
NtGdiInit(>) 1 NtUserGetObjectInformation(>) 2 NtQueryDefaultUILanguage(>) 10 NtQueryInformationProcess(>) 47
NtGdiQueryFontAssocInfo(>) 1 NtUserMessageCall(>) 2 NtUserGetWindowDC(>) 10 NtUserUnregisterClass(>) 47
NtGdiSelectBitmap(>) 1 NtYieldExecution(>) 2 NtSetValueKey(>) 11 NtUserFindExistingCursorIcon(>) 49
NtOpenKeyedEvent(>) 1 NtOpenMutant(>) 3 NtUserCallOneParam(>) 11 NtCreateSection(>) 59
NtQueryFullAttributesFile(>) 1 NtOpenProcess(>) 3 NtUserSystemParametersInfo(>) 11 NtUserRegisterClassExWOW(>) 65
NtQueryObject(>) 1 NtTerminateProcess(>) 3 NtWriteFile(>) 14 NtProtectVirtualMemory(>) 67
NtQueryPerformanceCounter(>) 1 NtTerminateThread(>) 3 NtFreeVirtualMemory(>) 15 NtWaitForSingleObject(>) 75
NtQuerySystemTime(>) 1 NtUserOpenDesktop(>) 3 NtOpenProcessToken(>) 15 NtOpenSection(>) 76
NtSecureConnectPort(>) 1 NtUserRemoveProp(>) 3 NtCreateKey(>) 17 NtReadFile(>) 82
NtUserBuildNameList(>) 1 NtWaitForMultipleObjects(>) 3 NtDeviceIoControlFile(>) 17 NtMapViewOfSection(>) 86
NtUserGetAtomName(>) 1 NtGdiCreateCompatibleDC(>) 4 NtFsControlFile(>) 17 NtOpenFile(>) 91
NtUserGetDC(>) 1 NtOpenEvent(>) 4 NtNotifyChangeKey(>) 17 NtQuerySystemInformation(>) 91
NtUserGetForegroundWindow(>) 1 NtQueryInformationThread(>) 4 NtQueryVolumeInformationFile(>) 17 NtUserGetClassInfo(>) 91
NtUserGetGUIThreadInfo(>) 1 NtQuerySecurityObject(>) 4 NtRequestWaitReplyPort(>) 17 NtAllocateVirtualMemory(>) 97
NtUserGetThreadDesktop(>) 1 NtUserBuildHwndList(>) 4 NtUserRegisterWindowMessage(>) 19 NtOpenProcessTokenEx(>) 110
NtUserKillTimer(>) 1 NtCreateMutant(>) 5 NtQueryDirectoryFile(>) 20 NtOpenThreadTokenEx(>) 110
NtUserSetProp(>) 1 NtDuplicateObject(>) 5 NtEnumerateValueKey(>) 23 NtUserQueryWindow(>) 114
NtUserSetTimer(>) 1 NtGdiGetStockObject(>) 5 NtQueryDebugFilterState(>) 24 NtQueryInformationToken(>) 127
NtUserSetWindowsHookEx(>) 1 NtReadVirtualMemory(>) 5 NtRaiseException(>) 25 NtQueryKey(>) 129
NtUserUnhookWindowsHookEx(>) 1 NtSetInformationObject(>) 5 NtSetInformationThread(>) 27 NtQueryAttributesFile(>) 152
NtAccessCheck(>) 2 NtUserGetProcessWindowStation(>) 5 NtReleaseSemaphore(>) 28 NtQueryValueKey(>) 302
NtCreateIoCompletion(>) 2 NtCreateThread(>) 6 NtFlushInstructionCache(>) 29 NtOpenKey(>) 498
NtCreateProcessEx(>) 2 NtGdiDeleteObjectApp(>) 6 NtQuerySection(>) 29 NtClose(>) 607

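Trace (one entry per call: sequence number, thread id, service name, arguments, then the returned status or value after "=="):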

00001 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 428 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 428 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 428 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 428 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 428 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 428 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 428 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 428 NtClose (12, ... 
) == 0x0 00014 428 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 428 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 428 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 428 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 428 NtClose (16, ... ) == 0x0 00021 428 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 428 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 428 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 428 NtClose (16, ... ) == 0x0 00026 428 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 428 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 428 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 428 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 424, 428, 1485, 0} "\30\221\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 424, 428, 1485, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 424, 428, 1485, 0} "\30\221\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 428 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 428 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 428 NtClose (16, ... ) == 0x0 00036 428 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 428 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 428 NtClose (28, ... ) == 0x0 00041 428 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 428 NtClose (28, ... ) == 0x0 00045 428 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 428 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 428 NtClose (28, ... ) == 0x0 00049 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 428 NtClose (28, ... ) == 0x0 00052 428 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 424, 428, 1487, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 424, 428, 1487, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 424, 428, 1487, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 128, ) == 0x0 00057 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 128, ... (0x422000), 24576, 4, ) == 0x0 00058 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00059 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 428 NtClose (28, ... ) == 0x0 00062 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 428 NtClose (28, ... ) == 0x0 00065 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 64, ) == 0x0 00066 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00067 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00068 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00070 428 NtClose (28, ... ) == 0x0 00071 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 64, ) == 0x0 00072 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00073 428 NtFlushInstructionCache (-1, 4333568, 24576, ... 
) == 0x0 00074 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00076 428 NtClose (28, ... ) == 0x0 00077 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00078 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00079 428 NtClose (28, ... ) == 0x0 00080 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00082 428 NtClose (28, ... ) == 0x0 00083 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00085 428 NtClose (28, ... ) == 0x0 00086 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 64, ) == 0x0 00087 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00088 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00089 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00091 428 NtClose (28, ... ) == 0x0 00092 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00094 428 NtClose (28, ... ) == 0x0 00095 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... 
(0x422000), 24576, 64, ) == 0x0 00096 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00097 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00098 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 64, ) == 0x0 00099 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00100 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00101 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 428 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00103 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00106 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00107 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00108 428 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00109 428 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00110 428 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00111 428 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00112 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00113 428 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00114 428 NtClose (40, ... ) == 0x0 00115 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00116 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00117 428 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00118 428 NtClose (40, ... ) == 0x0 00119 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 428 NtClose (36, ... ) == 0x0 00121 428 NtClose (28, ... ) == 0x0 00122 428 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00123 428 NtClose (32, ... ) == 0x0 00124 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... 
) == 0x0 00128 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00129 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00130 428 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00131 428 NtClose (32, ... ) == 0x0 00132 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00133 428 NtClose (28, ... ) == 0x0 00134 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 4, ... (0x422000), 24576, 64, ) == 0x0 00135 428 NtProtectVirtualMemory (-1, (0x422000), 24576, 64, ... (0x422000), 24576, 4, ) == 0x0 00136 428 NtFlushInstructionCache (-1, 4333568, 24576, ... ) == 0x0 00137 428 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00138 428 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00139 428 NtClose (28, ... ) == 0x0 00140 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00141 428 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00142 428 NtClose (28, ... ) == 0x0 00143 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00144 428 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00145 428 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00146 428 NtClose (28, ... ) == 0x0 00147 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00148 428 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00149 428 NtClose (28, ... ) == 0x0 00150 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00151 428 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00152 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00154 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00155 428 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00156 428 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00157 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0 00158 428 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x330000), 0x0, 12288, ) == 0x0 00159 428 NtClose (32, ... ) == 0x0 00160 428 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00161 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00162 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 424, 428, 1497, 0} "\210\36\27\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 424, 428, 1497, 0} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 424, 428, 1497, 0} "\210\36\27\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00163 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 428 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00165 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00166 428 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00167 428 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482032, ) == 0x0 00168 428 NtQueryInformationToken (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00169 428 NtQueryInformationToken (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00170 428 NtClose (-2147482032, ... ) == 0x0 00171 428 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 
3407872, 4096, ) == 0x0 00172 428 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00173 428 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00174 428 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00175 428 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 428 NtClose (-2147482032, ... ) == 0x0 00177 428 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00178 428 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 428 NtClose (-2147482032, ... ) == 0x0 00180 428 NtQueryDefaultLocale (0, -130577908, ... ) == 0x0 00181 428 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00182 428 NtUserCallNoParam (24, ... ) == 0x0 00183 428 NtGdiCreateCompatibleDC (0, ... 00184 428 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00183 428 NtGdiCreateCompatibleDC ... ) == 0x120103c5 00185 428 NtGdiGetStockObject (0, ... ) == 0x1900010 00186 428 NtGdiGetStockObject (4, ... ) == 0x1900011 00187 428 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050404 00188 428 NtGdiCreateSolidBrush (0, 0, ... 00189 428 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00188 428 NtGdiCreateSolidBrush ... ) == 0xe10040a 00190 428 NtGdiGetStockObject (13, ... ) == 0x18a0021 00191 428 NtGdiCreateCompatibleDC (0, ... ) == 0x70010383 00192 428 NtGdiSelectBitmap (1879114627, 319095812, ... ) == 0x185000f 00193 428 NtUserGetThreadDesktop (428, 0, ... 
) == 0x2c 00194 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00195 428 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00196 428 NtClose (52, ... ) == 0x0 00197 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00198 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00199 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00200 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00201 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00202 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00203 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00204 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00205 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00206 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00207 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00208 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00209 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00210 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00211 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00212 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 
) == 0x810dc026 00213 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00214 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00215 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00216 428 NtAllocateVirtualMemory (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0 00215 428 NtUserRegisterClassExWOW ... ) == 0x810dc020 00217 428 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00218 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00219 428 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00220 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00221 428 NtCallbackReturn (0, 0, 0, ... 00222 428 NtGdiInit (... ) == 0x1 00223 428 NtGdiGetStockObject (18, ... ) == 0x290001c 00224 428 NtGdiGetStockObject (19, ... ) == 0x1b00019 00225 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00226 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00227 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00228 428 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00229 428 NtClose (52, ... 
) == 0x0 00230 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00231 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00232 428 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00233 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00234 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00235 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00236 428 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00237 428 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 428 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00239 428 NtClose (52, ... ) == 0x0 00240 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00241 428 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 428 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00243 428 NtClose (52, ... ) == 0x0 00244 428 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00245 428 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 428 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00247 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 428 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00250 428 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 428 NtClose (56, ... ) == 0x0 00252 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0 00255 428 NtQueryValueKey (56, (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00256 428 NtClose (56, ... ) == 0x0 00257 428 NtQueryDefaultUILanguage (1241756, ... 
00258 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00259 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00260 428 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00261 428 NtClose (-2147482032, ... ) == 0x0 00262 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00263 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 428 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00265 428 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 428 NtClose (-2147482044, ... ) == 0x0 00267 428 NtClose (-2147482032, ... ) == 0x0 00257 428 NtQueryDefaultUILanguage ... ) == 0x0 00268 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 428 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00270 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00271 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0 00272 428 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 8323072, ) == 0x0 00273 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00274 428 NtQueryDefaultUILanguage (2013024600, ... 00275 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00276 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00277 428 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00278 428 NtClose (-2147482032, ... ) == 0x0 00279 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00280 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 428 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00282 428 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00283 428 NtClose (-2147482044, ... ) == 0x0 00284 428 NtClose (-2147482032, ... ) == 0x0 00274 428 NtQueryDefaultUILanguage ... ) == 0x0 00285 428 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00286 428 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00287 428 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00288 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00289 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1500, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 424, 428, 1500, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1500, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00290 428 NtClose (56, ... ) == 0x0 00291 428 NtClose (60, ... ) == 0x0 00292 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00293 428 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00294 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00295 428 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00296 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00297 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00298 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00300 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00301 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00302 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00303 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0 00304 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00305 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00306 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00307 428 NtClose (56, ... ) == 0x0 00308 428 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0 00309 428 NtClose (64, ... ) == 0x0 00310 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00311 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00312 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 
56, ) == 0x0 00313 428 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00314 428 NtClose (64, ... ) == 0x0 00315 428 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00316 428 NtClose (56, ... ) == 0x0 00317 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00318 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00319 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00320 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00321 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00322 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00323 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00324 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00325 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00326 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00327 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00328 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00329 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00330 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00331 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00332 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00333 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00334 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00335 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00336 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00337 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00338 428 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00339 428 NtQueryDefaultUILanguage (1239368, ... 00340 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00341 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00342 428 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00343 428 NtClose (-2147482032, ... ) == 0x0 00344 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00345 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00346 428 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00347 428 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00348 428 NtClose (-2147482044, ... ) == 0x0 00349 428 NtClose (-2147482032, ... ) == 0x0 00339 428 NtQueryDefaultUILanguage ... ) == 0x0 00350 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00351 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... 
) == 0x0 00352 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00353 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00354 428 NtClose (56, ... ) == 0x0 00355 428 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0 00356 428 NtClose (64, ... ) == 0x0 00357 428 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00358 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00359 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00360 428 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0 00361 428 NtClose (64, ... ) == 0x0 00362 428 NtMapViewOfSection (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0 00363 428 NtClose (56, ... ) == 0x0 00364 428 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00365 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00366 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0 00367 428 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0 00368 428 NtQueryInformationFile (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00369 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00370 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1501, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 424, 428, 1501, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1501, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00371 428 NtClose (56, ... ) == 0x0 00372 428 NtClose (64, ... ) == 0x0 00373 428 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00374 428 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00375 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00376 428 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00377 428 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00378 428 NtUserGetDC (0, ... ) == 0x1010054 00379 428 NtUserCallOneParam (16842836, 56, ... 
) == 0x1 00380 428 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00381 428 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00382 428 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00383 428 NtAccessCheck (1327448, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00384 428 NtClose (64, ... ) == 0x0 00385 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00386 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00387 428 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00388 428 NtClose (64, ... ) == 0x0 00389 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00390 428 NtSetInformationObject (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00391 428 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00392 428 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00393 428 NtClose (56, ... ) == 0x0 00394 428 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00395 428 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00396 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0 00397 428 NtQueryValueKey (56, (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00399 428 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00400 428 NtClose (68, ... ) == 0x0 00401 428 NtClose (56, ... ) == 0x0 00402 428 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00403 428 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00404 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0 00405 428 NtEnumerateValueKey (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00406 428 NtClose (56, ... ) == 0x0 00407 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00408 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00409 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00410 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00411 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00412 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00413 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041 00414 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00415 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043 00416 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00417 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00418 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00419 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00420 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049 00421 428 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... 
) == 0xc049 00422 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00423 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00424 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00425 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00426 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00427 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00428 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00429 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00430 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00431 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00432 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00433 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00434 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00435 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00436 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00437 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00438 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00439 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00440 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00441 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f 00442 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... 
) == 0x10011 00443 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017 00444 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00445 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00446 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00447 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00448 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00449 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00450 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00451 428 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... 00452 428 NtAllocateVirtualMemory (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0 00451 428 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00453 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00454 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e 00455 428 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00456 428 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00457 428 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00458 428 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068 00459 428 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00460 428 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00461 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00462 428 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77340000), 0x0, 569344, ) == 0x0 00463 428 NtClose (56, ... ) == 0x0 00464 428 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {424, 0}, ... 56, ) == 0x0 00465 428 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00466 428 NtClose (56, ... ) == 0x0 00467 428 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00468 428 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00469 428 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00470 428 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00471 428 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00472 428 NtClose (56, ... ) == 0x0 00473 428 NtUserSystemParametersInfo (41, 500, 1241332, 0, ... ) == 0x1 00474 428 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00475 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00476 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00477 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03b 00478 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00479 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03d 00480 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00481 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00482 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03f 00483 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00484 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00485 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810dc041 00486 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00487 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00488 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc043 00489 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00490 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc045 00491 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00492 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00493 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc047 00494 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00495 428 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x10011 00496 428 NtUserRegisterClassExWOW (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810dc049 00497 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00498 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00499 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04b 00500 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00501 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00502 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04d 00503 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00504 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00505 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04f 00506 428 NtUserGetClassInfo (1999896576, 1241744, 1241696, 1241772, 0, ... 
) == 0x0 00507 428 NtUserRegisterClassExWOW (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810dc051 00508 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00509 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00510 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc053 00511 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00512 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00513 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc055 00514 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc057 00515 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00516 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00517 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc059 00518 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00519 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10013 00520 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05b 00521 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00522 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00523 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05d 00524 428 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00525 428 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00526 428 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05f 00527 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... 
) == 0xc03b 00528 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d 00529 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f 00530 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041 00531 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043 00532 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045 00533 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047 00534 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049 00535 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b 00536 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d 00537 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f 00538 428 NtUserGetClassInfo (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051 00539 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053 00540 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055 00541 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059 00542 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b 00543 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d 00544 428 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f 00545 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00546 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00547 428 NtTestAlert (... 
) == 0x0 00548 428 NtContinue (1244464, 1, ... 00549 428 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x421aa0,}, 4, ... ) == 0x0 00550 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00551 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00552 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00553 428 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0 00554 428 NtClose (56, ... ) == 0x0 00555 428 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244956, (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ... 00556 428 NtClose (-2147482032, ... ) == 0x0 00555 428 NtCreateFile ... 56, {status=0x0, info=2}, ) == 0x0 00557 428 NtWriteFile (56, 0, 0, 0, (56, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 
\0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0 00558 428 NtClose (56, ... ) == 0x0 00559 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0 00560 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244368, (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0 00561 428 NtQueryVolumeInformationFile (56, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00562 428 NtQueryInformationFile (56, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00563 428 NtQueryInformationFile (56, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00564 428 NtSetInformationFile (56, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00565 428 NtSetInformationFile (56, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00566 428 NtReadFile (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00567 428 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 9502720, 524288, ) == 0x0 00568 428 NtAllocateVirtualMemory (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00569 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00570 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244372, (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00571 428 NtClose (-2147482032, ... ) == 0x0 00570 428 NtCreateFile ... 68, {status=0x0, info=2}, ) == 0x0 00572 428 NtQueryVolumeInformationFile (68, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00573 428 NtQueryInformationFile (68, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00574 428 NtAllocateVirtualMemory (-1, 1335296, 0, 8192, 4096, 4, ... 1335296, 8192, ) == 0x0 00575 428 NtAllocateVirtualMemory (-1, 1343488, 0, 36864, 4096, 4, ... 1343488, 36864, ) == 0x0 00576 428 NtAllocateVirtualMemory (-1, 1380352, 0, 36864, 4096, 4, ... 1380352, 36864, ) == 0x0 00577 428 NtQueryInformationFile (56, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00578 428 NtSetInformationFile (56, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00579 428 NtSetInformationFile (56, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00580 428 NtReadFile (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00581 428 NtSetInformationFile (56, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00582 428 NtSetInformationFile (68, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00583 428 NtReadFile (56, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, (56, 0, 0, 0, 32768, 0x0, 0, ... 
{status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0 00584 428 NtWriteFile (68, 0, 0, 0, (68, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 
\10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 00585 428 NtWriteFile (68, 0, 0, 0, (68, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0 00586 428 NtQueryInformationFile (56, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00587 428 NtSetInformationFile (68, 1244896, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 00588 428 NtFreeVirtualMemory (-1, (0x146000), 81920, 16384, ... (0x146000), 81920, ) == 0x0 00589 428 NtClose (68, ... ) == 0x0 00590 428 NtClose (56, ... ) == 0x0 00591 428 NtUnmapViewOfSection (-1, 0x73dc0000, ... ) == 0x0 00592 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0 00593 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00594 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 68, ) == 0x0 00595 428 NtClose (56, ... ) == 0x0 00596 428 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 36864, ) == 0x0 00597 428 NtClose (68, ... ) == 0x0 00598 428 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00599 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0 00600 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00601 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0 00602 428 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00603 428 NtClose (68, ... ) == 0x0 00604 428 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0 00605 428 NtClose (56, ... ) == 0x0 00606 428 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0 00607 428 NtProtectVirtualMemory (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0 00608 428 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00609 428 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... 
(0x10001000), 4096, 64, ) == 0x0 00610 428 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00611 428 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00612 428 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00613 428 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00614 428 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00615 428 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00616 428 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00617 428 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00618 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00619 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00620 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0 00621 428 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0 00622 428 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x0 00623 428 NtUserSetWindowsHookEx (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x20091 00624 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00625 428 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00626 428 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00627 428 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 68, {424, 380}, ) == 0x0 00628 428 NtQueryInformationThread (68, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=424,Tid=380,}, 0x0, ) == 0x0 00629 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0D\0\0\0\250\1\0\0|\1\0\0" ... {28, 56, reply, 0, 424, 428, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\250\1\0\0|\1\0\0" ) ... {28, 56, reply, 0, 424, 428, 1502, 0} (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0D\0\0\0\250\1\0\0|\1\0\0" ... {28, 56, reply, 0, 424, 428, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\250\1\0\0|\1\0\0" ) ) == 0x0 00630 428 NtResumeThread (68, ... 1, ) == 0x0 00631 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0 00632 380 NtCreateEvent (0x100003, 0x0, 1, 0, ... 72, ) == 0x0 00633 380 NtWaitForSingleObject (72, 0, 0x0, ... 00634 428 NtAllocateVirtualMemory (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0 00635 428 NtProtectVirtualMemory (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0 00636 428 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 76, {424, 568}, ) == 0x0 00637 428 NtQueryInformationThread (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=424,Tid=568,}, 0x0, ) == 0x0 00638 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 424, 428, 1502, 0} (24, {28, 56, new_msg, 0, 424, 428, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\250\1\0\08\2\0\0" ... {28, 56, reply, 0, 424, 428, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\250\1\0\08\2\0\0" ) ... {28, 56, reply, 0, 424, 428, 1503, 0} (24, {28, 56, new_msg, 0, 424, 428, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\250\1\0\08\2\0\0" ... {28, 56, reply, 0, 424, 428, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\250\1\0\08\2\0\0" ) ) == 0x0 00639 428 NtResumeThread (76, ... 1, ) == 0x0 00640 428 NtUserSetTimer (0, 0, 4096, 268451664, ... ) == 0x7ff9 00641 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
12124160, 1048576, ) == 0x0 00642 428 NtAllocateVirtualMemory (-1, 13164544, 0, 8192, 4096, 4, ... 00643 568 NtWaitForSingleObject (72, 0, 0x0, ... 00642 428 NtAllocateVirtualMemory ... 13164544, 8192, ) == 0x0 00644 428 NtProtectVirtualMemory (-1, (0xc8e000), 4096, 260, ... (0xc8e000), 4096, 4, ) == 0x0 00645 428 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {424, 572}, ) == 0x0 00646 428 NtQueryInformationThread (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=424,Tid=572,}, 0x0, ) == 0x0 00647 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 424, 428, 1503, 0} (24, {28, 56, new_msg, 0, 424, 428, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\250\1\0\0<\2\0\0" ... {28, 56, reply, 0, 424, 428, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\250\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 424, 428, 1504, 0} (24, {28, 56, new_msg, 0, 424, 428, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\250\1\0\0<\2\0\0" ... {28, 56, reply, 0, 424, 428, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\250\1\0\0<\2\0\0" ) ) == 0x0 00648 428 NtResumeThread (80, ... 1, ) == 0x0 00649 572 NtWaitForSingleObject (72, 0, 0x0, ... 00650 428 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00651 428 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 84, ) }, {20480, 0}, 4, 134217728, 0, ... 84, ) == 0x0 00652 428 NtSetEventBoostPriority (72, ... 00633 380 NtWaitForSingleObject ... ) == 0x0 00653 380 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00654 380 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00655 380 NtSetEventBoostPriority (72, ... 00643 568 NtWaitForSingleObject ... ) == 0x0 00656 568 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 00657 568 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00658 568 NtSetEventBoostPriority (72, ... 00649 572 NtWaitForSingleObject ... ) == 0x0 00659 572 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00660 572 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00661 572 NtTestAlert (... ) == 0x0 00662 572 NtContinue (13172016, 1, ... 00663 572 NtRegisterThreadTerminatePort (24, ... 00658 568 NtSetEventBoostPriority ... ) == 0x0 00655 380 NtSetEventBoostPriority ... ) == 0x0 00652 428 NtSetEventBoostPriority ... ) == 0x0 00664 568 NtTestAlert (... 00665 380 NtTestAlert (... 00663 572 NtRegisterThreadTerminatePort ... ) == 0x0 00664 568 NtTestAlert ... ) == 0x0 00665 380 NtTestAlert ... ) == 0x0 00666 572 NtDelayExecution (0, {-20480000, -1}, ... 00667 428 NtMapViewOfSection (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... 00668 568 NtContinue (12123440, 1, ... 00667 428 NtMapViewOfSection ... (0x370000), {0, 0}, 20480, ) == 0x0 00669 568 NtRegisterThreadTerminatePort (24, ... 00670 428 NtUnmapViewOfSection (-1, 0x370000, ... 00669 568 NtRegisterThreadTerminatePort ... ) == 0x0 00670 428 NtUnmapViewOfSection ... ) == 0x0 00671 568 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 00672 568 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00673 568 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00674 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00675 568 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... }, ... 00676 380 NtContinue (11074864, 1, ... 00677 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 00678 380 NtRegisterThreadTerminatePort (24, ... 00677 428 NtQueryInformationProcess ... {process info, class 12, size 4}, 0x0, ) == 0x0 00678 380 NtRegisterThreadTerminatePort ... ) == 0x0 00679 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 00680 380 NtDelayExecution (0, {-40960000, -1}, ... 00679 428 NtSetInformationProcess ... ) == 0x0 00681 428 NtDelayExecution (0, {-10000000, -1}, ... 00675 568 NtOpenKey ... 96, ) == 0x0 00682 568 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00683 568 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00684 568 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00685 568 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 568 NtQueryValueKey (96, (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00687 568 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00688 568 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00689 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0 00690 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00691 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00692 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\265\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\266\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00693 568 NtClose (104, ... ) == 0x0 00694 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00695 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00696 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00697 568 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00698 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\273\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\274\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00699 568 NtClose (104, ... ) == 0x0 00700 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 00701 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00702 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00703 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\300\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\301\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00704 568 NtClose (104, ... ) == 0x0 00705 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0 00706 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00707 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00708 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\305\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\306\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00709 568 NtClose (104, ... ) == 0x0 00710 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0 00711 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00712 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00713 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\313\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00714 568 NtClose (104, ... ) == 0x0 00715 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0 00716 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00717 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00718 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\320\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00719 568 NtClose (104, ... ) == 0x0 00720 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0 00721 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00722 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00723 568 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00724 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\325\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\326\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00725 568 NtClose (104, ... ) == 0x0 00726 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0 00727 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00728 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00729 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\332\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\333\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00730 568 NtClose (104, ... ) == 0x0 00731 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0 00732 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00733 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00734 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\340\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00735 568 NtClose (104, ... ) == 0x0 00736 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0 00737 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00738 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00739 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08S\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\345\2\0\0\250\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\250\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\250\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00740 568 NtClose (104, ... ) == 0x0 00741 568 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0 00742 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00743 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00744 568 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00745 568 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\352\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\352\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\353\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\2\0\0\250\1\0\08\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\354\2\0\0\250\1\0\08\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\355\2\0\0\250\1\0\08\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\250\1\0\08\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\356\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PK\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\352\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\352\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\2\0\0\250\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\353\2\0\0\250\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\2\0\0\250\1\0\08\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\354\2\0\0\250\1\0\08\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\355\2\0\0\250\1\0\08\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\250\1\0\08\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\356\2\0\0\250\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\270\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PK\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00746 568 NtClose (104, ... ) == 0x0 00747 568 NtClose (100, ... ) == 0x0 00748 568 NtWaitForSingleObject (92, 0, {0, 0}, ... 
) == 0x102 00749 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00750 568 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0 00751 568 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00752 568 NtNotifyChangeKey (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00753 568 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00754 568 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00755 568 NtQueryValueKey (104, (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00756 568 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0 00757 568 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0 00758 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00759 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00760 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00761 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00762 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00763 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00764 568 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00765 568 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00766 568 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00767 568 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00768 568 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00769 568 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00770 568 NtClose (112, ... ) == 0x0 00771 568 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0 00772 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00773 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00774 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00775 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00776 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00777 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00778 568 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00779 568 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00780 568 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00781 568 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00782 568 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00783 568 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00784 568 NtClose (112, ... ) == 0x0 00785 568 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0 00786 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00787 568 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00788 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00789 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00790 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00791 568 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00792 568 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00793 568 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 568 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00795 568 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00796 568 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00797 568 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00798 568 NtClose (112, ... 
) == 0x0 00799 568 NtClose (108, ... ) == 0x0 00800 568 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 00801 568 NtClose (88, ... ) == 0x0 00802 568 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00803 568 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00804 568 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 00805 568 NtQueryValueKey (88, (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00806 568 NtClose (88, ... ) == 0x0 00807 568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0 00808 568 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00809 568 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 108, {status=0x0, info=1}, ) }, 7, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00810 568 NtLockFile (108, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 00811 568 NtQueryInformationFile (108, 1347544, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00812 568 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 13172736, 1052672, ) == 0x0 00813 568 NtAllocateVirtualMemory (-1, 13172736, 0, 235, 4096, 4, ... 13172736, 4096, ) == 0x0 00814 568 NtReadFile (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (108, 0, 0, 0, 231, 0x0, 2012046884, ... 
{status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 00815 568 NtFreeVirtualMemory (-1, (0xc90000), 1052672, 32768, ... (0xc90000), 1052672, ) == 0x0 00816 568 NtUnlockFile (108, {0, 0}, {-1, -1}, 568, ... ) == STATUS_RANGE_NOT_LOCKED 00817 568 NtClose (108, ... ) == 0x0 00818 568 NtOpenProcessToken (-1, 0x8, ... 108, ) == 0x0 00819 568 NtQueryInformationToken (108, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00820 568 NtClose (108, ... ) == 0x0 00821 568 NtCreateFile (0xc0100000, {24, 0, 0x40, 0, 0, (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0 00822 568 NtLockFile (108, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0 00823 568 NtQueryInformationFile (108, 1347544, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00824 568 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 13172736, 1052672, ) == 0x0 00825 568 NtAllocateVirtualMemory (-1, 13172736, 0, 235, 4096, 4, ... 13172736, 4096, ) == 0x0 00826 568 NtReadFile (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 00827 568 NtWriteFile (108, 0, 0, 0, (108, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=26687fpxxuf527\15\12", 37, {231, 0}, 2012046884, ... 
{status=0x0, info=37}, ) , 37, {231, 0}, 2012046884, ... {status=0x0, info=37}, ) == 0x0 00828 568 NtSetInformationFile (108, 12123304, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00829 568 NtFreeVirtualMemory (-1, (0xc90000), 1052672, 32768, ... (0xc90000), 1052672, ) == 0x0 00830 568 NtUnlockFile (108, {0, 0}, {-1, -1}, 568, ... ) == STATUS_RANGE_NOT_LOCKED 00831 568 NtClose (108, ... ) == 0x0 00832 568 NtDelayExecution (0, {-122880000, -1}, ... 00681 428 NtDelayExecution ... ) == 0x0 00833 428 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 108, ) }, 0, ... 108, ) == 0x0 00834 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00836 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00837 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 00838 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00839 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0 00840 428 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00841 428 NtClose (112, ... ) == 0x0 00842 428 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00843 428 NtClose (116, ... ) == 0x0 00844 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 116, ) }, ... 
116, ) == 0x0 00845 428 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00846 428 NtClose (116, ... ) == 0x0 00847 428 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 116, ) == 0x0 00848 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0 00849 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 120, ) }, ... 120, ) == 0x0 00850 428 NtNotifyChangeKey (120, 112, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00851 428 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00852 428 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0 00853 428 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0 00854 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00856 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 00858 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00859 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 132, ... 136, ) == 0x0 00860 428 NtQuerySection (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00861 428 NtClose (132, ... ) == 0x0 00862 428 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 00863 428 NtClose (136, ... 
) == 0x0 00864 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00865 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00866 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00867 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == 0x0 00868 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00869 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 132, ) == 0x0 00870 428 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00871 428 NtClose (136, ... ) == 0x0 00872 428 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 00873 428 NtClose (132, ... ) == 0x0 00874 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00875 428 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0 00876 428 NtAllocateVirtualMemory (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0 00877 428 NtAllocateVirtualMemory (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0 00878 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00879 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00880 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 132, ) }, ... 132, ) == 0x0 00881 428 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00882 428 NtClose (132, ... ) == 0x0 00883 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 132, ) }, ... 132, ) == 0x0 00884 428 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00885 428 NtClose (132, ... ) == 0x0 00886 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 132, ) }, ... 132, ) == 0x0 00887 428 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00888 428 NtClose (132, ... ) == 0x0 00889 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 428 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00891 428 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00892 428 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00893 428 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00894 428 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1238324, 0, (0x1f0003, {24, 52, 0x80, 1238324, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... 
) == STATUS_ACCESS_DENIED 00895 428 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 132, ) }, ... 132, ) == 0x0 00896 428 NtAllocateVirtualMemory (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0 00897 428 NtCreateKey (0xf003f, {24, 64, 0x40, 0, 0, (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00898 428 NtQueryDefaultUILanguage (1236560, ... 00899 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00900 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482052, ) == 0x0 00901 428 NtQueryInformationToken (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00902 428 NtClose (-2147482052, ... ) == 0x0 00903 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0 00904 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 428 NtOpenKey (0x80000000, {24, -2147482052, 0x640, 0, 0, (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0 00906 428 NtQueryValueKey (-2147482056, (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 428 NtClose (-2147482056, ... ) == 0x0 00908 428 NtClose (-2147482052, ... ) == 0x0 00898 428 NtQueryDefaultUILanguage ... ) == 0x0 00909 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00910 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 140, {status=0x0, info=1}, ) }, 1, 96, ... 140, {status=0x0, info=1}, ) == 0x0 00911 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 140, ... 144, ) == 0x0 00912 428 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xc90000), 0x0, 593920, ) == 0x0 00913 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 428 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00915 428 NtQueryDefaultLocale (1, 1234596, ... ) == 0x0 00916 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\320\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\320\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 424, 428, 1507, 0} (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\320\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\320\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ) ) == 0x0 00918 428 NtClose (140, ... ) == 0x0 00919 428 NtClose (144, ... ) == 0x0 00920 428 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 00921 428 NtUnmapViewOfSection (-1, 0x12e0fc, ... ) == STATUS_NOT_MAPPED_VIEW 00922 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00923 428 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00925 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00926 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233136, ... ) }, 1233136, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00928 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00929 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00930 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233728, ... ) }, 1233728, ... 
) == 0x0 00931 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 144, {status=0x0, info=1}, ) }, 3, 33, ... 144, {status=0x0, info=1}, ) == 0x0 00932 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00933 428 NtCreateKey (0x2001f, {24, 64, 0x40, 0, 0, (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0 00934 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0 00938 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 00939 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 152, ) == 0x0 00940 428 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00941 428 NtClose (148, ... ) == 0x0 00942 428 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 00943 428 NtClose (152, ... ) == 0x0 00944 428 NtAllocateVirtualMemory (-1, 3293184, 0, 8192, 4096, 4, ... 3293184, 8192, ) == 0x0 00945 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00946 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
152, ) == 0x0 00947 428 NtQueryInformationToken (152, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00948 428 NtClose (152, ... ) == 0x0 00949 428 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 152, ) }, ... 152, ) == 0x0 00950 428 NtOpenKey (0x20019, {24, 152, 0x40, 0, 0, (0x20019, {24, 152, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 428 NtClose (152, ... ) == 0x0 00952 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 152, ) }, ... 152, ) == 0x0 00953 428 NtQueryValueKey (152, (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 00954 428 NtQueryValueKey (152, (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 00955 428 NtQueryValueKey (152, (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 00956 428 NtQueryValueKey (152, (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 00957 428 NtClose (152, ... ) == 0x0 00958 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 152, ) }, ... 152, ) == 0x0 00959 428 NtQueryValueKey (152, (152, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00960 428 NtQueryValueKey (152, (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 00961 428 NtQueryValueKey (152, (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 00962 428 NtQueryValueKey (152, (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 00963 428 NtQueryValueKey (152, (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 00964 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0 00965 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 00966 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 156, ) == 0x0 00967 428 NtClose (148, ... ) == 0x0 00968 428 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 135168, ) == 0x0 00969 428 NtClose (156, ... ) == 0x0 00970 428 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 00971 428 NtQuerySystemInformation (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0 00972 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238660, ... ) }, 1238660, ... 
) == 0x0 00973 428 NtQueryFullAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0 00974 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239184, (0x80100080, {24, 0, 0x40, 0, 1239184, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 00975 428 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 148, ) == 0x0 00976 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3d0000), {0, 0}, 135168, ) == 0x0 00977 428 NtQueryDefaultLocale (1, 1238992, ... ) == 0x0 00978 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... {BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00979 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... {BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00980 428 NtReadFile (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (156, 0, 0, 0, 336, 0x0, 0, ... 
{status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 00981 428 NtQueryInformationFile (156, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 00982 428 NtSetInformationFile (156, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00983 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00984 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 00985 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 00986 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 00987 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 00988 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 00989 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 00990 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 00991 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 00992 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 00993 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 00994 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 00995 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 00996 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 00997 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 00998 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 00999 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01000 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01001 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01002 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01003 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01004 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01005 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01006 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01007 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01008 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01009 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01010 428 NtReadFile (156, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01011 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01012 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01013 428 NtReadFile (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (156, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01014 428 NtQueryInformationFile (156, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01015 428 NtSetInformationFile (156, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01016 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0 01017 428 NtReadFile (156, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, (156, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0 01018 428 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01019 428 NtClose (148, ... ) == 0x0 01020 428 NtClose (156, ... 
) == 0x0 01021 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01022 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01023 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 156, ... 148, ) == 0x0 01024 428 NtClose (156, ... ) == 0x0 01025 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 135168, ) == 0x0 01026 428 NtClose (148, ... ) == 0x0 01027 428 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01028 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238032, ... ) }, 1238032, ... ) == 0x0 01029 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01030 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 156, ) == 0x0 01031 428 NtQuerySection (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01032 428 NtClose (148, ... ) == 0x0 01033 428 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0 01034 428 NtClose (156, ... ) == 0x0 01035 428 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01036 428 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01037 428 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01038 428 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01039 428 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01040 428 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01041 428 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... 
(0xffd1000), 4096, 32, ) == 0x0 01042 428 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01043 428 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01044 428 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01045 428 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01046 428 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01047 428 NtAllocateVirtualMemory (-1, 1376256, 0, 20480, 4096, 4, ... 1376256, 20480, ) == 0x0 01048 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01049 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01050 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01051 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01052 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01053 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01054 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01055 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01056 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01057 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01058 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01059 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01060 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01061 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01062 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01063 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01064 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01065 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01066 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01067 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01068 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01069 428 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01070 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236984, ... ) }, 1236984, ... 
) == 0x0 01071 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237716, (0x80100080, {24, 0, 0x40, 0, 1237716, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01072 428 NtQueryVolumeInformationFile (156, 1237876, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01073 428 NtQueryInformationFile (156, 1237768, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01074 428 NtQueryInformationFile (156, 1238060, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01075 428 NtClose (156, ... ) == 0x0 01076 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236476, ... ) }, 1236476, ... ) == 0x0 01077 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237208, (0x80100080, {24, 0, 0x40, 0, 1237208, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01078 428 NtQueryVolumeInformationFile (156, 1237368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01079 428 NtQueryInformationFile (156, 1237260, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01080 428 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 148, ) == 0x0 01081 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3d0000), {0, 0}, 135168, ) == 0x0 01082 428 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01083 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... {BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01084 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... {BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01085 428 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01086 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... 
{BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01087 428 NtQueryVirtualMemory (-1, 0x3d0000, Basic, 28, ... {BaseAddress=0x3d0000,AllocationBase=0x3d0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01088 428 NtReadFile (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01089 428 NtQueryInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01090 428 NtSetInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01091 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01092 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01093 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01094 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01095 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01096 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01097 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01098 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01099 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01100 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01101 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01102 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01103 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01104 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01105 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01106 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01107 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01108 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01109 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01110 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01111 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01112 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01113 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01114 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01115 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01116 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01117 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01118 428 NtReadFile (156, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01119 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01120 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01121 428 NtReadFile (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (156, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01122 428 NtQueryInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01123 428 NtSetInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01124 428 NtQueryInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01125 428 NtSetInformationFile (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01126 428 NtReadFile (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (156, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0 01127 428 NtReadFile (156, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, (156, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0 01128 428 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01129 428 NtClose (148, ... ) == 0x0 01130 428 NtClose (156, ... 
) == 0x0 01131 428 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 01132 428 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 156, ) }, ... 156, ) == 0x0 01133 428 NtQueryValueKey (156, (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01134 428 NtQueryValueKey (156, (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01135 428 NtQueryValueKey (156, (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01136 428 NtQueryValueKey (156, (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... 
TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01137 428 NtClose (156, ... ) == 0x0 01138 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01139 428 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01140 428 NtOpenProcessToken (-1, 0x8, ... 156, ) == 0x0 01141 428 NtQueryInformationToken (156, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 01142 428 NtClose (156, ... ) == 0x0 01143 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 156, {status=0x0, info=0}, ) }, 7, 16, ... 156, {status=0x0, info=0}, ) == 0x0 01144 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01145 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01146 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01147 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01148 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01149 428 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01150 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01151 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01152 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01153 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "0\373\332WOz\315{\350\37Q\26\30\\237\2763evg\275\257&\35\246\324\301\370\312}\371\323\367\12\354\345\310\265\21\21\312\240\244Z\5\302\253\360{k(\270\13[T\2\333\264\306{\24\320\32o\331\203\344\3568\224\223\343\5,\364}\254,\330", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "0\373\332WOz\315{\350\37Q\26\30\\237\2763evg\275\257&\35\246\324\301\370\312}\371\323\367\12\354\345\310\265\21\21\312\240\244Z\5\302\253\360{k(\270\13[T\2\333\264\306{\24\320\32o\331\203\344\3568\224\223\343\5,\364}\254,\330", 80, ... ) , 80, ... ) == 0x0 01154 428 NtClose (-2147482052, ... ) == 0x0 01144 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "n\357\376\340\26\353FF\35\16\12M!\352\273\322~v\332\6\323T*\\200N\355\311\311o\17\307\343\177\263\362\79\2475\221\13!\343\326\202-!3\307\2746\244S\276 \32\304m\11.dq@\375\350\326\337\201b\2`\205-i\370\22\27\312`\234\1\375\346\330\340\323|\1\20\334\317g\304pZT\347\345\326\272\7\244$\204\13\213\12qge1/\244\3552\343\347\317\321aZ\203\352\330\201C\376\20\261s\257\10\235[*\362\342\302G\31\20M0!X9\241\264\343[9uq\303\330\211\223\373BA\326\264\311\345\373\246\363#\276\316\277\347O~\205)^"o;\234\217I[\265Py\220\320\20\236d3\241\305\270\2241Wn\374\23\270\0\324{\251J\253\207\301\340\205\366\20.\361\337t\332\265b\371\337\202#1\35\345\206\221f\17\36\206\313t\253Cm\237\23\250\274]\356U\266A\237\301\355\31\310", ) o;\234\217I[\265Py\220\320\20\236d3\241\305\270\2241Wn\374\23\270\0\324{\251J\253\207\301\340\205\366\20.\361\337t\332\265b\371\337\202#1\35\345\206\221f\17\36\206\313t\253Cm\237\23\250\274]\356U\266A\237\301\355\31\310", ) == 0x0 01155 428 NtClose (152, ... ) == 0x0 01156 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\3575\374Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01157 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01158 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01159 428 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 312, ) == 0x0 01160 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01161 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01162 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01163 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01164 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01165 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\225A\220\364\223,\364\245\325W\202\365\300#Y\34\1\256]\240^\213\342\251\247\336\246\35a\226\3270\252&`\326\17S\316m\211\333\270A\346\342\253^\245\264\240\3056\26\207\223Lf1M\344\226\255\222\360\321\361L\244\214(\10\13\257\11\265\4OjU", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "\225A\220\364\223,\364\245\325W\202\365\300#Y\34\1\256]\240^\213\342\251\247\336\246\35a\226\3270\252&`\326\17S\316m\211\333\270A\346\342\253^\245\264\240\3056\26\207\223Lf1M\344\226\255\222\360\321\361L\244\214(\10\13\257\11\265\4OjU", 80, ... ) , 80, ... ) == 0x0 01166 428 NtClose (-2147482052, ... ) == 0x0 01156 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\367\226}\266\243s\357\364\226\225\260\314DfU:\305bM\307\261\322\24\14\27\323\217\352\271\277\257\361\340#?\347^\363E\251\240\221\307\221\337\327\10\23\344\274\307V\0@\30\357\323\360\260i\\261\352\7()0s\245\333ee\264s\330\236b\343\212|\32;\37\25*\336@\301\202\264-f\346\17\344]`\351<\375\304itf9\230\275Y\303\312=\210J\343\216\302\23O\244\365Z\303\211\355\370Rx\213\343\313\200J\271Y\346\304\275F\241\15\363@8t\2638\2\300\362\317\221\223T\362x\20v\365U/\347\305\34\226O\363\343\264\360\346D\346\325\227\2617\256Y\260\22\342\33\301\246\211\330\360L\334\263\235\1\250\231\5\226\321V\36\253", ) , ) == 0x0 01167 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01168 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01169 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01170 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01171 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01172 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01173 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01174 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 01175 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01176 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\302\243\372\23/.%D\13\241\361#\3\230\5\11\321\307\236\274\211\12y\301A\207\243\5%T\264J\266\312\246\360\325\340\16+\233\35/\331\265\3143s\350Z\326\310\342\262\3764-\234E7x\301\277%\246\26\334\263\274I\252\373e,S}f\343\277=", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "\302\243\372\23/.%D\13\241\361#\3\230\5\11\321\307\236\274\211\12y\301A\207\243\5%T\264J\266\312\246\360\325\340\16+\233\35/\331\265\3143s\350Z\326\310\342\262\3764-\234E7x\301\277%\246\26\334\263\274I\252\373e,S}f\343\277=", 80, ... ) , 80, ... ) == 0x0 01177 428 NtClose (-2147482052, ... ) == 0x0 01167 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "n\315\363\2z\16\27\%\322\2757\305\212h\322\200\337ax\10.\5\246\233\377\301\207\352\3033\3045{>J\325\337\24\367\242 o'y6\21\315\346\206o\244~\352\243N\244\327\11\354\222\204m\357\211g0\13\244\24\13LwAy\231\254\2024\267*)4\240\375\30\37\243\16\235h\32)\265\272\351\374Y`\32\0\221\230)'\275\20\0\202\214\275\375\315\240(\320\341\226\207i\216\321\261\277_\305\360\352\35\307\31\220V\357XeM\327\241\16\225\334\337\11\346D*k\244\351\342\225\2739.\354\3732!F!\254\351\244J/\261\306\215{*D\360\202\1\335\253\377DU\31\204"\266\3366\375\33d\277cs\220\265\205\262&,\205\203l\14\372$\236T\351ko\372\325k\313\323N\5\224\15\216rJ\260\341Qs\10\377\375\251\304\274\213E\337\321\37l\275\231?+n\1\346\207\326a\333\5\325\306q4\206", ) \266\3366\375\33d\277cs\220\265\205\262&,\205\203l\14\372$\236T\351ko\372\325k\313\323N\5\224\15\216rJ\260\341Qs\10\377\375\251\304\274\213E\337\321\37l\275\231?+n\1\346\207\326a\333\5\325\306q4\206", ) == 0x0 01178 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, 
"lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\241\374\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01179 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01180 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01181 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01182 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01183 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01184 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01185 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01186 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01187 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\244\267\254\31&T\347\2\3710\343&\204\345\34\210\272\267]J\322\211\25FV\334\275\204>-YD \246\252\320\16\27\32\361i\346\271]C\235\310\363+\231\235\353.\350\321\244T\202\0D\16\177,l\376\372iz\340Y\2\362\252\\302\33\210\353\330\273", 80, ... 
) , 0, 3, (-2147482052, "Seed", 0, 3, "\244\267\254\31&T\347\2\3710\343&\204\345\34\210\272\267]J\322\211\25FV\334\275\204>-YD \246\252\320\16\27\32\361i\346\271]C\235\310\363+\231\235\353.\350\321\244T\202\0D\16\177,l\376\372iz\340Y\2\362\252\\302\33\210\353\330\273", 80, ... ) , 80, ... ) == 0x0 01188 428 NtClose (-2147482052, ... ) == 0x0 01178 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\377\237\32\224\242\266_\273:p|\360\271_\252\11\6\225\237\270M]\210)\360<\3343r\214{\31\372j\346\325s1\264\322\256\315M\25u\365\22\300x\262\321 \262B\216,1<\355P\302}\311\265d\250\3042d|\243\360_\6\10@z\23\370\306,\10\237_\6\213\310''#Gl\232\226\253\243.&\305DoX\332\353r\233|\306\266E``\271v\320\250]t\16\372\11\3\371\270\3100\177Nh\202\214\0\350\335F\346W\22\247E\351, ) , ) == 0x0 01189 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01190 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01191 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01192 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01193 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01194 428 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01195 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01196 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01197 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01198 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "G\346\301\354\341\216\236\34>'\355\20\15U\204*\204[\177\272h\341rZ\220\367\274\363S\0\364p\215\251\377\365\375\241l\370\16\352=\355;\366\32T, 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "G\346\301\354\341\216\236\34>'\355\20\15U\204*\204[\177\272h\341rZ\220\367\274\363S\0\364p\215\251\377\365\375\241l\370\16\352=\355;\366\32T, 80, ... ) , 80, ... ) == 0x0 01199 428 NtClose (-2147482052, ... ) == 0x0 01189 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, ":\205\237\235|\200\11\321\27\352\347x\303o\224\15\354\23\305\3319\315\240\3276w\363\234\374\22\222\345\260\230\236\375q|F\227\264v\205\13\212\11\267\364`W\221\365O\327\20\365\312\237\267)\320\32\377\327L\235\265#$\245\372\303>Z\214\307\301\362^\375\24\206,\343kZ\30^B%\312:,v\215\242\370m0\337*3\335\350|=\367\206$\211=\222\205\247\271\27\264\235\356\352\13\320k\356rx6\3354S\24\272\177\306\223P)\315\16\33W\312A\236\351\375\353\22\214\230\262\356)\255\210#\32\244\3155\236\223?%\240\261\35\3300J\374\2754\275\22Y\277\205a\325\1\343\212\234\365\271V\222:\324\221\232\261\272\317\261\352\16fl\215\206H\25\337\205D}\235O\213D\206"\320\312W\373\324a\321S\35\3206\13\330{?\357\30O\252A\353\333\233\226\203\377\223\315\213?\344\210\325\4\236\1\351\372N\262\3417", ) \320\312W\373\324a\321S\35\3206\13\330{?\357\30O\252A\353\333\233\226\203\377\223\315\213?\344\210\325\4\236\1\351\372N\262\3417", ) == 0x0 01200 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01201 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01202 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01203 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01204 428 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01205 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01206 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01207 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01208 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01209 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\310.k\202\357#P1\4\341\333\271\272\301`i\362v\226\37x\251\374\335\367\250\35\336\220\345N\312\233\3\36\300\7\220\244\3638A\314GX\26\212cSO\371\20\25\364R\4\234\17S\201\6\223\315\336\320\202_\274\31\16\240\212N\15\3U\204@\314\231", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "\310.k\202\357#P1\4\341\333\271\272\301`i\362v\226\37x\251\374\335\367\250\35\336\220\345N\312\233\3\36\300\7\220\244\3638A\314GX\26\212cSO\371\20\25\364R\4\234\17S\201\6\223\315\336\320\202_\274\31\16\240\212N\15\3U\204@\314\231", 80, ... ) , 80, ... ) == 0x0 01210 428 NtClose (-2147482052, ... ) == 0x0 01200 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\277\204\1r\216i\334D^\237\223\213\21[t\16\320K\310\215\254~\3373\366\233\227_\363\307N9\306\225\230\3439\331\261\35\300\366\7}\342\13K\243\227\343\261\366P,\345\270\11E,\225\216\321\352\350\3634\17\235\347\216\36\201\201\323\334'\207\17\214\265t\30\21D\347QAb\306K N\310\304\206\233\301\224=&H\204\273^\R\1615\33/\36t\366\221\363V\3407Y\210%\2D\276\6Y\307s=v\351\345\21;\221\4\2050siD)3\6\240P\215\231\254;|r\1>\326B\2205dy\233\220E\337\371\3329B\201\266\356p\303vb\230\264$d\7\351\343\11|\0\334\26BkZ'\271\313\331\345p\35\237\372\0\322\11E\2665\331\361*\272\337>\36\224\207R%\260\234#\261RT\311\272\261\37\300\217\223\22\257?k\363\243\7\307\361\305\210\206\276\306\211U\262\20\331\371vS\2"\320\20", ) \320\20", ) == 0x0 01211 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01212 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01213 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01214 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01215 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01216 428 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01217 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01218 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01219 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01220 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\207xL\201\216\255\267+\257\241;\215\257\10+\353\336i\15\235S\21\244*\226\337\213\315j\3475?o\310\4H\221\245/6\222-\313\236_\4\36\34b\2'P\377\233\376\121\7\244M\361\304\303\347\337\14\261\237\22\37\360^\4\271\2321\347a\30r", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "\207xL\201\216\255\267+\257\241;\215\257\10+\353\336i\15\235S\21\244*\226\337\213\315j\3475?o\310\4H\221\245/6\222-\313\236_\4\36\34b\2'P\377\233\376\121\7\244M\361\304\303\347\337\14\261\237\22\37\360^\4\271\2321\347a\30r", 80, ... ) , 80, ... ) == 0x0 01221 428 NtClose (-2147482052, ... ) == 0x0 01211 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\245\305~\273h\272A\371\232\365k\220\345\332\4y\2418\362W\354\3526\317[\250\263f\3601\346-\264\250oMk7\347l%\274a\321\206\31\246\340\335\345\23O\201\242\24\343W\211M0B\223u\350\217\266\367\10\275\374\377\312\3\233Cr[\242\25\7\327\210\206q\235\20.\235P\277U\326\16\276\343 V2\367\252\367\333\303\2055\357hz1[q\20Z\225\202\363\354@\251, ) , ) == 0x0 01222 428 NtDeviceIoControlFile (156, 0, 0x0, 0x0, 0x390008, (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\4\234\3405\23\30\357\217\303\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\241\374\10|\336\251\224\33\303Rw\312\313\215\245\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01223 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01224 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01225 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01226 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01227 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01228 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01229 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01230 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... 
-2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0 01231 428 NtSetValueKey (-2147482052, (-2147482052, "Seed", 0, 3, "\342\311\370\272\256\214\305w\354~\36\261\304HX\373\3755\256\37\212\206\2\11f9\23\206\214lk\272%\245\371\23601\217`II\241\352wm4\232\317\314v\360&\204C\312E\226~\370\343\373\204&\232.=\234e\10\376.\311Mc5\3\243\352\313", 80, ... ) , 0, 3, (-2147482052, "Seed", 0, 3, "\342\311\370\272\256\214\305w\354~\36\261\304HX\373\3755\256\37\212\206\2\11f9\23\206\214lk\272%\245\371\23601\217`II\241\352wm4\232\317\314v\360&\204C\312E\226~\370\343\373\204&\232.=\234e\10\376.\311Mc5\3\243\352\313", 80, ... ) , 80, ... ) == 0x0 01232 428 NtClose (-2147482052, ... ) == 0x0 01222 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "@\27\34*\332\326\357\242\211\1\247\352f\207h\344\251\301\216\323\30{\302\365\311\23k;\254\202\347|\364\224\213D\\223\275\244\247\273Iw\372I)\307l\202O\257\345.\217\221\220\26lE\260\361\312\334\303\7\207\326H=\303"h\362oi\3000#1x\212\366\364\265\256\262\3{\26%\340}^J\357\7!\273I\301\377\307<\3162\206\275\2355U\215d0\31\337\372m\234\307\302\342\312\237>\257\1G\17?'px\367\311\356\357T\345^#/\244\177\215\370p\322\2762\255\347\204\240l6^\324mz\321\0\340\210\231\36b\263\373\260\262/\327\245\26c\344_\34\230\35p\330\237.\332\317\270Q\267\23\220\224\233m\203\272\374uN\241\277mf/\365\370\225#\272G\326C\372\227N\3616\362rO\234\213V}\225\26\356gs^[\261\246Z\273\3\236\357\311\3420\211\3j\20\231D\222\3729\365\3235", ) h\362oi\3000#1x\212\366\364\265\256\262\3{\26%\340}^J\357\7!\273I\301\377\307<\3162\206\275\2355U\215d0\31\337\372m\234\307\302\342\312\237>\257\1G\17?'px\367\311\356\357T\345^#/\244\177\215\370p\322\2762\255\347\204\240l6^\324mz\321\0\340\210\231\36b\263\373\260\262/\327\245\26c\344_\34\230\35p\330\237.\332\317\270Q\267\23\220\224\233m\203\272\374uN\241\277mf/\365\370\225#\272G\326C\372\227N\3616\362rO\234\213V}\225\26\356gs^[\261\246Z\273\3\236\357\311\3420\211\3j\20\231D\222\3729\365\3235", ) == 
0x0 01233 428 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 152, {status=0x0, info=1}, ) }, 3, 33, ... 152, {status=0x0, info=1}, ) == 0x0 01234 428 NtQueryVolumeInformationFile (152, 1238964, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01235 428 NtClose (12, ... ) == 0x0 01236 428 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238184, (0x80100080, {24, 0, 0x40, 0, 1238184, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 01238 428 NtQueryInformationFile (12, 1239120, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01239 428 NtQueryInformationFile (12, 1239092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01240 428 NtQueryInformationFile (12, 1239044, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01241 428 NtAllocateVirtualMemory (-1, 1400832, 0, 8192, 4096, 4, ... 1400832, 8192, ) == 0x0 01242 428 NtQueryInformationFile (12, 1400368, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01243 428 NtQueryInformationFile (12, 1237588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01244 428 NtQueryInformationFile (12, 1237432, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01245 428 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1237440, (0x40110080, {24, 0, 0x40, 0, 1237440, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01246 428 NtClose (-2147482052, ... ) == 0x0 01245 428 NtCreateFile ... 148, {status=0x0, info=2}, ) == 0x0 01247 428 NtQueryVolumeInformationFile (148, 1236812, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01248 428 NtQueryInformationFile (148, 1236772, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 01249 428 NtQueryVolumeInformationFile (12, 1236812, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01250 428 NtQueryVolumeInformationFile (12, 1236496, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01251 428 NtSetInformationFile (148, 1236600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01252 428 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 160, ) == 0x0 01253 428 NtMapViewOfSection (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3d0000), {0, 0}, 69632, ) == 0x0 01254 428 NtClose (160, ... ) == 0x0 01255 428 NtWriteFile (148, 0, 0, 0, (148, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\240\32\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01256 428 NtWriteFile (148, 0, 0, 0, (148, 0, 0, 0, "\343G9\1\24\6)\243\12?AgR~\265\252'4;+\2\355\321\250\363\362\203\352ht]\6b\363\58\30@\304\242\351\340\201\13B\s\207\34\231\370\251\315B\360\210\224\300\253\15\304V\274\210:\324\327\304#F\225\254\255\306X\26^\177\17\371(\350!R=\275\15EC2~\262\314\252\320\355\335\350\341l\211\240\264!\34\231i\241\343\273\205\236\362\14\213\25\256\236R\324\5\307\363\203\322A\227\163\6\241\270\206!\333\333)\2\12\373\360\267\322\320\252W\215\225\361\327$\36\1\333v\273\376\3676=\274\32R\212\23\337|\16\303(\237\216\266\320\225\216\371S\0\261*S\3dx\351\221'Kqm6\37\357\327\214\273\34\207\357\314\342\27I)\13\250\3578\33\261>n\242B\370\337lN\232\20\34\27\360\13\350iu%b*\370g\0m\371-a#\266$P\\262EZ\3\320\273\272\315\4b\375\210\20\14.\343\347\362\252\260\363\36\316\244^oF\15\2748jl\270\350Y\340\0\227\260\306\226s\267\252\264\234\20\375\31\30=J$\372\177\356o+[\312h9{\367\217\347\331\363+\242w\360q\217B?\13h\234w\3tl\246\345\362c\241\230\3619=\234\371lJ\177@$-\305\300\222\3\271\227O\276q\31\313\337\307W\336\273=*\320@\342\255\376\225[b\352,;\271\324\372\211U\374d\332\347\216\270\240\242\220\260\206\330\24\212qtR&\257\227\210\301\3453\306}#\314B7w\365\244\272\231x\216>\243\374pBE\0\331x1*\322\333\217\205\2507Eaf\223\3\335, 4608, 0x0, 0, ... {status=0x0, info=4608}, ) , 4608, 0x0, 0, ... {status=0x0, info=4608}, ) == 0x0 01257 428 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01258 428 NtSetInformationFile (148, 1239044, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01259 428 NtClose (12, ... ) == 0x0 01260 428 NtClose (148, ... ) == 0x0 01261 428 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0 01262 428 NtSetInformationFile (148, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01263 428 NtClose (148, ... 
) == 0x0 01264 428 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0 01265 428 NtSetInformationFile (148, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01266 428 NtClose (148, ... ) == 0x0 01267 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238948, (0x80100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01268 428 NtQueryInformationFile (148, 1239000, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01269 428 NtClose (148, ... ) == 0x0 01270 428 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1238948, (0x40100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01271 428 NtSetInformationFile (148, 1239000, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01272 428 NtClose (148, ... ) == 0x0 01273 428 NtOpenFile (0x10080, {24, 152, 0x40, 0, 0, (0x10080, {24, 152, 0x40, 0, 0, "czdddn.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 428 NtCreateFile (0x40100080, {24, 152, 0x40, 0, 1239196, (0x40100080, {24, 152, 0x40, 0, 1239196, "czdddn.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 148, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 148, {status=0x0, info=2}, ) == 0x0 01275 428 NtWriteFile (148, 0, 0, 0, (148, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del czdddn.bat\15\12", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0 01276 428 NtClose (148, ... 
) == 0x0 01277 428 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01278 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232536, ... ) }, 1232536, ... ) == 0x0 01279 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01280 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 12, ) == 0x0 01281 428 NtClose (148, ... ) == 0x0 01282 428 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 262144, ) == 0x0 01283 428 NtClose (12, ... ) == 0x0 01284 428 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 01285 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01286 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01287 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01288 428 NtAllocateVirtualMemory (-1, 1409024, 0, 16384, 4096, 4, ... 
1409024, 16384, ) == 0x0 01289 428 NtUserRegisterClassExWOW (1234620, 1234700, 1234684, 1234716, 0, 384, 0, ... ) == 0x810dc038 01290 428 NtUserGetAtomName (49208, 1233384, ... ) == 0x15 01291 428 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 01292 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230908, ... ) }, 1230908, ... ) == 0x0 01293 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0 01294 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 12, ... 148, ) == 0x0 01295 428 NtClose (12, ... ) == 0x0 01296 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc90000), 0x0, 204800, ) == 0x0 01297 428 NtClose (148, ... ) == 0x0 01298 428 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 01299 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231224, ... ) }, 1231224, ... ) == 0x0 01300 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01301 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 12, ) == 0x0 01302 428 NtQuerySection (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01303 428 NtClose (148, ... ) == 0x0 01304 428 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 01305 428 NtClose (12, ... ) == 0x0 01306 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01307 428 NtUserCallOneParam (16842833, 56, ... 
) == 0x1 01308 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01309 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01310 428 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01311 428 NtClose (12, ... ) == 0x0 01312 428 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01313 428 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 01314 428 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 148, ) }, ... 148, ) == 0x0 01315 428 NtQueryValueKey (148, (148, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01316 428 NtClose (148, ... ) == 0x0 01317 428 NtClose (12, ... ) == 0x0 01318 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01319 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01320 428 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01321 428 NtClose (12, ... ) == 0x0 01322 428 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 01323 428 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 148, ) }, ... 148, ) == 0x0 01324 428 NtQueryValueKey (148, (148, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01325 428 NtClose (148, ... ) == 0x0 01326 428 NtClose (12, ... ) == 0x0 01327 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01328 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "UxTheme.dll"}, 1230724, ... 
) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01329 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == 0x0 01330 428 NtUserGetProcessWindowStation (... ) == 0x28 01331 428 NtUserGetObjectInformation (40, 2, 0, 0, 1233020, ... ) == 0x0 01332 428 NtUserGetObjectInformation (40, 2, 1364704, 16, 1233020, ... ) == 0x1 01333 428 NtUserGetGUIThreadInfo (428, 1232976, ... ) == 0x1 01334 428 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0 01335 428 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 424, 428, 1509, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01336 428 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1510, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 424, 428, 1510, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1510, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01337 428 NtUserCallNoParam (29, ... 01338 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230268, ... ) }, 1230268, ... ) == 0x0 01337 428 NtUserCallNoParam ... 
) == 0x0 01339 428 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01340 428 NtGdiHfontCreate (1232348, 356, 0, 0, 1373784, ... ) == 0x170a0381 01341 428 NtGdiHfontCreate (1232348, 356, 0, 0, 1373776, ... ) == 0x90a040b 01342 428 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1511, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 424, 428, 1511, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 424, 428, 1511, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01343 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xc90000), {0, 0}, 331776, ) == 0x0 01344 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01345 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01346 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01347 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01348 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01349 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01350 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01351 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01352 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01353 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01354 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01355 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01356 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01357 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01358 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01359 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01360 428 NtUserGetWindowDC (0, ... ) == 0x1010051 01361 428 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0xc1003ff 01362 428 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01363 428 NtUserCallNoParam (29, ... 
01364 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0 01363 428 NtUserCallNoParam ... ) == 0x0 01365 428 NtUserCallNoParam (29, ... 01366 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0 01365 428 NtUserCallNoParam ... ) == 0x0 01367 428 NtUserMessageCall (0x200ae, WM_NCCREATE, 0x0, 0x12d194, 0, 670, 0, ... ) == 0x1 01368 428 NtUserMessageCall (0x200ae, WM_NCCALCSIZE, 0x0, 0x12d1bc, 0, 670, 0, ... ) == 0x0 01369 428 NtUserSetProp (131246, 43288, -1, ... ) == 0x1 01291 428 NtUserCreateWindowEx ... ) == 0x200ae 01370 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 160, ) }, ... 160, ) == 0x0 01371 428 NtQueryValueKey (160, (160, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01372 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01373 428 NtQueryValueKey (164, (164, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01374 428 NtClose (164, ... ) == 0x0 01375 428 NtClose (160, ... ) == 0x0 01376 428 NtAllocateVirtualMemory (-1, 1425408, 0, 24576, 4096, 4, ... 1425408, 24576, ) == 0x0 01377 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01378 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01379 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 160, ) }, ... 160, ) == 0x0 01380 428 NtQueryValueKey (160, (160, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 428 NtClose (160, ... ) == 0x0 01382 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01383 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0 01384 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0 01385 428 NtQuerySystemTime (... {-1796066954, 29889248}, ) == 0x0 01386 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0 01387 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01388 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01389 428 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01390 428 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01391 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0 01392 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 176, ) == 0x0 01393 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 180, ) }, ... 180, ) == 0x0 01394 428 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "ActiveComputerName"}, ... 184, ) }, ... 184, ) == 0x0 01395 428 NtQueryValueKey (184, (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... 
TitleIdx=0, Type=1, Name= (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01396 428 NtClose (184, ... ) == 0x0 01397 428 NtClose (180, ... ) == 0x0 01398 428 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 180, ) == 0x0 01399 428 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 184, ) == 0x0 01400 428 NtDuplicateObject (-1, 180, -1, 0x0, 0, 2, ... 188, ) == 0x0 01401 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01402 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0 01403 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01404 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01405 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233148, (0xc0100080, {24, 0, 0x40, 0, 1233148, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0 01406 428 NtSetInformationFile (196, 1233204, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01407 428 NtSetInformationFile (196, 1233196, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01408 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01409 428 NtWriteFile (196, 173, 0, 0, (196, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01410 428 NtReadFile (196, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (196, 173, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01411 428 NtFsControlFile (196, 173, 0x0, 0x0, 0x11c017, (196, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (196, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01412 428 NtClose (192, ... ) == 0x0 01413 428 NtClose (196, ... ) == 0x0 01414 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233192, ... ) }, 1233192, ... ) == 0x0 01415 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01416 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01417 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "czdddn.bat"}, 1233012, ... ) }, 1233012, ... ) == 0x0 01418 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01419 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01420 428 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1373800, 0, (0x1f0003, {24, 52, 0x80, 1373800, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 196, ) }, 0, 2147483647, ... 196, ) == STATUS_OBJECT_NAME_EXISTS 01421 428 NtReleaseSemaphore (196, 1, ... 
0, ) == 0x0 01422 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 01423 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01424 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0 01425 428 NtQueryValueKey (192, (192, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 428 NtClose (192, ... ) == 0x0 01427 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 01428 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 01429 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0 01431 428 NtQueryValueKey (192, (192, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 428 NtClose (192, ... ) == 0x0 01433 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 01434 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 01435 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01436 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0 01437 428 NtQueryValueKey (192, (192, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 428 NtClose (192, ... ) == 0x0 01439 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 01440 428 NtWaitForSingleObject (196, 0, {0, 0}, ... 
) == 0x0 01441 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0 01443 428 NtQueryValueKey (192, (192, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01444 428 NtClose (192, ... ) == 0x0 01445 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 192, ) }, ... 192, ) == 0x0 01446 428 NtEnumerateKey (192, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (192, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0 01447 428 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 200, ) }, ... 200, ) == 0x0 01448 428 NtQueryValueKey (200, (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01449 428 NtClose (200, ... ) == 0x0 01450 428 NtEnumerateKey (192, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (192, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0 01451 428 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 200, ) }, ... 200, ) == 0x0 01452 428 NtQueryValueKey (200, (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 428 NtClose (200, ... ) == 0x0 01454 428 NtEnumerateKey (192, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (192, 2, Basic, 288, ... 
{LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0 01455 428 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 200, ) }, ... 200, ) == 0x0 01456 428 NtQueryValueKey (200, (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 428 NtClose (200, ... ) == 0x0 01458 428 NtEnumerateKey (192, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (192, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0 01459 428 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 200, ) }, ... 200, ) == 0x0 01460 428 NtQueryValueKey (200, (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 428 NtClose (200, ... ) == 0x0 01462 428 NtEnumerateKey (192, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01463 428 NtClose (192, ... ) == 0x0 01464 428 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01465 428 NtOpenProcessToken (-1, 0x8, ... 192, ) == 0x0 01466 428 NtQueryInformationToken (192, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01467 428 NtClose (192, ... ) == 0x0 01468 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01469 428 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0 01470 428 NtOpenKey (0x2000000, {24, 192, 0x40, 0, 0, ""}, ... 
200, ) == 0x0 01471 428 NtCreateKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "SessionInfo\000000000000900e"}, 0, 0x0, 1, ... 204, 2, ) }, 0, 0x0, 1, ... 204, 2, ) == 0x0 01472 428 NtClose (200, ... ) == 0x0 01473 428 NtOpenKey (0x20019, {24, 204, 0x40, 0, 0, (0x20019, {24, 204, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01474 428 NtClose (204, ... ) == 0x0 01475 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01476 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 01477 428 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01478 428 NtClose (204, ... ) == 0x0 01479 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 204, ) }, ... 204, ) == 0x0 01480 428 NtSetInformationObject (206, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 01481 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01482 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01483 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0 01484 428 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01485 428 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 01486 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01487 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
208, ) == 0x0 01488 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01489 428 NtClose (208, ... ) == 0x0 01490 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 428 NtQueryValueKey (202, (202, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 428 NtClose (202, ... ) == 0x0 01493 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01494 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01495 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0 01496 428 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01497 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01498 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01499 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01500 428 NtClose (208, ... ) == 0x0 01501 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 428 NtQueryValueKey (202, (202, "WantsParseDisplayName", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 428 NtClose (202, ... ) == 0x0 01504 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01505 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01506 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0 01507 428 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01508 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01509 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01510 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01511 428 NtClose (208, ... ) == 0x0 01512 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 428 NtQueryValueKey (202, (202, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01514 428 NtClose (202, ... ) == 0x0 01515 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 428 NtQueryKey (206, Name, 384, ... 
{Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0 01517 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01518 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0 01519 428 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01520 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01521 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01522 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01523 428 NtClose (208, ... ) == 0x0 01524 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 428 NtQueryValueKey (202, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01526 428 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01527 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01528 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01529 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01530 428 NtClose (208, ... 
) == 0x0 01531 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01532 428 NtQueryValueKey (202, (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01533 428 NtClose (202, ... ) == 0x0 01534 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 01535 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 01536 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01537 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 200, ) }, ... 200, ) == 0x0 01538 428 NtQueryValueKey (200, (200, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01539 428 NtClose (200, ... ) == 0x0 01540 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 200, ) }, ... 200, ) == 0x0 01541 428 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01542 428 NtClose (200, ... ) == 0x0 01543 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 200, ) }, ... 200, ) == 0x0 01544 428 NtQueryValueKey (200, (200, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01545 428 NtClose (200, ... ) == 0x0 01546 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0 01547 428 NtQueryValueKey (200, " (200, "", Full, 520, ... 
TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) (200, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0 01548 428 NtClose (200, ... ) == 0x0 01549 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0 01550 428 NtQueryVolumeInformationFile (200, 1233332, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01551 428 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 208, ) }, ... 208, ) == 0x0 01552 428 NtWaitForSingleObject (208, 0, {-1000000, -1}, ... ) == 0x0 01553 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 212, ) }, ... 212, ) == 0x0 01554 428 NtMapViewOfSection (212, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 57344, ) == 0x0 01555 428 NtQueryInformationFile (200, 1233296, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01556 428 NtQueryInformationFile (200, 1233336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01557 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01558 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 01559 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01560 428 NtClose (216, ... ) == 0x0 01561 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01562 428 NtReleaseMutant (208, ... 0x0, ) == 0x0 01563 428 NtClose (200, ... ) == 0x0 01564 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 200, ) }, ... 200, ) == 0x0 01565 428 NtQueryValueKey (200, (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01566 428 NtClose (200, ... ) == 0x0 01567 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01568 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01569 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01570 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == 0x0 01571 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01572 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 216, ) == 0x0 01573 428 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01574 428 NtClose (200, ... ) == 0x0 01575 428 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0 01576 428 NtClose (216, ... ) == 0x0 01577 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01578 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230280, ... 
) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01580 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0 01581 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01582 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 200, ) == 0x0 01583 428 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01584 428 NtClose (216, ... ) == 0x0 01585 428 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0 01586 428 NtClose (200, ... ) == 0x0 01587 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 200, ) }, ... 200, ) == 0x0 01588 428 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 01589 428 NtClose (200, ... ) == 0x0 01590 428 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01592 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 200, ) }, ... 200, ) == 0x0 01593 428 NtQueryValueKey (200, (200, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01594 428 NtQueryValueKey (200, (200, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01595 428 NtClose (200, ... ) == 0x0 01596 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231112, ... ) }, 1231112, ... ) == 0x0 01597 428 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 428 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01599 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 200, ) }, ... 200, ) == 0x0 01600 428 NtQueryValueKey (200, (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01601 428 NtClose (200, ... ) == 0x0 01602 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 200, ) }, ... 200, ) == 0x0 01603 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0 01604 428 NtNotifyChangeKey (200, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01605 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 220, ) }, ... 220, ) == 0x0 01606 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0 01607 428 NtNotifyChangeKey (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01608 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0 01609 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 232, ) }, ... 232, ) == 0x0 01610 428 NtSetInformationObject (232, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 01611 428 NtNotifyChangeKey (232, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... 
) == 0x103 01612 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 236, ) }, ... 236, ) == 0x0 01613 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 01614 428 NtNotifyChangeKey (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01615 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0 01616 428 NtNotifyChangeKey (232, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01617 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0 01618 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0 01619 428 NtNotifyChangeKey (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01620 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0 01621 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0 01622 428 NtNotifyChangeKey (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01623 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0 01624 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0 01625 428 NtNotifyChangeKey (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01626 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 272, ) }, ... 272, ) == 0x0 01627 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01628 428 NtNotifyChangeKey (272, 276, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01629 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 280, ) }, ... 280, ) == 0x0 01630 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0 01631 428 NtNotifyChangeKey (280, 284, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01632 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
288, ) == 0x0 01633 428 NtNotifyChangeKey (232, 288, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01634 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 292, ) }, ... 292, ) == 0x0 01635 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0 01636 428 NtNotifyChangeKey (292, 296, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01637 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 300, ) }, ... 300, ) == 0x0 01638 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0 01639 428 NtNotifyChangeKey (300, 304, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01640 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 308, ) }, ... 308, ) == 0x0 01641 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01642 428 NtNotifyChangeKey (308, 312, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 01643 428 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01644 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 316, ) }, ... 316, ) == 0x0 01645 428 NtQueryValueKey (316, (316, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01646 428 NtClose (316, ... ) == 0x0 01647 428 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0 01648 428 NtAllocateVirtualMemory (-1, 3301376, 0, 4096, 4096, 4, ... 3301376, 4096, ) == 0x0 01649 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01650 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01651 428 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 316, ) }, ... 316, ) == 0x0 01652 428 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01653 428 NtAllocateVirtualMemory (-1, 3305472, 0, 8192, 4096, 4, ... 3305472, 8192, ) == 0x0 01654 428 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01655 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 320, ) }, ... 320, ) == 0x0 01656 428 NtQueryValueKey (320, (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01657 428 NtClose (320, ... ) == 0x0 01658 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01659 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01660 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 1, ... 4128768, 65536, ) == 0x0 01661 428 NtAllocateVirtualMemory (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0 01662 428 NtQueryKey (206, Name, 384, ... 
{Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01663 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01664 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0 01665 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 01666 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01667 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01668 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01669 428 NtClose (324, ... ) == 0x0 01670 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01671 428 NtOpenKey (0x1, {24, 322, 0x40, 0, 0, (0x1, {24, 322, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01672 428 NtClose (322, ... ) == 0x0 01673 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01674 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01675 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0 01676 428 NtQueryKey (322, Name, 384, ... 
{Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 01677 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01678 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01679 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01680 428 NtClose (324, ... ) == 0x0 01681 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01682 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0 01683 428 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0 01684 428 NtQueryKey (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01685 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01686 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01687 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01688 428 NtClose (328, ... ) == 0x0 01689 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01690 428 NtQueryValueKey (326, (326, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01691 428 NtClose (326, ... ) == 0x0 01692 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01693 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01694 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01695 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01696 428 NtClose (324, ... ) == 0x0 01697 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01698 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01699 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01700 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01701 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01702 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01703 428 NtClose (324, ... ) == 0x0 01704 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01705 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01706 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01707 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01708 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01709 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01710 428 NtClose (324, ... ) == 0x0 01711 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01712 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0 01713 428 NtQueryKey (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01714 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01715 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01716 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01717 428 NtClose (328, ... ) == 0x0 01718 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 428 NtQueryValueKey (326, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01720 428 NtClose (326, ... ) == 0x0 01721 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01722 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01723 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
324, ) == 0x0 01724 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01725 428 NtClose (324, ... ) == 0x0 01726 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01727 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01729 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01730 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01731 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01732 428 NtClose (324, ... ) == 0x0 01733 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01734 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01735 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01736 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01737 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01738 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01739 428 NtClose (324, ... 
) == 0x0 01740 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01742 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 01743 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01744 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01745 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01746 428 NtClose (324, ... ) == 0x0 01747 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01748 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01749 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01750 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01751 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0 01752 428 NtQueryKey (326, Name, 392, ... {Name= (326, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 01753 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01754 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01755 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01756 428 NtClose (328, ... ) == 0x0 01757 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01758 428 NtQueryValueKey (326, (326, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01759 428 NtClose (326, ... ) == 0x0 01760 428 NtClose (322, ... ) == 0x0 01761 428 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {424, 0}, ... 320, ) == 0x0 01762 428 NtQueryInformationProcess (320, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01763 428 NtClose (320, ... ) == 0x0 01764 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01765 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0 01767 428 NtClose (322, ... ) == 0x0 01768 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0 01769 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01770 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0 01771 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 01772 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01773 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01774 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01775 428 NtClose (324, ... ) == 0x0 01776 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01777 428 NtOpenKey (0x2000000, {24, 322, 0x40, 0, 0, (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0 01778 428 NtQueryKey (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01779 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01780 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01781 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01782 428 NtClose (328, ... ) == 0x0 01783 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01784 428 NtQueryValueKey (326, (326, "ThreadingModel", Partial, 144, ... 
TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (326, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0 01785 428 NtClose (326, ... ) == 0x0 01786 428 NtClose (322, ... ) == 0x0 01787 428 NtAllocateVirtualMemory (-1, 1462272, 0, 8192, 4096, 4, ... 1462272, 8192, ) == 0x0 01788 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01789 428 NtOpenKey (0x20019, {24, 206, 0x40, 0, 0, (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01790 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0 01791 428 NtQueryKey (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 01792 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01793 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 324, ) == 0x0 01794 428 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01795 428 NtClose (324, ... ) == 0x0 01796 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01797 428 NtOpenKey (0x1, {24, 322, 0x40, 0, 0, (0x1, {24, 322, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01798 428 NtClose (322, ... ) == 0x0 01799 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227504, ... ) }, 1227504, ... 
) == 0x0 01800 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0 01801 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0 01802 428 NtClose (320, ... ) == 0x0 01803 428 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xcf0000), 0x0, 1339392, ) == 0x0 01804 428 NtClose (324, ... ) == 0x0 01805 428 NtUnmapViewOfSection (-1, 0xcf0000, ... ) == 0x0 01806 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227820, ... ) }, 1227820, ... ) == 0x0 01807 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0 01808 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0 01809 428 NtQuerySection (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01810 428 NtClose (324, ... ) == 0x0 01811 428 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0 01812 428 NtClose (320, ... ) == 0x0 01813 428 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 01814 428 NtQueryDefaultUILanguage (1226184, ... 01815 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01816 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482052, ) == 0x0 01817 428 NtQueryInformationToken (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01818 428 NtClose (-2147482052, ... ) == 0x0 01819 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... 
-2147482052, ) == 0x0 01820 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01821 428 NtOpenKey (0x80000000, {24, -2147482052, 0x640, 0, 0, (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0 01822 428 NtQueryValueKey (-2147482056, (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01823 428 NtClose (-2147482056, ... ) == 0x0 01824 428 NtClose (-2147482052, ... ) == 0x0 01814 428 NtQueryDefaultUILanguage ... ) == 0x0 01825 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01826 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 320, {status=0x0, info=1}, ) }, 1, 96, ... 320, {status=0x0, info=1}, ) == 0x0 01827 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 320, ... 324, ) == 0x0 01828 428 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xcf0000), 0x0, 1339392, ) == 0x0 01829 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 428 NtQueryDefaultLocale (1, 1224220, ... ) == 0x0 01831 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01832 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\332\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1512, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\332\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 424, 428, 1512, 0} (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\332\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 424, 428, 1512, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\332\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ) ) == 0x0 01833 428 NtClose (320, ... ) == 0x0 01834 428 NtClose (324, ... ) == 0x0 01835 428 NtUnmapViewOfSection (-1, 0xcf0000, ... ) == 0x0 01836 428 NtUnmapViewOfSection (-1, 0x12b874, ... ) == STATUS_NOT_MAPPED_VIEW 01837 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01838 428 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01839 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01840 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01841 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222760, ... ) }, 1222760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01842 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01843 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01844 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01845 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223352, ... ) }, 1223352, ... ) == 0x0 01846 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 324, {status=0x0, info=1}, ) }, 3, 33, ... 324, {status=0x0, info=1}, ) == 0x0 01847 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01848 428 NtUserFindExistingCursorIcon (1227304, 1227320, 1227888, ... ) == 0x10011 01849 428 NtUserRegisterClassExWOW (1227756, 1227836, 1227820, 1227852, 0, 384, 0, ... ) == 0x810d0000 01850 428 NtUserGetClassInfo (1905590272, 1227920, 1227872, 1227948, 0, ... ) == 0xc05f 01851 428 NtGdiCreateHalftonePalette (0, ... ) == 0x8080407 01852 428 NtGdiDoPalette (134743047, 0, 256, 1227012, 2, 0, ... ) == 0x100 01853 428 NtGdiDeleteObjectApp (134743047, ... ) == 0x1 01854 428 NtGdiCreateCompatibleDC (0, ... ) == 0x9010407 01855 428 NtGdiCreatePaletteInternal (1227008, 256, ... ) == 0x9080408 01856 428 NtGdiDeleteObjectApp (151061511, ... ) == 0x1 01857 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0 01858 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01859 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 320, ) }, ... 320, ) == 0x0 01860 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0 01861 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01862 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01863 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01864 428 NtClose (328, ... ) == 0x0 01865 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01866 428 NtQueryValueKey (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 01867 428 NtClose (322, ... ) == 0x0 01868 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01869 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01870 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0 01871 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01872 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01873 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01874 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01875 428 NtClose (328, ... ) == 0x0 01876 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01877 428 NtQueryValueKey (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 01878 428 NtClose (322, ... ) == 0x0 01879 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01880 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0 01882 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01883 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01884 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01885 428 NtQueryInformationToken (328, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01886 428 NtClose (328, ... ) == 0x0 01887 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01888 428 NtQueryValueKey (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 01889 428 NtClose (322, ... ) == 0x0 01890 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01891 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01892 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0 01893 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01894 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01895 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01896 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01897 428 NtClose (328, ... ) == 0x0 01898 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01899 428 NtQueryValueKey (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 01900 428 NtClose (322, ... ) == 0x0 01901 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01902 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0 01904 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01905 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01906 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01907 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01908 428 NtClose (328, ... ) == 0x0 01909 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01910 428 NtQueryValueKey (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 01911 428 NtClose (322, ... 
) == 0x0 01912 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01913 428 NtAllocateVirtualMemory (-1, 1470464, 0, 12288, 4096, 4, ... 1470464, 12288, ) == 0x0 01914 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 01915 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01916 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0 01917 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 01918 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01919 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01920 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01921 428 NtClose (328, ... ) == 0x0 01922 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 428 NtQueryValueKey (322, (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01924 428 NtClose (322, ... ) == 0x0 01925 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01926 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01927 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0 01928 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0 01929 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01930 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01931 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01932 428 NtClose (328, ... ) == 0x0 01933 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01934 428 NtQueryValueKey (322, (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01935 428 NtClose (322, ... ) == 0x0 01936 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01937 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01938 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 320, ) }, ... 
320, ) == 0x0 01939 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0 01940 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01941 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01942 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01943 428 NtClose (328, ... ) == 0x0 01944 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01945 428 NtQueryValueKey (322, (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01946 428 NtClose (322, ... ) == 0x0 01947 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01948 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01949 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0 01950 428 NtQueryKey (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 01951 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01952 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 328, ) == 0x0 01953 428 NtQueryInformationToken (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01954 428 NtClose (328, ... 
) == 0x0 01955 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01956 428 NtQueryValueKey (322, (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01957 428 NtClose (322, ... ) == 0x0 01958 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 320, ) }, ... 320, ) == 0x0 01959 428 NtEnumerateValueKey (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0 01960 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01961 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01962 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 328, ) }, ... 328, ) == 0x0 01963 428 NtQueryKey (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01964 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01965 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 332, ) == 0x0 01966 428 NtQueryInformationToken (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01967 428 NtClose (332, ... 
) == 0x0 01968 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01969 428 NtQueryValueKey (330, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (330, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 01970 428 NtQueryKey (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01971 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01972 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 332, ) == 0x0 01973 428 NtQueryInformationToken (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01974 428 NtClose (332, ... ) == 0x0 01975 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01976 428 NtQueryValueKey (330, (330, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01977 428 NtClose (330, ... ) == 0x0 01978 428 NtEnumerateValueKey (320, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01979 428 NtClose (320, ... ) == 0x0 01980 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01981 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01982 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1232464, ... ) }, 1232464, ... ) == 0x0 01983 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01984 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01985 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0 01986 428 NtQueryValueKey (320, (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0 01987 428 NtClose (320, ... ) == 0x0 01988 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01989 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01990 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1233492, ... ) }, 1233492, ... ) == 0x0 01991 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01992 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01993 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0 01994 428 NtQueryValueKey (320, (320, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01995 428 NtQueryValueKey (320, (320, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (320, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01996 428 NtClose (320, ... ) == 0x0 01997 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01998 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0 01999 428 NtQueryValueKey (320, (320, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02000 428 NtClose (320, ... ) == 0x0 02001 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02002 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02003 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02004 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02005 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02006 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02007 428 NtQueryDefaultLocale (1, 1233780, ... 
) == 0x0 02008 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02009 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02010 428 NtQueryDefaultLocale (1, 1233780, ... ) == 0x0 02011 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 320, ) }, ... 320, ) == 0x0 02012 428 NtEnumerateKey (320, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 02013 428 NtOpenKey (0x20019, {24, 320, 0x40, 0, 0, (0x20019, {24, 320, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 328, ) }, ... 328, ) == 0x0 02014 428 NtQueryValueKey (328, (328, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (328, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 02015 428 NtQueryValueKey (328, (328, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (328, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02016 428 NtClose (328, ... ) == 0x0 02017 428 NtEnumerateKey (320, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 02018 428 NtClose (320, ... 
) == 0x0 02019 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02020 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02021 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02022 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02023 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02024 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02025 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02026 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02027 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02028 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02029 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02030 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02031 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02032 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02033 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02034 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02035 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02036 428 NtClose (320, ... ) == 0x0 02037 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02038 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02039 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02040 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02041 428 NtClose (320, ... 
) == 0x0 02042 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02043 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02044 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02045 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02046 428 NtClose (320, ... ) == 0x0 02047 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02048 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02049 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02050 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02051 428 NtClose (320, ... ) == 0x0 02052 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02053 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02054 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02055 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02056 428 NtClose (320, ... ) == 0x0 02057 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02058 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02059 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02060 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02061 428 NtClose (320, ... ) == 0x0 02062 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02063 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02064 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02065 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02066 428 NtClose (320, ... ) == 0x0 02067 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02068 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02069 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02070 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02071 428 NtClose (320, ... ) == 0x0 02072 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02073 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02074 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02075 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02076 428 NtClose (320, ... 
) == 0x0 02077 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02078 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02079 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02080 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02081 428 NtClose (320, ... ) == 0x0 02082 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02083 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02084 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02085 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02086 428 NtClose (320, ... ) == 0x0 02087 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02088 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02089 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02090 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02091 428 NtClose (320, ... ) == 0x0 02092 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02093 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02094 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02095 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02096 428 NtClose (320, ... ) == 0x0 02097 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02098 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02099 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02100 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02101 428 NtClose (320, ... ) == 0x0 02102 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02103 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02104 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02105 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02106 428 NtClose (320, ... ) == 0x0 02107 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02108 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0 02109 428 NtQueryValueKey (320, (320, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (320, "DefaultLevel", Full, 524, ... 
TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (320, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 02110 428 NtClose (320, ... ) == 0x0 02111 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02112 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02113 428 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02114 428 NtClose (320, ... ) == 0x0 02115 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02116 428 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 02117 428 NtOpenProcessToken (-1, 0xa, ... 320, ) == 0x0 02118 428 NtDuplicateToken (320, 0xc, {24, 0, 0x0, 0, 1234300, 0x0}, 0, 2, ... 328, ) == 0x0 02119 428 NtClose (320, ... ) == 0x0 02120 428 NtAccessCheck (1471600, 328, 0x1, 1234428, 1234372, 56, 1234456, ... (0x1), ) == 0x0 02121 428 NtClose (328, ... ) == 0x0 02122 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 328, ) }, ... 328, ) == 0x0 02123 428 NtQueryValueKey (328, (328, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (328, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02124 428 NtClose (328, ... ) == 0x0 02125 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234316, (0x80100080, {24, 0, 0x40, 0, 1234316, "\??\u:\work\czdddn.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0 02126 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 320, ) }, ... 
320, ) == 0x0 02127 428 NtQuerySymbolicLinkObject (320, ... (320, ... "\Device\WinDfs\U:000000000000900e", 66, ) , 66, ) == 0x0 02128 428 NtClose (320, ... ) == 0x0 02129 428 NtQueryInformationFile (328, 1232760, 528, Name, ... {status=0x0, info=72}, ) == 0x0 02130 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02131 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02132 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\czdddn.bat"}, 1231440, ... ) }, 1231440, ... ) == 0x0 02133 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 02134 428 NtQueryDirectoryFile (320, 0, 0, 0, 1230800, 616, BothDirectory, 1, (320, 0, 0, 0, 1230800, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 02135 428 NtClose (320, ... ) == 0x0 02136 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 02137 428 NtQueryDirectoryFile (320, 0, 0, 0, 1230800, 616, BothDirectory, 1, (320, 0, 0, 0, 1230800, 616, BothDirectory, 1, "czdddn.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 02138 428 NtClose (320, ... ) == 0x0 02139 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02140 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02141 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02142 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02143 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == 0x0 02145 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0 02146 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 320, ... 332, ) == 0x0 02147 428 NtQuerySection (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02148 428 NtClose (320, ... ) == 0x0 02149 428 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 02150 428 NtClose (332, ... ) == 0x0 02151 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 332, ) }, ... 332, ) == 0x0 02152 428 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 02153 428 NtClose (332, ... ) == 0x0 02154 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02155 428 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 13565952, 262144, ) == 0x0 02156 428 NtAllocateVirtualMemory (-1, 13565952, 0, 4096, 4096, 4, ... 13565952, 4096, ) == 0x0 02157 428 NtAllocateVirtualMemory (-1, 13570048, 0, 8192, 4096, 4, ... 
13570048, 8192, ) == 0x0 02158 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02159 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13828096, 1048576, ) == 0x0 02160 428 NtAllocateVirtualMemory (-1, 13828096, 0, 1048576, 4096, 4, ... 13828096, 1048576, ) == 0x0 02161 428 NtCreateMutant (0x1f0001, 0x0, 0, ... 332, ) == 0x0 02162 428 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 320, ) == 0x0 02163 428 NtCreateMutant (0x1f0001, 0x0, 0, ... 336, ) == 0x0 02164 428 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 340, ) == 0x0 02165 428 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 344, ) == 0x0 02166 428 NtSetEvent (344, ... 0x0, ) == 0x0 02167 428 NtSetInformationFile (328, 1234200, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02168 428 NtReadFile (328, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, (328, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0 02169 428 NtWaitForSingleObject (332, 0, 0x0, ... ) == 0x0 02170 428 NtClearEvent (320, ... ) == 0x0 02171 428 NtReleaseMutant (332, ... 0x0, ) == 0x0 02172 428 NtWaitForSingleObject (332, 0, 0x0, ... ) == 0x0 02173 428 NtSetEvent (320, ... 0x0, ) == 0x0 02174 428 NtReleaseMutant (332, ... 0x0, ) == 0x0 02175 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02176 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02177 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0 02178 428 NtClose (348, ... ) == 0x0 02179 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02180 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02181 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02182 428 NtClose (348, ... ) == 0x0 02183 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02184 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02185 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0 02186 428 NtClose (348, ... ) == 0x0 02187 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02188 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02189 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0 02190 428 NtClose (348, ... ) == 0x0 02191 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02192 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02193 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... 
TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0 02194 428 NtClose (348, ... ) == 0x0 02195 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02196 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02197 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0 02198 428 NtClose (348, ... ) == 0x0 02199 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02200 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0 02201 428 NtQueryValueKey (348, (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02202 428 NtQueryValueKey (348, (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0 02203 428 NtClose (348, ... ) == 0x0 02204 428 NtWaitForMultipleObjects (2, (332, 320, ), 0, 0, 0x0, ... ) == 0x0 02205 428 NtReleaseMutant (332, ... 0x0, ) == 0x0 02206 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02207 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 348, ) == 0x0 02208 428 NtQueryInformationToken (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02209 428 NtClose (348, ... ) == 0x0 02210 428 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0 02211 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 428 NtClose (348, ... ) == 0x0 02213 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 348, ) }, ... 348, ) == 0x0 02214 428 NtQueryValueKey (348, (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02215 428 NtQueryValueKey (348, (348, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02216 428 NtQueryValueKey (348, (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02217 428 NtQueryValueKey (348, (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02218 428 NtClose (348, ... ) == 0x0 02219 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 348, ) }, ... 348, ) == 0x0 02220 428 NtQueryValueKey (348, (348, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02221 428 NtQueryValueKey (348, (348, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02222 428 NtQueryValueKey (348, (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02223 428 NtQueryValueKey (348, (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02224 428 NtQueryValueKey (348, (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02225 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231488, ... ) }, 1231488, ... ) == 0x0 02226 428 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 352, ) }, ... 
352, ) == 0x0 02227 428 NtQueryValueKey (352, (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02228 428 NtQueryValueKey (352, (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02229 428 NtQueryValueKey (352, (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02230 428 NtQueryValueKey (352, (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02231 428 NtClose (352, ... 
) == 0x0 02232 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 428 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 02234 428 NtOpenProcessToken (-1, 0x8, ... 352, ) == 0x0 02235 428 NtQueryInformationToken (352, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 02236 428 NtClose (352, ... ) == 0x0 02237 428 NtClose (348, ... ) == 0x0 02238 428 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02239 428 NtOpenProcessToken (-1, 0x8, ... 348, ) == 0x0 02240 428 NtQueryInformationToken (348, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02241 428 NtClose (348, ... ) == 0x0 02242 428 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0 02243 428 NtCreateKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0 02244 428 NtClose (348, ... ) == 0x0 02245 428 NtQueryValueKey (352, (352, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0 02246 428 NtClose (352, ... ) == 0x0 02247 428 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02248 428 NtOpenProcessToken (-1, 0x8, ... 352, ) == 0x0 02249 428 NtQueryInformationToken (352, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02250 428 NtClose (352, ... ) == 0x0 02251 428 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 
352, ) == 0x0 02252 428 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 348, ) }, ... 348, ) == 0x0 02253 428 NtClose (352, ... ) == 0x0 02254 428 NtQueryValueKey (348, (348, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0 02255 428 NtClose (348, ... ) == 0x0 02256 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02257 428 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02258 428 NtOpenProcessToken (-1, 0x8, ... 348, ) == 0x0 02259 428 NtQueryInformationToken (348, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02260 428 NtClose (348, ... ) == 0x0 02261 428 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0 02262 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02263 428 NtClose (348, ... ) == 0x0 02264 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02265 428 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 328, ... 348, ) == 0x0 02266 428 NtMapViewOfSection (348, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe30000), {0, 0}, 4096, ) == 0x0 02267 428 NtClose (348, ... ) == 0x0 02268 428 NtQueryInformationFile (328, 1233704, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 02269 428 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02270 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0 02271 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0 02272 428 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 356, ) }, ... 356, ) == 0x0 02273 428 NtEnumerateKey (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0 02274 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 360, ) }, ... 360, ) == 0x0 02275 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02276 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0 02277 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0 02278 428 NtClose (360, ... ) == 0x0 02279 428 NtEnumerateKey (356, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02280 428 NtClose (356, ... ) == 0x0 02281 428 NtClose (352, ... 
) == 0x0 02282 428 NtClose (348, ... ) == 0x0 02283 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0 02284 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0 02285 428 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 356, ) }, ... 356, ) == 0x0 02286 428 NtEnumerateKey (356, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0 02287 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 360, ) }, ... 360, ) == 0x0 02288 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02289 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0 02290 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0 02291 428 NtClose (360, ... ) == 0x0 02292 428 NtEnumerateKey (356, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (356, 1, Basic, 288, ... 
{LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02293 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 360, ) }, ... 360, ) == 0x0 02294 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02295 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02296 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02297 428 NtClose (360, ... ) == 0x0 02298 428 NtEnumerateKey (356, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (356, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0 02299 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 360, ) }, ... 360, ) == 0x0 02300 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02301 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02302 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02303 428 NtClose (360, ... ) == 0x0 02304 428 NtEnumerateKey (356, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (356, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02305 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 360, ) }, ... 360, ) == 0x0 02306 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02307 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02308 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02309 428 NtClose (360, ... ) == 0x0 02310 428 NtEnumerateKey (356, 4, Basic, 288, ... 
) == STATUS_NO_MORE_ENTRIES 02311 428 NtClose (356, ... ) == 0x0 02312 428 NtClose (352, ... ) == 0x0 02313 428 NtClose (348, ... ) == 0x0 02314 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0 02315 428 NtEnumerateKey (348, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (348, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0 02316 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0 02317 428 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 356, ) }, ... 356, ) == 0x0 02318 428 NtEnumerateKey (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0 02319 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 360, ) }, ... 360, ) == 0x0 02320 428 NtQueryKey (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02321 428 NtEnumerateValueKey (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0 02322 428 NtEnumerateValueKey (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (360, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0 02323 428 NtClose (360, ... ) == 0x0 02324 428 NtEnumerateKey (356, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02325 428 NtClose (356, ... ) == 0x0 02326 428 NtClose (352, ... ) == 0x0 02327 428 NtEnumerateKey (348, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (348, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0 02328 428 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 1"}, ... 352, ) }, ... 352, ) == 0x0 02329 428 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02330 428 NtClose (352, ... ) == 0x0 02331 428 NtEnumerateKey (348, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02332 428 NtClose (348, ... ) == 0x0 02333 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0 02334 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02335 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 348, ... 352, ) == 0x0 02336 428 NtClose (348, ... ) == 0x0 02337 428 NtMapViewOfSection (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 16384, ) == 0x0 02338 428 NtClose (352, ... ) == 0x0 02339 428 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02340 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0 02341 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 
352, {status=0x0, info=1}, ) == 0x0 02342 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 352, ... 348, ) == 0x0 02343 428 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02344 428 NtClose (352, ... ) == 0x0 02345 428 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0 02346 428 NtClose (348, ... ) == 0x0 02347 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230808, ... ) }, 1230808, ... ) == 0x0 02348 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 02349 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15007744, 1048576, ) == 0x0 02350 428 NtAllocateVirtualMemory (-1, 16048128, 0, 8192, 4096, 4, ... 16048128, 8192, ) == 0x0 02351 428 NtProtectVirtualMemory (-1, (0xf4e000), 4096, 260, ... (0xf4e000), 4096, 4, ) == 0x0 02352 428 NtCreateThread (0x1f03ff, 0x0, -1, 1232756, 1233472, 1, ... 352, {424, 920}, ) == 0x0 02353 428 NtQueryInformationThread (352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=424,Tid=920,}, 0x0, ) == 0x0 02354 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 13} (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0`\1\0\0\250\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 424, 428, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0`\1\0\0\250\1\0\0\230\3\0\0" ) ... {28, 56, reply, 0, 424, 428, 1513, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0`\1\0\0\250\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 424, 428, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0`\1\0\0\250\1\0\0\230\3\0\0" ) ) == 0x0 02355 428 NtResumeThread (352, ... 1, ) == 0x0 02356 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 356, ) }, ... 356, ) == 0x0 02357 920 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02358 920 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02359 920 NtTestAlert (... ) == 0x0 02360 920 NtContinue (16055600, 1, ... 02361 920 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02362 920 NtWaitForMultipleObjects (1, (348, ), 1, 0, {-150000000, -1}, ... 02363 428 NtEnumerateKey (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0 02364 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "EncodingType 0"}, ... 360, ) }, ... 360, ) == 0x0 02365 428 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 364, ) }, ... 364, ) == 0x0 02366 428 NtEnumerateKey (364, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (364, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0 02367 428 NtOpenKey (0x20019, {24, 364, 0x40, 0, 0, (0x20019, {24, 364, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 368, ) }, ... 368, ) == 0x0 02368 428 NtQueryKey (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02369 428 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0 02370 428 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (368, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0 02371 428 NtClose (368, ... ) == 0x0 02372 428 NtEnumerateKey (364, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (364, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02373 428 NtOpenKey (0x20019, {24, 364, 0x40, 0, 0, (0x20019, {24, 364, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 368, ) }, ... 368, ) == 0x0 02374 428 NtQueryKey (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02375 428 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02376 428 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02377 428 NtClose (368, ... ) == 0x0 02378 428 NtEnumerateKey (364, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (364, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0 02379 428 NtOpenKey (0x20019, {24, 364, 0x40, 0, 0, (0x20019, {24, 364, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 368, ) }, ... 368, ) == 0x0 02380 428 NtQueryKey (368, 4, 176, ... 
{key info, class 4, size 40}, 40, ) == 0x0 02381 428 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02382 428 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02383 428 NtClose (368, ... ) == 0x0 02384 428 NtEnumerateKey (364, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (364, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02385 428 NtOpenKey (0x20019, {24, 364, 0x40, 0, 0, (0x20019, {24, 364, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 368, ) }, ... 368, ) == 0x0 02386 428 NtQueryKey (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02387 428 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02388 428 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02389 428 NtClose (368, ... ) == 0x0 02390 428 NtEnumerateKey (364, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02391 428 NtClose (364, ... ) == 0x0 02392 428 NtClose (360, ... ) == 0x0 02393 428 NtEnumerateKey (356, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (356, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0 02394 428 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "EncodingType 1"}, ... 360, ) }, ... 360, ) == 0x0 02395 428 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02396 428 NtClose (360, ... ) == 0x0 02397 428 NtEnumerateKey (356, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02398 428 NtClose (356, ... ) == 0x0 02399 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02400 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02401 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02402 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == 0x0 02403 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 
356, {status=0x0, info=1}, ) == 0x0 02404 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 356, ... 360, ) == 0x0 02405 428 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02406 428 NtClose (356, ... ) == 0x0 02407 428 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0 02408 428 NtClose (360, ... ) == 0x0 02409 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02410 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14876672, 65536, ) == 0x0 02411 428 NtAllocateVirtualMemory (-1, 14876672, 0, 4096, 4096, 4, ... 14876672, 4096, ) == 0x0 02412 428 NtAllocateVirtualMemory (-1, 14880768, 0, 8192, 4096, 4, ... 14880768, 8192, ) == 0x0 02413 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231128, ... ) }, 1231128, ... ) == 0x0 02414 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 02415 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 356, ) == 0x0 02416 428 NtClose (360, ... ) == 0x0 02417 428 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf50000), 0x0, 262144, ) == 0x0 02418 428 NtClose (356, ... ) == 0x0 02419 428 NtUnmapViewOfSection (-1, 0xf50000, ... ) == 0x0 02420 428 NtAllocateLocallyUniqueId (... {66226, 0}, ) == 0x0 02421 428 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 02422 428 NtOpenProcessToken (-1, 0x20008, ... 356, ) == 0x0 02423 428 NtQueryInformationToken (356, User, 52, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02424 428 NtClose (356, ... ) == 0x0 02425 428 NtCreateSection (0xf0007, {24, 52, 0x80, 1232448, 0, (0xf0007, {24, 52, 0x80, 1232448, 0, "DfSharedHeap102B2"}, {4194304, 0}, 4, 67108864, 0, ... 356, ) }, {4194304, 0}, 4, 67108864, 0, ... 356, ) == 0x0 02426 428 NtMapViewOfSection (356, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xf50000), {0, 0}, 4194304, ) == 0x0 02427 428 NtAllocateVirtualMemory (-1, 16056320, 0, 16376, 4096, 4, ... 16056320, 16384, ) == 0x0 02428 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1229964, (0x80100080, {24, 0, 0x40, 0, 1229964, "\??\UNC\missouri\binaries\work\czdddn.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) == 0x0 02429 428 NtReadFile (360, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=122}, (360, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=122}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del czdddn.bat\15\12", ) , ) == 0x0 02430 428 NtClose (360, ... ) == 0x0 02431 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0 02432 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 02433 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 364, ) == 0x0 02434 428 NtClose (360, ... ) == 0x0 02435 428 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1350000), 0x0, 69632, ) == 0x0 02436 428 NtClose (364, ... ) == 0x0 02437 428 NtUnmapViewOfSection (-1, 0x1350000, ... ) == 0x0 02438 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231548, ... ) }, 1231548, ... 
) == 0x0 02439 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02440 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 02441 428 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02442 428 NtClose (364, ... ) == 0x0 02443 428 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0 02444 428 NtClose (360, ... ) == 0x0 02445 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 360, ) }, ... 360, ) == 0x0 02446 428 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 02447 428 NtClose (360, ... ) == 0x0 02448 428 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02449 428 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02450 428 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 02451 428 NtProtectVirtualMemory (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0 02452 428 NtProtectVirtualMemory (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0 02453 428 NtFlushInstructionCache (-1, 1961533440, 672, ... ) == 0x0 02454 428 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 02455 428 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 02456 428 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 02457 428 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02458 428 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02459 428 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02460 428 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... 
) == 0xc071 02461 428 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02462 428 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02463 428 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02464 428 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02465 428 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02466 428 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02467 428 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 02468 428 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02469 428 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02470 428 NtOpenProcessToken (-1, 0x8, ... 360, ) == 0x0 02471 428 NtQueryInformationToken (360, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02472 428 NtClose (360, ... ) == 0x0 02473 428 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 02474 428 NtReleaseMutant (16, ... 02475 428 NtContinue (-130580344, 0, ... 02474 428 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 02476 428 NtQueryDefaultLocale (1, 1230228, ... ) == 0x0 02477 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02478 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02479 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02480 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02481 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02482 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02483 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02484 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02485 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02486 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02487 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02488 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02489 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02490 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02491 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02492 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02493 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02494 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02495 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02496 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02497 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02498 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02499 428 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 02500 428 NtReleaseMutant (16, ... 02501 428 NtContinue (-130580344, 0, ... 02500 428 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 02502 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02503 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02504 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02505 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02506 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02507 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02508 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02509 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02510 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02511 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02512 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02513 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02514 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 360, ) == 0x0 02515 428 NtQueryInformationToken (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02516 428 NtClose (360, ... ) == 0x0 02517 428 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 360, ) }, ... 
360, ) == 0x0 02518 428 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 364, ) }, ... 364, ) == 0x0 02519 428 NtClose (360, ... ) == 0x0 02520 428 NtQueryValueKey (364, (364, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02521 428 NtQueryValueKey (364, (364, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (364, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 02522 428 NtClose (364, ... ) == 0x0 02523 428 NtClose (328, ... ) == 0x0 02524 428 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 20250624, 4096, ) == 0x0 02525 428 NtAllocateVirtualMemory (-1, 20250624, 0, 4096, 4096, 4, ... 20250624, 4096, ) == 0x0 02526 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 328, ) }, ... 328, ) == 0x0 02527 428 NtQueryValueKey (328, (328, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02528 428 NtClose (328, ... ) == 0x0 02529 428 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02530 428 NtOpenThreadToken (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN 02531 428 NtOpenProcessToken (-1, 0x2000a, ... 
328, ) == 0x0 02532 428 NtQueryInformationToken (328, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 02533 428 NtQueryInformationToken (328, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 02534 428 NtClose (328, ... ) == 0x0 02535 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02536 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 02537 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 02538 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02539 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 328, ) }, ... 328, ) == 0x0 02540 428 NtQueryValueKey (328, (328, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02541 428 NtClose (328, ... ) == 0x0 02542 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 02543 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 02544 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02545 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 328, ) }, ... 328, ) == 0x0 02546 428 NtQueryValueKey (328, (328, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02547 428 NtClose (328, ... ) == 0x0 02548 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0 02549 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02550 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 328, ) }, ... 328, ) == 0x0 02551 428 NtQueryKey (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02552 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02553 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 364, ) == 0x0 02554 428 NtQueryInformationToken (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02555 428 NtClose (364, ... ) == 0x0 02556 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02557 428 NtQueryValueKey (330, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (330, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02558 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230836, ... ) }, 1230836, ... ) == 0x0 02559 428 NtClose (330, ... ) == 0x0 02560 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02561 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 328, {status=0x0, info=1}, ) }, 3, 96, ... 
328, {status=0x0, info=1}, ) == 0x0 02562 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 364, ) }, ... 364, ) == 0x0 02563 428 NtQuerySymbolicLinkObject (364, ... (364, ... "\Device\WinDfs\U:000000000000900e", 66, ) , 66, ) == 0x0 02564 428 NtClose (364, ... ) == 0x0 02565 428 NtQueryVolumeInformationFile (328, 1234188, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02566 428 NtClose (328, ... ) == 0x0 02567 428 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 02568 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 328, ) }, ... 328, ) == 0x0 02569 428 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 364, ) }, ... 364, ) == 0x0 02570 428 NtQueryValueKey (364, (364, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 02571 428 NtQueryValueKey (364, (364, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 02572 428 NtClose (364, ... ) == 0x0 02573 428 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 364, ) }, ... 
364, ) == 0x0 02574 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 02575 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 02576 428 NtQueryValueKey (364, (364, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02577 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02578 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02579 428 NtClose (364, ... ) == 0x0 02580 428 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 
364, ) }, ... 364, ) == 0x0 02581 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 02582 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 02583 428 NtQueryValueKey (364, (364, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02584 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 02585 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 02586 428 NtClose (364, ... 
) == 0x0 02587 428 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 364, ) }, ... 364, ) == 0x0 02588 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 02589 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 02590 428 NtQueryValueKey (364, (364, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02591 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02592 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02593 428 NtClose (364, ... 
) == 0x0 02594 428 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 364, ) }, ... 364, ) == 0x0 02595 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 02596 428 NtQueryValueKey (364, (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 02597 428 NtQueryValueKey (364, (364, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02598 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 02599 428 NtQueryValueKey (364, (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 02600 428 NtClose (364, ... ) == 0x0 02601 428 NtClose (328, ... ) == 0x0 02602 428 NtQueryDefaultLocale (1, 1233740, ... ) == 0x0 02603 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231752, ... 
) }, 1231752, ... ) == 0x0 02604 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02605 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 328, ... 364, ) == 0x0 02606 428 NtClose (328, ... ) == 0x0 02607 428 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1360000), 0x0, 12288, ) == 0x0 02608 428 NtClose (364, ... ) == 0x0 02609 428 NtUnmapViewOfSection (-1, 0x1360000, ... ) == 0x0 02610 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 02611 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02612 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 328, ) == 0x0 02613 428 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02614 428 NtClose (364, ... ) == 0x0 02615 428 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0 02616 428 NtClose (328, ... ) == 0x0 02617 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0 02618 428 NtQueryValueKey (328, (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 02619 428 NtClose (328, ... 
) == 0x0 02620 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0 02621 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02622 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 328, ... 364, ) == 0x0 02623 428 NtClose (328, ... ) == 0x0 02624 428 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1360000), 0x0, 40960, ) == 0x0 02625 428 NtClose (364, ... ) == 0x0 02626 428 NtUnmapViewOfSection (-1, 0x1360000, ... ) == 0x0 02627 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 02628 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02629 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 328, ) == 0x0 02630 428 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02631 428 NtClose (364, ... ) == 0x0 02632 428 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0 02633 428 NtClose (328, ... ) == 0x0 02634 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02635 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0 02636 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02637 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 
364, ) == 0x0 02638 428 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02639 428 NtClose (328, ... ) == 0x0 02640 428 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0 02641 428 NtClose (364, ... ) == 0x0 02642 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02643 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0 02644 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02645 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 328, ) == 0x0 02646 428 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02647 428 NtClose (364, ... ) == 0x0 02648 428 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0 02649 428 NtClose (328, ... ) == 0x0 02650 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02651 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0 02652 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02653 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 364, ) == 0x0 02654 428 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02655 428 NtClose (328, ... ) == 0x0 02656 428 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0 02657 428 NtClose (364, ... 
) == 0x0 02658 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02659 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0 02660 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02661 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 328, ) == 0x0 02662 428 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02663 428 NtClose (364, ... ) == 0x0 02664 428 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 02665 428 NtClose (328, ... ) == 0x0 02666 428 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 328, ) }, ... 328, ) == 0x0 02667 428 NtQueryValueKey (328, (328, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02668 428 NtAllocateVirtualMemory (-1, 3313664, 0, 4096, 4096, 4, ... 3313664, 4096, ) == 0x0 02669 428 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 364, ) == 0x0 02670 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0 02671 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 02672 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 368, ) == 0x0 02673 428 NtClose (360, ... ) == 0x0 02674 428 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0x1360000), 0x0, 24576, ) == 0x0 02675 428 NtClose (368, ... ) == 0x0 02676 428 NtUnmapViewOfSection (-1, 0x1360000, ... ) == 0x0 02677 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 02678 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0 02679 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 360, ) == 0x0 02680 428 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02681 428 NtClose (368, ... ) == 0x0 02682 428 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 02683 428 NtClose (360, ... ) == 0x0 02684 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 360, ) }, ... 360, ) == 0x0 02685 428 NtQueryValueKey (360, (360, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 02686 428 NtClose (360, ... ) == 0x0 02687 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02688 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02689 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 02690 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02691 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == 0x0 02692 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 02693 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 368, ) == 0x0 02694 428 NtClose (360, ... ) == 0x0 02695 428 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1360000), 0x0, 122880, ) == 0x0 02696 428 NtClose (368, ... ) == 0x0 02697 428 NtUnmapViewOfSection (-1, 0x1360000, ... ) == 0x0 02698 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02699 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02700 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02701 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02702 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == 0x0 02703 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 
368, {status=0x0, info=1}, ) == 0x0 02704 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 360, ) == 0x0 02705 428 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02706 428 NtClose (368, ... ) == 0x0 02707 428 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1360000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE 02708 428 NtProtectVirtualMemory (-1, (0x1361000), 81920, 4, ... (0x1361000), 81920, 32, ) == 0x0 02709 428 NtProtectVirtualMemory (-1, (0x1375000), 12288, 4, ... (0x1375000), 12288, 2, ) == 0x0 02710 428 NtProtectVirtualMemory (-1, (0x137e000), 8192, 4, ... (0x137e000), 8192, 2, ) == 0x0 02711 428 NtMapViewOfSection (360, -1, (0x1360000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 02712 428 NtProtectVirtualMemory (-1, (0x1361000), 81920, 16, ... (0x1361000), 81920, 4, ) == 0x0 02713 428 NtProtectVirtualMemory (-1, (0x1375000), 12288, 2, ... (0x1375000), 12288, 4, ) == 0x0 02714 428 NtProtectVirtualMemory (-1, (0x137e000), 8192, 2, ... (0x137e000), 8192, 8, ) == 0x0 02715 428 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 02716 428 NtClose (360, ... ) == 0x0 02717 428 NtProtectVirtualMemory (-1, (0x1375000), 416, 4, ... (0x1375000), 4096, 2, ) == 0x0 02718 428 NtProtectVirtualMemory (-1, (0x1375000), 4096, 2, ... (0x1375000), 4096, 4, ) == 0x0 02719 428 NtFlushInstructionCache (-1, 20402176, 416, ... ) == 0x0 02720 428 NtProtectVirtualMemory (-1, (0x1375000), 416, 4, ... (0x1375000), 4096, 2, ) == 0x0 02721 428 NtProtectVirtualMemory (-1, (0x1375000), 4096, 2, ... (0x1375000), 4096, 4, ) == 0x0 02722 428 NtFlushInstructionCache (-1, 20402176, 416, ... ) == 0x0 02723 428 NtProtectVirtualMemory (-1, (0x1375000), 416, 4, ... (0x1375000), 4096, 2, ) == 0x0 02724 428 NtProtectVirtualMemory (-1, (0x1375000), 4096, 2, ... (0x1375000), 4096, 4, ) == 0x0 02725 428 NtFlushInstructionCache (-1, 20402176, 416, ... ) == 0x0 02726 428 NtProtectVirtualMemory (-1, (0x1375000), 416, 4, ... 
(0x1375000), 4096, 2, ) == 0x0 02727 428 NtProtectVirtualMemory (-1, (0x1375000), 4096, 2, ... (0x1375000), 4096, 4, ) == 0x0 02728 428 NtFlushInstructionCache (-1, 20402176, 416, ... ) == 0x0 02729 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02730 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 20447232, 65536, ) == 0x0 02731 428 NtAllocateVirtualMemory (-1, 20447232, 0, 4096, 4096, 4, ... 20447232, 4096, ) == 0x0 02732 428 NtAllocateVirtualMemory (-1, 20451328, 0, 8192, 4096, 4, ... 20451328, 8192, ) == 0x0 02733 428 NtAllocateVirtualMemory (-1, 20459520, 0, 4096, 4096, 4, ... 20459520, 4096, ) == 0x0 02734 428 NtQueryPerformanceCounter (... {107404964, 0}, {3579545, 0}, ) == 0x0 02735 428 NtRaiseException (1231552, 1230812, 1, ... 02736 428 NtContinue (1229608, 0, ... 02737 428 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 360, ) }, ... 360, ) == 0x0 02738 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02739 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02740 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02741 428 NtRaiseException (1221528, 1220788, 1, ... 02742 428 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 02743 428 NtContinue (1219584, 0, ... 02744 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02745 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02746 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02747 428 NtRaiseException (1223288, 1222548, 1, ... 02748 428 NtContinue (1221344, 0, ... 
02749 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02750 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02751 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02752 428 NtRaiseException (1223292, 1222552, 1, ... 02753 428 NtContinue (1221348, 0, ... 02754 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02755 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02756 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02757 428 NtRaiseException (1223288, 1222548, 1, ... 02758 428 NtContinue (1221344, 0, ... 02759 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02760 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02761 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02762 428 NtRaiseException (1223292, 1222552, 1, ... 02763 428 NtContinue (1221348, 0, ... 02764 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02765 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02766 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02767 428 NtRaiseException (1223288, 1222548, 1, ... 02768 428 NtContinue (1221344, 0, ... 02769 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02770 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02771 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02772 428 NtRaiseException (1223292, 1222552, 1, ... 02773 428 NtContinue (1221348, 0, ... 02774 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02775 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02776 428 NtReleaseMutant (360, ... 
0x0, ) == 0x0 02777 428 NtRaiseException (1223288, 1222548, 1, ... 02778 428 NtContinue (1221344, 0, ... 02779 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02780 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02781 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02782 428 NtRaiseException (1223292, 1222552, 1, ... 02783 428 NtContinue (1221348, 0, ... 02784 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02785 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02786 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02787 428 NtRaiseException (1223288, 1222548, 1, ... 02788 428 NtContinue (1221344, 0, ... 02789 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02790 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02791 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02792 428 NtRaiseException (1223292, 1222552, 1, ... 02793 428 NtContinue (1221348, 0, ... 02794 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02795 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02796 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02797 428 NtRaiseException (1223288, 1222548, 1, ... 02798 428 NtContinue (1221344, 0, ... 02799 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02800 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02801 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02802 428 NtRaiseException (1223292, 1222552, 1, ... 02803 428 NtContinue (1221348, 0, ... 02804 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02805 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02806 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02807 428 NtRaiseException (1223288, 1222548, 1, ... 02808 428 NtContinue (1221344, 0, ... 02809 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02810 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02811 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02812 428 NtRaiseException (1223292, 1222552, 1, ... 02813 428 NtContinue (1221348, 0, ... 02814 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02815 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02816 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02817 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 02818 428 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {424, 0}, ... 368, ) == 0x0 02819 428 NtQueryInformationProcess (368, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 02820 428 NtClose (368, ... ) == 0x0 02821 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 02822 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02823 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 368, ) == 0x0 02824 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02825 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02826 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1230768, (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0 02827 428 NtSetInformationFile (372, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02828 428 NtSetInformationFile (372, 1230816, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 02829 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02830 428 NtWriteFile (372, 173, 0, 0, (372, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02831 428 NtReadFile (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02832 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02833 428 NtClose (368, ... ) == 0x0 02834 428 NtClose (372, ... ) == 0x0 02835 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02836 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0 02837 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02838 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02839 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1230768, (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 368, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 368, {status=0x0, info=1}, ) == 0x0 02840 428 NtSetInformationFile (368, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02841 428 NtSetInformationFile (368, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02842 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02843 428 NtWriteFile (368, 173, 0, 0, (368, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02844 428 NtReadFile (368, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (368, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02845 428 NtFsControlFile (368, 173, 0x0, 0x0, 0x11c017, (368, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (368, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02846 428 NtClose (372, ... ) == 0x0 02847 428 NtClose (368, ... 
) == 0x0 02848 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0 02849 428 NtQueryKey (368, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0 02850 428 NtQuerySecurityObject (368, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02851 428 NtQuerySecurityObject (368, 15, 0, ... ) == STATUS_ACCESS_DENIED 02852 428 NtQueryValueKey (368, (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 02853 428 NtClose (368, ... ) == 0x0 02854 428 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 368, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 368, {status=0x0, info=1}, ) == 0x0 02855 428 NtFsControlFile (368, 0, 0x0, 0x0, 0x600bc, (368, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... 
{status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024}, (368, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... 
{status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02856 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02857 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0 02858 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02859 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02860 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232208, (0xc0100080, {24, 0, 0x40, 0, 1232208, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0 02861 428 NtSetInformationFile (376, 1232264, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02862 428 NtSetInformationFile (376, 1232256, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02863 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02864 428 NtWriteFile (376, 173, 0, 0, (376, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02865 428 NtReadFile (376, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (376, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02866 428 NtFsControlFile (376, 173, 0x0, 0x0, 0x11c017, (376, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (376, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\37\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02867 428 NtClose (372, ... ) == 0x0 02868 428 NtClose (376, ... ) == 0x0 02869 428 NtWaitForSingleObject (364, 0, {-70000000, -1}, ... ) == 0x0 02870 428 NtReleaseSemaphore (364, 1, ... 0x0, ) == 0x0 02871 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 02872 428 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 
376, ) == 0x0 02873 428 NtWaitForSingleObject (376, 0, {-1800000000, -1}, ... ) == 0x0 02874 428 NtClose (376, ... ) == 0x0 02875 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02876 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0 02877 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02878 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02879 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232244, (0xc0100080, {24, 0, 0x40, 0, 1232244, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0 02880 428 NtSetInformationFile (372, 1232300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02881 428 NtSetInformationFile (372, 1232292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02882 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02883 428 NtWriteFile (372, 173, 0, 0, (372, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02884 428 NtReadFile (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02885 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... 
{status=0x103, info=68}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02886 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02887 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02888 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0e\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02889 428 NtFsControlFile (372, 173, 0x0, 0x0, 0x11c017, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0f\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02890 428 NtClose (376, ... ) == 0x0 02891 428 NtClose (372, ... ) == 0x0 02892 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02893 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 02894 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02895 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02896 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == 0x0 02897 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 372, ) }, ... 372, ) == 0x0 02898 428 NtQueryValueKey (372, (372, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0 02899 428 NtClose (372, ... ) == 0x0 02900 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 372, ) }, ... 372, ) == 0x0 02901 428 NtQueryValueKey (372, (372, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0 02902 428 NtClose (372, ... ) == 0x0 02903 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 372, ) }, ... 372, ) == 0x0 02904 428 NtQueryValueKey (372, (372, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 02905 428 NtClose (372, ... ) == 0x0 02906 428 NtRaiseException (1222212, 1221472, 1, ... 02907 428 NtContinue (1220268, 0, ... 02908 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02909 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02910 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02911 428 NtRaiseException (1222208, 1221468, 1, ... 02912 428 NtContinue (1220264, 0, ... 02913 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02914 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02915 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02916 428 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1232876, 0, (0x1f0001, {24, 52, 0x80, 1232876, 0, "HGFSMUTEX"}, 1, ... 372, ) }, 1, ... 372, ) == 0x0 02917 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02918 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02919 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02920 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == 0x0 02921 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 376, {status=0x0, info=1}, ) }, 5, 96, ... 376, {status=0x0, info=1}, ) == 0x0 02922 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 376, ... 380, ) == 0x0 02923 428 NtQuerySection (380, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 02924 428 NtClose (376, ... ) == 0x0 02925 428 NtMapViewOfSection (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0 02926 428 NtClose (380, ... ) == 0x0 02927 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02928 428 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1373800, 0, (0x1f0003, {24, 52, 0x80, 1373800, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 380, ) }, 0, 2147483647, ... 380, ) == STATUS_OBJECT_NAME_EXISTS 02929 428 NtReleaseSemaphore (380, 1, ... 0, ) == 0x0 02930 428 NtWaitForSingleObject (380, 0, {0, 0}, ... ) == 0x0 02931 428 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 02932 428 NtQueryValueKey (376, (376, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0 02933 428 NtClose (376, ... ) == 0x0 02934 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1230428, ... ) }, 1230428, ... ) == 0x0 02935 428 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 
376, 2, ) == 0x0 02936 428 NtSetValueKey (376, (376, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1, (376, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0 02937 428 NtClose (376, ... ) == 0x0 02938 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0 02939 428 NtQueryDirectoryFile (376, 0, 0, 0, 1230568, 616, BothDirectory, 1, (376, 0, 0, 0, 1230568, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 02940 428 NtUnmapViewOfSection (-1, 0x76780000, ... ) == 0x0 02941 428 NtRaiseException (1221848, 1221108, 1, ... 02942 428 NtContinue (1219904, 0, ... 02943 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02944 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02945 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02946 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 1232876, 1232452, (0xc0100080, {24, 0, 0x40, 1232876, 1232452, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0 02947 428 NtRaiseException (1221848, 1221108, 1, ... 02948 428 NtContinue (1219904, 0, ... 02949 428 NtWaitForSingleObject (360, 0, 0x0, ... 
) == 0x0 02950 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02951 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02952 428 NtCreateSection (0xf0007, {24, 52, 0x80, 1232876, 0, (0xf0007, {24, 52, 0x80, 1232876, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 384, ... 388, ) }, {27876, 0}, 4, 134217728, 384, ... 388, ) == 0x0 02953 428 NtMapViewOfSection (388, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1390000), {0, 0}, 28672, ) == 0x0 02954 428 NtReleaseMutant (372, ... 0x0, ) == 0x0 02955 428 NtRaiseException (1223264, 1222524, 1, ... 02956 428 NtContinue (1221320, 0, ... 02957 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02958 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02959 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02960 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 1233920, 1233508, (0xc0100080, {24, 0, 0x40, 1233920, 1233508, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 392, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 392, {status=0x0, info=0}, ) == 0x0 02961 428 NtDeviceIoControlFile (392, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, (392, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0 02962 428 NtClose (392, ... ) == 0x0 02963 428 NtRaiseException (1223244, 1222504, 1, ... 02964 428 NtContinue (1221300, 0, ... 02965 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02966 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02967 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02968 428 NtRaiseException (1223264, 1222524, 1, ... 02969 428 NtContinue (1221320, 0, ... 02970 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 02971 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02972 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 02973 428 NtAllocateVirtualMemory (-1, 1482752, 0, 20480, 4096, 4, ... 1482752, 20480, ) == 0x0 02974 428 NtAllocateVirtualMemory (-1, 1503232, 0, 20480, 4096, 4, ... 1503232, 20480, ) == 0x0 02975 428 NtWaitForSingleObject (364, 0, {-70000000, -1}, ... ) == 0x0 02976 428 NtReleaseSemaphore (364, 1, ... 0x0, ) == 0x0 02977 428 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 392, ) }, ... 392, ) == 0x0 02978 428 NtWaitForSingleObject (392, 0, {-1800000000, -1}, ... ) == 0x0 02979 428 NtClose (392, ... ) == 0x0 02980 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02981 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0 02982 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02983 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02984 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232184, (0xc0100080, {24, 0, 0x40, 0, 1232184, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 02985 428 NtSetInformationFile (396, 1232240, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02986 428 NtSetInformationFile (396, 1232232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02987 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02988 428 NtWriteFile (396, 173, 0, 0, (396, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02989 428 NtReadFile (396, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 173, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02990 428 NtFsControlFile (396, 173, 0x0, 0x0, 0x11c017, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02991 428 NtFsControlFile (396, 173, 0x0, 0x0, 0x11c017, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02992 428 NtFsControlFile (396, 173, 0x0, 0x0, 0x11c017, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02993 428 NtFsControlFile (396, 173, 0x0, 0x0, 0x11c017, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0g\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02994 428 NtFsControlFile (396, 173, 0x0, 0x0, 0x11c017, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0h\200v\317\323~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02995 428 NtClose (392, ... ) == 0x0 02996 428 NtClose (396, ... ) == 0x0 02997 428 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 02998 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02999 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03000 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03001 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232276, (0xc0100080, {24, 0, 0x40, 0, 1232276, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0 03002 428 NtSetInformationFile (392, 1232332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03003 428 NtSetInformationFile (392, 1232324, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03004 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03005 428 NtWriteFile (392, 173, 0, 0, (392, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03006 428 NtReadFile (392, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (392, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20,%\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03007 428 NtFsControlFile (392, 173, 0x0, 0x0, 0x11c017, (392, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20,%\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... 
{status=0x103, info=76}, (392, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20,%\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03008 428 NtClose (396, ... ) == 0x0 03009 428 NtClose (392, ... ) == 0x0 03010 428 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0 03011 428 NtSetValueKey (392, (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 03012 428 NtClose (392, ... ) == 0x0 03013 428 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 392, ) }, ... 392, ) == 0x0 03014 428 NtQueryValueKey (392, (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03015 428 NtClose (392, ... ) == 0x0 03016 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03017 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03018 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03019 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03020 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03021 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03022 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03023 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03024 428 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0 03025 428 NtSetValueKey (392, (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 03026 428 NtClose (392, ... ) == 0x0 03027 428 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 392, ) }, ... 392, ) == 0x0 03028 428 NtQueryValueKey (392, (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03029 428 NtClose (392, ... 
) == 0x0 03030 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03031 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03032 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03033 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03034 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03035 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03036 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03037 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03038 428 NtWaitForSingleObject (364, 0, {-70000000, -1}, ... ) == 0x0 03039 428 NtReleaseSemaphore (364, 1, ... 0x0, ) == 0x0 03040 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03041 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03042 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03043 428 NtClose (392, ... 
) == 0x0 03044 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0 03045 428 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Network"}, ... 396, ) }, ... 396, ) == 0x0 03046 428 NtClose (392, ... ) == 0x0 03047 428 NtQueryKey (396, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (396, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0 03048 428 NtQuerySecurityObject (396, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 03049 428 NtQuerySecurityObject (396, 15, 0, ... ) == STATUS_ACCESS_DENIED 03050 428 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03051 428 NtEnumerateKey (396, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (396, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0 03052 428 NtOpenKey (0x2001f, {24, 396, 0x40, 0, 0, (0x2001f, {24, 396, 0x40, 0, 0, "f"}, ... 392, ) }, ... 392, ) == 0x0 03053 428 NtQueryValueKey (392, (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03054 428 NtQueryValueKey (392, (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03055 428 NtQueryValueKey (392, (392, "UserName", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03056 428 NtQueryValueKey (392, (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 03057 428 NtQueryValueKey (392, (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03058 428 NtQueryValueKey (392, (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 03059 428 NtQueryValueKey (392, (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03060 428 NtClose (392, ... ) == 0x0 03061 428 NtEnumerateKey (396, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (396, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0 03062 428 NtOpenKey (0x2001f, {24, 396, 0x40, 0, 0, (0x2001f, {24, 396, 0x40, 0, 0, "u"}, ... 392, ) }, ... 392, ) == 0x0 03063 428 NtQueryValueKey (392, (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03064 428 NtQueryValueKey (392, (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03065 428 NtQueryValueKey (392, (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03066 428 NtQueryValueKey (392, (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 03067 428 NtQueryValueKey (392, (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03068 428 NtQueryValueKey (392, (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 03069 428 NtQueryValueKey (392, (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03070 428 NtClose (392, ... ) == 0x0 03071 428 NtClose (396, ... ) == 0x0 03072 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 03073 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03074 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03075 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03076 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03077 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03078 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 396, ) }, ... 396, ) == 0x0 03079 428 NtQueryKey (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 03080 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03081 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03082 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03083 428 NtClose (392, ... ) == 0x0 03084 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03085 428 NtEnumerateKey (398, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (398, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 03086 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03087 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03088 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 392, ) }, ... 392, ) == 0x0 03089 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 03090 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03091 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 03092 428 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03093 428 NtClose (400, ... ) == 0x0 03094 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03095 428 NtQueryValueKey (394, (394, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (394, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 03096 428 NtClose (394, ... ) == 0x0 03097 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03098 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 392, {status=0x0, info=1}, ) }, 3, 96, ... 392, {status=0x0, info=1}, ) == 0x0 03099 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 400, ) }, ... 
400, ) == 0x0 03100 428 NtQuerySymbolicLinkObject (400, ... (400, ... "\Device\WinDfs\U:000000000000900e", 66, ) , 66, ) == 0x0 03101 428 NtClose (400, ... ) == 0x0 03102 428 NtQueryVolumeInformationFile (392, 1233596, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03103 428 NtClose (392, ... ) == 0x0 03104 428 NtEnumerateKey (398, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 03105 428 NtClose (398, ... ) == 0x0 03106 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 03107 428 NtQueryDirectoryFile (396, 0, 0, 0, 1232384, 616, BothDirectory, 1, (396, 0, 0, 0, 1232384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 03108 428 NtClose (396, ... ) == 0x0 03109 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03110 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03111 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 396, ) }, ... 396, ) == 0x0 03112 428 NtQueryKey (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03113 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03114 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03115 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03116 428 NtClose (392, ... ) == 0x0 03117 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03118 428 NtOpenKey (0x1, {24, 398, 0x40, 0, 0, (0x1, {24, 398, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03119 428 NtQueryKey (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03120 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03121 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03122 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03123 428 NtClose (392, ... ) == 0x0 03124 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03125 428 NtOpenKey (0x2000000, {24, 398, 0x40, 0, 0, ""}, ... 392, ) == 0x0 03126 428 NtClose (398, ... ) == 0x0 03127 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03128 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03129 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03130 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03131 428 NtQueryValueKey (396, (396, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03132 428 NtClose (396, ... ) == 0x0 03133 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03134 428 NtOpenKey (0x2000000, {24, 192, 0x40, 0, 0, ""}, ... 396, ) == 0x0 03135 428 NtQueryValueKey (396, (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (396, "ShellState", Partial, 144, ... 
TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 03136 428 NtQueryValueKey (396, (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 03137 428 NtClose (396, ... ) == 0x0 03138 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03139 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03140 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03141 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03142 428 NtQueryValueKey (396, (396, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03143 428 NtClose (396, ... ) == 0x0 03144 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03145 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03146 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03147 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03148 428 NtQueryValueKey (396, (396, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03149 428 NtClose (396, ... ) == 0x0 03150 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03151 428 NtWaitForSingleObject (196, 0, {0, 0}, ... 
) == 0x0 03152 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03153 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03154 428 NtQueryValueKey (396, (396, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03155 428 NtClose (396, ... ) == 0x0 03156 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03157 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03158 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03159 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03160 428 NtQueryValueKey (396, (396, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03161 428 NtClose (396, ... ) == 0x0 03162 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03163 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03164 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03165 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03166 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03167 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03168 428 NtQueryValueKey (396, (396, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03169 428 NtClose (396, ... ) == 0x0 03170 428 NtReleaseSemaphore (196, 1, ... 
0, ) == 0x0 03171 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03172 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03173 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03174 428 NtQueryValueKey (396, (396, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03175 428 NtClose (396, ... ) == 0x0 03176 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03177 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03178 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03179 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0 03180 428 NtQueryValueKey (396, (396, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03181 428 NtClose (396, ... ) == 0x0 03182 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03183 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03184 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03185 428 NtOpenKey (0x2000000, {24, 192, 0x40, 0, 0, (0x2000000, {24, 192, 0x40, 0, 0, "Advanced"}, ... 396, ) }, ... 396, ) == 0x0 03186 428 NtQueryValueKey (396, (396, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0 03187 428 NtQueryValueKey (396, (396, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (396, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03188 428 NtQueryValueKey (396, (396, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03189 428 NtQueryValueKey (396, (396, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03190 428 NtQueryValueKey (396, (396, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03191 428 NtQueryValueKey (396, (396, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03192 428 NtQueryValueKey (396, (396, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03193 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03194 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03195 428 NtQueryValueKey (396, (396, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03196 428 NtQueryValueKey (396, (396, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Filter", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03197 428 NtQueryValueKey (396, (396, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03198 428 NtQueryValueKey (396, (396, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03199 428 NtQueryValueKey (396, (396, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03200 428 NtClose (396, ... ) == 0x0 03201 428 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1373800, 0, (0x1f0003, {24, 52, 0x80, 1373800, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 396, ) }, 0, 2147483647, ... 396, ) == STATUS_OBJECT_NAME_EXISTS 03202 428 NtReleaseSemaphore (396, 1, ... 0, ) == 0x0 03203 428 NtWaitForSingleObject (396, 0, {0, 0}, ... ) == 0x0 03204 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03205 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03206 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 03207 428 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03208 428 NtClose (400, ... ) == 0x0 03209 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03210 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, (0x1, {24, 394, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03211 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03212 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03213 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 03214 428 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03215 428 NtClose (400, ... ) == 0x0 03216 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03217 428 NtQueryValueKey (394, (394, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03218 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03219 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03220 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 03221 428 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03222 428 NtClose (400, ... ) == 0x0 03223 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03224 428 NtQueryValueKey (394, (394, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03225 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03226 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03227 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 03228 428 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03229 428 NtClose (400, ... ) == 0x0 03230 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03231 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, (0x1, {24, 394, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03232 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03233 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03234 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 400, ) }, ... 400, ) == 0x0 03235 428 NtQueryKey (402, Name, 384, ... {Name= (402, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0 03236 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03237 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03238 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03239 428 NtClose (404, ... ) == 0x0 03240 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03241 428 NtOpenKey (0x1, {24, 402, 0x40, 0, 0, (0x1, {24, 402, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03242 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03243 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03244 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03245 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03246 428 NtClose (404, ... 
) == 0x0 03247 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03248 428 NtQueryValueKey (394, (394, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03249 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03250 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03251 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03252 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03253 428 NtClose (404, ... ) == 0x0 03254 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03255 428 NtQueryValueKey (394, (394, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03256 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03257 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03258 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03259 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03260 428 NtClose (404, ... ) == 0x0 03261 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03262 428 NtQueryValueKey (394, (394, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03263 428 NtClose (394, ... ) == 0x0 03264 428 NtClose (402, ... ) == 0x0 03265 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 400, {status=0x0, info=1}, ) }, 3, 16417, ... 400, {status=0x0, info=1}, ) == 0x0 03266 428 NtQueryDirectoryFile (400, 0, 0, 0, 1232308, 616, BothDirectory, 1, (400, 0, 0, 0, 1232308, 616, BothDirectory, 1, "czdddn.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 03267 428 NtClose (400, ... ) == 0x0 03268 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03269 428 NtOpenKey (0x2000000, {24, 192, 0x40, 0, 0, (0x2000000, {24, 192, 0x40, 0, 0, "FileExts"}, ... 400, ) }, ... 400, ) == 0x0 03270 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03271 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03272 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03273 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03274 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03275 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 392, ) }, ... 392, ) == 0x0 03276 428 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03277 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03278 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03279 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03280 428 NtClose (404, ... 
) == 0x0 03281 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03282 428 NtQueryValueKey (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 03283 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03284 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03285 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 404, ) }, ... 404, ) == 0x0 03286 428 NtQueryKey (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03287 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03288 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03289 428 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03290 428 NtClose (408, ... ) == 0x0 03291 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03292 428 NtOpenKey (0x1, {24, 406, 0x40, 0, 0, (0x1, {24, 406, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03293 428 NtQueryKey (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03294 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03295 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03296 428 NtQueryInformationToken (408, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03297 428 NtClose (408, ... ) == 0x0 03298 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03299 428 NtOpenKey (0x2000000, {24, 406, 0x40, 0, 0, ""}, ... 408, ) == 0x0 03300 428 NtClose (406, ... ) == 0x0 03301 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03302 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03303 428 NtReleaseSemaphore (396, 1, ... 0, ) == 0x0 03304 428 NtWaitForSingleObject (396, 0, {0, 0}, ... ) == 0x0 03305 428 NtQueryKey (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03306 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03307 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03308 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03309 428 NtClose (404, ... ) == 0x0 03310 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03311 428 NtOpenKey (0x1, {24, 410, 0x40, 0, 0, (0x1, {24, 410, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03312 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03313 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03314 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03315 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 03316 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03317 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 404, ) }, ... 404, ) == 0x0 03318 428 NtQueryKey (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03319 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03320 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03321 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03322 428 NtClose (412, ... ) == 0x0 03323 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03324 428 NtQueryValueKey (406, (406, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03325 428 NtClose (406, ... ) == 0x0 03326 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03327 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03328 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03329 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03330 428 NtClose (404, ... ) == 0x0 03331 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03332 428 NtQueryValueKey (410, (410, "DocObject", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03333 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03334 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03335 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03336 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03337 428 NtClose (404, ... ) == 0x0 03338 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03339 428 NtQueryValueKey (410, (410, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03340 428 NtQueryKey (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03341 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03342 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03343 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03344 428 NtClose (404, ... ) == 0x0 03345 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03346 428 NtOpenKey (0x1, {24, 410, 0x40, 0, 0, (0x1, {24, 410, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03347 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03348 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "*"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03349 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 404, ) }, ... 404, ) == 0x0 03350 428 NtQueryKey (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 03351 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03352 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03353 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03354 428 NtClose (412, ... ) == 0x0 03355 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03356 428 NtOpenKey (0x1, {24, 406, 0x40, 0, 0, (0x1, {24, 406, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03357 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03358 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03359 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03360 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03361 428 NtClose (412, ... ) == 0x0 03362 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03363 428 NtQueryValueKey (410, (410, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03364 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03365 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03366 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
412, ) == 0x0 03367 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03368 428 NtClose (412, ... ) == 0x0 03369 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03370 428 NtQueryValueKey (410, (410, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03371 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03372 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03373 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03374 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03375 428 NtClose (412, ... ) == 0x0 03376 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03377 428 NtQueryValueKey (410, (410, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03378 428 NtClose (394, ... ) == 0x0 03379 428 NtClose (410, ... ) == 0x0 03380 428 NtClose (406, ... ) == 0x0 03381 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03382 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03383 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03384 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03385 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03386 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03387 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 404, ) }, ... 404, ) == 0x0 03388 428 NtQueryKey (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03389 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03390 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03391 428 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03392 428 NtClose (408, ... ) == 0x0 03393 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03394 428 NtQueryValueKey (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 03395 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03396 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03397 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 408, ) }, ... 408, ) == 0x0 03398 428 NtQueryKey (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03399 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03400 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
392, ) == 0x0 03401 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03402 428 NtClose (392, ... ) == 0x0 03403 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03404 428 NtOpenKey (0x1, {24, 410, 0x40, 0, 0, (0x1, {24, 410, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03405 428 NtQueryKey (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03406 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03407 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03408 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03409 428 NtClose (392, ... ) == 0x0 03410 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03411 428 NtOpenKey (0x2000000, {24, 410, 0x40, 0, 0, ""}, ... 392, ) == 0x0 03412 428 NtClose (410, ... ) == 0x0 03413 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03414 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03415 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03416 428 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03417 428 NtClose (408, ... ) == 0x0 03418 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03419 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, (0x1, {24, 394, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03420 428 NtQueryKey (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0 03421 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03422 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03423 428 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03424 428 NtClose (408, ... ) == 0x0 03425 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03426 428 NtOpenKey (0x1, {24, 406, 0x40, 0, 0, (0x1, {24, 406, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03427 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03428 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03429 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03430 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 03431 428 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03432 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0 03433 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03434 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03435 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03436 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03437 428 NtClose (412, ... ) == 0x0 03438 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03439 428 NtQueryValueKey (410, (410, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03440 428 NtClose (410, ... ) == 0x0 03441 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03442 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03443 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 408, ) }, ... 408, ) == 0x0 03444 428 NtQueryKey (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 03445 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03446 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03447 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03448 428 NtClose (412, ... 
) == 0x0 03449 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03450 428 NtOpenKey (0x1, {24, 410, 0x40, 0, 0, (0x1, {24, 410, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03451 428 NtClose (406, ... ) == 0x0 03452 428 NtClose (394, ... ) == 0x0 03453 428 NtClose (410, ... ) == 0x0 03454 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03455 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03456 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03457 428 NtOpenKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03458 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03459 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03460 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0 03461 428 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03462 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03463 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03464 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03465 428 NtClose (392, ... 
) == 0x0 03466 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03467 428 NtQueryValueKey (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 03468 428 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03469 428 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03470 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 392, ) }, ... 392, ) == 0x0 03471 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03472 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03473 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03474 428 NtQueryInformationToken (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03475 428 NtClose (404, ... ) == 0x0 03476 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03477 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, (0x1, {24, 394, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03478 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03479 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03480 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 404, ) == 0x0 03481 428 NtQueryInformationToken (404, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03482 428 NtClose (404, ... ) == 0x0 03483 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03484 428 NtOpenKey (0x2000000, {24, 394, 0x40, 0, 0, ""}, ... 404, ) == 0x0 03485 428 NtClose (394, ... ) == 0x0 03486 428 NtQueryKey (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03487 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03488 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 03489 428 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03490 428 NtClose (392, ... ) == 0x0 03491 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03492 428 NtOpenKey (0x2000000, {24, 406, 0x40, 0, 0, (0x2000000, {24, 406, 0x40, 0, 0, "shell\open"}, ... 392, ) }, ... 392, ) == 0x0 03493 428 NtQueryKey (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 03494 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03495 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03496 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03497 428 NtClose (412, ... ) == 0x0 03498 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03499 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) }, ... 
412, ) == 0x0 03500 428 NtQueryKey (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) == 0x0 03501 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03502 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 416, ) == 0x0 03503 428 NtQueryInformationToken (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03504 428 NtClose (416, ... ) == 0x0 03505 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03506 428 NtQueryValueKey (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) == 0x0 03507 428 NtClose (414, ... ) == 0x0 03508 428 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03509 428 NtQueryKey (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) == 0x0 03510 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03511 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03512 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03513 428 NtClose (412, ... ) == 0x0 03514 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03515 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) == 0x0 03516 428 NtQueryKey (414, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) == 0x0 03517 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03518 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 416, ) == 0x0 03519 428 NtQueryInformationToken (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03520 428 NtClose (416, ... ) == 0x0 03521 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03522 428 NtQueryValueKey (414, "command", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03523 428 NtClose (414, ... ) == 0x0 03524 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\czdddn.bat"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03525 428 NtQueryKey (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) == 0x0 03526 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03527 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03528 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03529 428 NtClose (412, ... ) == 0x0 03530 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03531 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) == 0x0 03532 428 NtQueryKey (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) == 0x0 03533 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03534 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 416, ) == 0x0 03535 428 NtQueryInformationToken (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03536 428 NtClose (416, ... ) == 0x0 03537 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03538 428 NtQueryValueKey (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) == 0x0 03539 428 NtClose (414, ... ) == 0x0 03540 428 NtQueryKey (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) == 0x0 03541 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03542 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03543 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03544 428 NtClose (412, ... ) == 0x0 03545 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03546 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, "ddeexec"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03547 428 NtUserGetForegroundWindow (... ) == 0x20064 03548 428 NtQueryKey (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) == 0x0 03549 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03550 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 03551 428 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03552 428 NtClose (412, ... 
) == 0x0 03553 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03554 428 NtOpenKey (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) == 0x0 03555 428 NtQueryKey (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) == 0x0 03556 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03557 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 416, ) == 0x0 03558 428 NtQueryInformationToken (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03559 428 NtClose (416, ... ) == 0x0 03560 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03561 428 NtQueryValueKey (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) == 0x0 03562 428 NtClose (414, ... ) == 0x0 03563 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03564 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03565 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03566 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) == 0x0 03567 428 NtQueryValueKey (412, "RestrictRun", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03568 428 NtClose (412, ... ) == 0x0 03569 428 NtReleaseSemaphore (196, 1, ... 
0, ) == 0x0 03570 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03571 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03572 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) == 0x0 03573 428 NtQueryValueKey (412, "DisallowRun", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03574 428 NtClose (412, ... ) == 0x0 03575 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\czdddn.bat"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03576 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03577 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\czdddn.bat"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03578 428 NtReleaseSemaphore (196, 1, ... 0, ) == 0x0 03579 428 NtWaitForSingleObject (196, 0, {0, 0}, ... ) == 0x0 03580 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03581 428 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) == 0x0 03582 428 NtQueryValueKey (412, "NoRunasInstallPrompt", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03583 428 NtClose (412, ... ) == 0x0 03584 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\czdddn.bat"}, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03585 428 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 03586 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1228792, ... ) == 0x0 03587 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1229484, ... ) == 0x0 03588 428 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0 03589 428 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 412, ... ) == STATUS_INVALID_IMAGE_NOT_MZ 03590 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 416, ) == 0x0 03591 428 NtQueryValueKey (416, "DisableAppCompat", Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03592 428 NtClose (416, ... ) == 0x0 03593 428 NtQueryVolumeInformationFile (412, 1228792, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03594 428 NtWaitForSingleObject (208, 0, {-1000000, -1}, ... ) == 0x0 03595 428 NtReleaseMutant (208, ... 0x0, ) == 0x0 03596 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226776, ... ) == 0x0 03597 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03598 428 NtQueryInformationFile (416, 1227380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03599 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 416, ... 420, ) == 0x0 03600 428 NtMapViewOfSection (420, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x13a0000), 0x0, 1028096, ) == 0x0 03601 428 NtQueryInformationFile (416, 1227476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03602 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03603 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03604 428 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 03605 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0 03606 428 NtQueryDirectoryFile (424, 0, 0, 0, 1225040, 616, BothDirectory, 1, (424, 0, 0, 0, 1225040, 616, BothDirectory, 1, "czdddn.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 03607 428 NtClose (424, ... ) == 0x0 03608 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03609 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03610 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1224428, ... ) }, 1224428, ... ) == 0x0 03611 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0 03612 428 NtQueryDirectoryFile (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 03613 428 NtClose (424, ... ) == 0x0 03614 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 
424, {status=0x0, info=1}, ) == 0x0 03615 428 NtQueryDirectoryFile (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, "czdddn.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 03616 428 NtClose (424, ... ) == 0x0 03617 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03618 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03619 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03620 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 424, {status=0x0, info=1}, ) }, 3, 96, ... 424, {status=0x0, info=1}, ) == 0x0 03621 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 428, ) }, ... 428, ) == 0x0 03622 428 NtQuerySymbolicLinkObject (428, ... (428, ... "\Device\WinDfs\U:000000000000900e", 66, ) , 66, ) == 0x0 03623 428 NtClose (428, ... ) == 0x0 03624 428 NtQueryVolumeInformationFile (424, 1225180, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03625 428 NtClose (424, ... ) == 0x0 03626 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03627 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 424, ) == 0x0 03628 428 NtQueryInformationToken (424, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03629 428 NtClose (424, ... ) == 0x0 03630 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03631 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\czdddn.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03632 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03633 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03634 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\czdddn.bat"}, 1226708, ... ) }, 1226708, ... ) == 0x0 03635 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0 03636 428 NtQueryDirectoryFile (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 03637 428 NtClose (424, ... ) == 0x0 03638 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0 03639 428 NtQueryDirectoryFile (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, "czdddn.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 03640 428 NtClose (424, ... ) == 0x0 03641 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03642 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03643 428 NtWaitForSingleObject (208, 0, {-1000000, -1}, ... ) == 0x0 03644 428 NtQueryVolumeInformationFile (412, 1227352, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03645 428 NtQueryInformationFile (412, 1227332, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03646 428 NtQueryInformationFile (412, 1227372, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03647 428 NtReleaseMutant (208, ... 0x0, ) == 0x0 03648 428 NtUnmapViewOfSection (-1, 0x13a0000, ... 
) == 0x0 03649 428 NtClose (420, ... ) == 0x0 03650 428 NtClose (416, ... ) == 0x0 03651 428 NtClose (412, ... ) == 0x0 03652 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03653 428 NtQueryAttributesFile ({24, 152, 0x40, 0, 0, ({24, 152, 0x40, 0, 0, "cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03654 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == 0x0 03655 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229484, ... ) }, 1229484, ... ) == 0x0 03656 428 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0 03657 428 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 412, ... 416, ) == 0x0 03658 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03659 428 NtQuerySection (416, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03660 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03661 428 NtCreateProcessEx (1231420, 2035711, 0, -1, 0, 416, 0, 0, 0, ... ) == 0x0 03662 428 NtSetInformationProcess (420, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03663 428 NtQueryInformationProcess (420, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=924,ParentPid=424,}, 0x0, ) == 0x0 03664 428 NtReadVirtualMemory (420, 0x7ffdf008, 4, ... 
(420, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0 03665 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03666 428 NtReadVirtualMemory (420, 0x4ad00000, 4096, ... (420, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 03667 428 NtReadVirtualMemory (420, 0x4ad3b000, 256, ... (420, 0x4ad3b000, 256, ... 
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 03668 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03669 428 NtQueryInformationProcess (420, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=924,ParentPid=424,}, 0x0, ) == 0x0 03670 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229484, ... ) }, 1229484, ... ) == 0x0 03671 428 NtAllocateVirtualMemory (-1, 0, 0, 1644, 4096, 4, ... 20578304, 4096, ) == 0x0 03672 428 NtAllocateVirtualMemory (420, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 03673 428 NtWriteVirtualMemory (420, 0x10000, (420, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 
0x0, ) == 0x0 03674 428 NtAllocateVirtualMemory (420, 0, 0, 1644, 4096, 4, ... 131072, 4096, ) == 0x0 03675 428 NtWriteVirtualMemory (420, 0x20000, (420, 0x20000, "\0\20\0\0l\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0<\0>\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\20\6\0\0\36\0 \0H\6\0\0\0\0\2\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1644, ... 0x0, ) , 1644, ... 0x0, ) == 0x0 03676 428 NtWriteVirtualMemory (420, 0x7ffdf010, (420, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03677 428 NtWriteVirtualMemory (420, 0x7ffdf1e8, (420, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03678 428 NtFreeVirtualMemory (-1, (0x13a0000), 0, 32768, ... (0x13a0000), 4096, ) == 0x0 03679 428 NtAllocateVirtualMemory (420, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 03680 428 NtAllocateVirtualMemory (420, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0 03681 428 NtCreateThread (0x1f03ff, 0x0, 420, 1229684, 1230404, 1, ... 
424, {924, 928}, ) == 0x0 03682 428 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 424, 428, 1515, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 424, 428, 1515, 0} (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 424, 428, 1515, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03683 428 NtResumeThread (424, ... 1, ) == 0x0 03684 428 NtClose (412, ... ) == 0x0 03685 428 NtClose (416, ... ) == 0x0 03686 428 NtClose (394, ... ) == 0x0 03687 428 NtClose (410, ... ) == 0x0 03688 428 NtClose (406, ... 
) == 0x0 03689 428 NtClose (420, ... ) == 0x0 03690 428 NtClose (424, ... ) == 0x0 03691 428 NtGdiDeleteObjectApp (151520264, ... ) == 0x1 03692 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03693 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03694 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03695 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03696 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03697 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03698 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03699 428 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 03700 428 NtUnmapViewOfSection (-1, 0xe40000, ... ) == 0x0 03701 428 NtClose (324, ... ) == 0x0 03702 428 NtUnmapViewOfSection (-1, 0x769c0000, ... ) == 0x0 03703 428 NtUserDestroyWindow (131246, ... 03704 428 NtUserRemoveProp (131246, 43288, ... ) == 0xffffffff 03705 428 NtUserRemoveProp (131246, 43282, ... ) == 0x0 03706 428 NtUserRemoveProp (131246, 43287, ... ) == 0x0 03703 428 NtUserDestroyWindow ... ) == 0x1 03707 428 NtUserUnregisterClass (1234864, 1998258176, 1234852, ... ) == 0x1 03708 428 NtFreeVirtualMemory (-1, (0x157000), 8192, 16384, ... (0x157000), 8192, ) == 0x0 03709 428 NtClose (228, ... ) == 0x0 03710 428 NtClose (220, ... ) == 0x0 03711 428 NtClose (224, ... ) == 0x0 03712 428 NtClose (200, ... ) == 0x0 03713 428 NtClose (216, ... ) == 0x0 03714 428 NtClose (248, ... ) == 0x0 03715 428 NtClose (252, ... ) == 0x0 03716 428 NtClose (244, ... ) == 0x0 03717 428 NtClose (236, ... ) == 0x0 03718 428 NtClose (240, ... ) == 0x0 03719 428 NtClose (264, ... ) == 0x0 03720 428 NtClose (268, ... ) == 0x0 03721 428 NtClose (256, ... ) == 0x0 03722 428 NtClose (260, ... ) == 0x0 03723 428 NtClose (288, ... ) == 0x0 03724 428 NtClose (280, ... 
) == 0x0 03725 428 NtClose (284, ... ) == 0x0 03726 428 NtClose (272, ... ) == 0x0 03727 428 NtClose (276, ... ) == 0x0 03728 428 NtClose (292, ... ) == 0x0 03729 428 NtClose (296, ... ) == 0x0 03730 428 NtClose (308, ... ) == 0x0 03731 428 NtClose (312, ... ) == 0x0 03732 428 NtClose (300, ... ) == 0x0 03733 428 NtClose (304, ... ) == 0x0 03734 428 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 03735 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1235740, ... ) }, 1235740, ... ) == 0x0 03736 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1236432, ... ) }, 1236432, ... ) == 0x0 03737 428 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0 03738 428 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 304, ... 300, ) == 0x0 03739 428 NtQueryVolumeInformationFile (304, 1235740, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03740 428 NtWaitForSingleObject (208, 0, {-1000000, -1}, ... ) == 0x0 03741 428 NtReleaseMutant (208, ... 0x0, ) == 0x0 03742 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 03743 428 NtQueryInformationFile (312, 1234328, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03744 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 312, ... 308, ) == 0x0 03745 428 NtMapViewOfSection (308, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x13a0000), 0x0, 1028096, ) == 0x0 03746 428 NtQueryInformationFile (312, 1234424, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 03747 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03748 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03749 428 NtQueryDirectoryFile (296, 0, 0, 0, 1231988, 616, BothDirectory, 1, (296, 0, 0, 0, 1231988, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03750 428 NtClose (296, ... ) == 0x0 03751 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03752 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03753 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1231376, ... ) }, 1231376, ... ) == 0x0 03754 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03755 428 NtQueryDirectoryFile (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 03756 428 NtClose (296, ... ) == 0x0 03757 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03758 428 NtQueryDirectoryFile (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 03759 428 NtClose (296, ... 
) == 0x0 03760 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03761 428 NtQueryDirectoryFile (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03762 428 NtClose (296, ... ) == 0x0 03763 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03764 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03765 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03766 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03767 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 296, ) == 0x0 03768 428 NtQueryInformationToken (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03769 428 NtClose (296, ... ) == 0x0 03770 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03771 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\lssas.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03772 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03773 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03774 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1233656, ... ) }, 1233656, ... 
) == 0x0 03775 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03776 428 NtQueryDirectoryFile (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 03777 428 NtClose (296, ... ) == 0x0 03778 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03779 428 NtQueryDirectoryFile (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 03780 428 NtClose (296, ... ) == 0x0 03781 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0 03782 428 NtQueryDirectoryFile (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03783 428 NtClose (296, ... ) == 0x0 03784 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03785 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03786 428 NtWaitForSingleObject (208, 0, {-1000000, -1}, ... ) == 0x0 03787 428 NtQueryVolumeInformationFile (304, 1234300, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03788 428 NtQueryInformationFile (304, 1234280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03789 428 NtQueryInformationFile (304, 1234320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03790 428 NtReleaseMutant (208, ... 
0x0, ) == 0x0 03791 428 NtUnmapViewOfSection (-1, 0x13a0000, ... ) == 0x0 03792 428 NtClose (308, ... ) == 0x0 03793 428 NtClose (312, ... ) == 0x0 03794 428 NtQuerySection (300, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03795 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lssas.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03796 428 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 03797 428 NtOpenProcessToken (-1, 0xa, ... 312, ) == 0x0 03798 428 NtQueryInformationToken (312, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 03799 428 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03800 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0 03801 428 NtQueryValueKey (308, (308, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (308, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03802 428 NtQueryValueKey (308, (308, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (308, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03803 428 NtClose (308, ... ) == 0x0 03804 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0 03805 428 NtQueryValueKey (308, (308, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... 
) == STATUS_BUFFER_TOO_SMALL 03806 428 NtQueryValueKey (308, (308, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (308, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 03807 428 NtClose (308, ... ) == 0x0 03808 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 308, ) }, ... 308, ) == 0x0 03809 428 NtQuerySymbolicLinkObject (308, ... (308, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 03810 428 NtClose (308, ... ) == 0x0 03811 428 NtQueryInformationFile (304, 1234092, 528, Name, ... {status=0x0, info=58}, ) == 0x0 03812 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03813 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03814 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 1232772, ... ) }, 1232772, ... ) == 0x0 03815 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 
308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0 03816 428 NtQueryDirectoryFile (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 03817 428 NtClose (308, ... ) == 0x0 03818 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0 03819 428 NtQueryDirectoryFile (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 03820 428 NtClose (308, ... ) == 0x0 03821 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0 03822 428 NtQueryDirectoryFile (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "lssas.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03823 428 NtClose (308, ... ) == 0x0 03824 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03825 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03826 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0 03827 428 NtQueryValueKey (308, (308, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03828 428 NtClose (308, ... ) == 0x0 03829 428 NtQueryInformationToken (312, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 03830 428 NtQueryInformationToken (312, 15, 4, ... 
{token info, class 15, size 4}, 4, ) == 0x0 03831 428 NtClose (312, ... ) == 0x0 03832 428 NtCreateProcessEx (1238368, 2035711, 0, -1, 4, 300, 0, 0, 0, ... ) == 0x0 03833 428 NtSetInformationProcess (312, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0 03834 428 NtQueryInformationProcess (312, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=932,ParentPid=424,}, 0x0, ) == 0x0 03835 428 NtReadVirtualMemory (312, 0x7ffdf008, 4, ... (312, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 03836 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03837 428 NtReadVirtualMemory (312, 0x400000, 4096, ... (312, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\240\32\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 4096, ) , 4096, ) == 0x0 03838 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03839 428 NtQueryInformationProcess (312, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=932,ParentPid=424,}, 0x0, ) == 0x0 03840 428 NtAllocateVirtualMemory (-1, 0, 0, 1648, 4096, 4, ... 14942208, 4096, ) == 0x0 03841 428 NtAllocateVirtualMemory (312, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 03842 428 NtWriteVirtualMemory (312, 0x10000, (312, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 03843 428 NtAllocateVirtualMemory (312, 0, 0, 1648, 4096, 4, ... 
131072, 4096, ) == 0x0 03844 428 NtWriteVirtualMemory (312, 0x20000, (312, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\233\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0 03845 428 NtWriteVirtualMemory (312, 0x7ffdf010, (312, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03846 428 NtWriteVirtualMemory (312, 0x7ffdf1e8, (312, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03847 428 NtFreeVirtualMemory (-1, (0xe40000), 0, 32768, ... (0xe40000), 4096, ) == 0x0 03848 428 NtAllocateVirtualMemory (312, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 03849 428 NtAllocateVirtualMemory (312, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 03850 428 NtProtectVirtualMemory (312, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 03851 428 NtCreateThread (0x1f03ff, 0x0, 312, 1236632, 1237352, 1, ... 
308, {932, 936}, ) == 0x0 03852 428 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312824, 1310720, 1459848, 1238452} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1459848, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w;\1\0\04\1\0\0\244\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 424, 428, 1539, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w8\1\0\04\1\0\0\244\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 424, 428, 1539, 0} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1459848, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w;\1\0\04\1\0\0\244\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 424, 428, 1539, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w8\1\0\04\1\0\0\244\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03853 428 NtResumeThread (308, ... 1, ) == 0x0 03854 428 NtClose (304, ... ) == 0x0 03855 428 NtClose (300, ... ) == 0x0 03856 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 300, ) == 0x0 03857 428 NtYieldExecution (... 
) == 0x0 03858 428 NtClose (96, ... ) == 0x0 03859 428 NtClose (92, ... ) == 0x0 03860 428 NtYieldExecution (... ) == 0x0 03861 428 NtClose (104, ... ) == 0x0 03862 428 NtClose (100, ... ) == 0x0 03863 428 NtTerminateProcess (0, 0, ... 00680 380 NtDelayExecution ... ) == 0xc0 00832 568 NtDelayExecution ... ) == 0xc0 00666 572 NtDelayExecution ... ) == 0xc0 02362 920 NtWaitForMultipleObjects ... ) == 0xc0 03863 428 NtTerminateProcess ... ) == 0x0 03864 428 NtRaiseException (1238116, 1237376, 1, ... 03865 428 NtContinue (1236172, 0, ... 03866 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 03867 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03868 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 03869 428 NtRaiseException (1228092, 1227352, 1, ... 03870 428 NtContinue (1226148, 0, ... 03871 428 NtWaitForSingleObject (360, 0, 0x0, ... ) == 0x0 03872 428 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03873 428 NtReleaseMutant (360, ... 0x0, ) == 0x0 03874 428 NtUnmapViewOfSection (-1, 0x1390000, ... ) == 0x0 03875 428 NtClose (388, ... ) == 0x0 03876 428 NtClose (384, ... ) == 0x0 03877 428 NtClose (372, ... ) == 0x0 03878 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0 03879 428 NtFreeVirtualMemory (-1, (0x1380000), 0, 32768, ... (0x1380000), 65536, ) == 0x0 03880 428 NtClose (364, ... ) == 0x0 03881 428 NtClose (368, ... ) == 0x0 03882 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 03883 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0 03884 428 NtQueryValueKey (368, (368, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03885 428 NtClose (368, ... ) == 0x0 03886 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 03887 428 NtFreeVirtualMemory (-1, (0xe30000), 0, 32768, ... (0xe30000), 65536, ) == 0x0 03888 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 03889 428 NtFreeVirtualMemory (-1, (0xcf0000), 0, 32768, ... (0xcf0000), 262144, ) == 0x0 03890 428 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 03891 428 NtClose (316, ... ) == 0x0 03892 428 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 16384, ... (0x3f0000), 4096, ) == 0x0 03893 428 NtFreeVirtualMemory (-1, (0x3f0000), 0, 32768, ... (0x3f0000), 65536, ) == 0x0 03894 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 03895 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 03896 428 NtUnmapViewOfSection (-1, 0xc90000, ... ) == 0x0 03897 428 NtClose (148, ... ) == 0x0 03898 428 NtGdiDeleteObjectApp (202376191, ... ) == 0x1 03899 428 NtUserGetProcessWindowStation (... ) == 0x28 03900 428 NtUserBuildNameList (40, 256, 1329096, 1238756, ... ) == 0x0 03901 428 NtUserGetProcessWindowStation (... ) == 0x28 03902 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x94 03903 428 NtUserBuildHwndList (148, 0, 0, 0, 64, ... 
(0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3003e, 0x10066, 0x30040, 0x30030, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100c6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50044, 0x40048, 0x50042, 0x1007e, 0x10076, 0x1, ), 35, ) == 0x0 03904 428 NtUserQueryWindow (65706, 0, ... ) == 0x7e4 03905 428 NtUserQueryWindow (65706, 1, ... ) == 0x7e8 03906 428 NtUserQueryWindow (65704, 0, ... ) == 0x7e4 03907 428 NtUserQueryWindow (65704, 1, ... ) == 0x7e8 03908 428 NtUserQueryWindow (65702, 0, ... ) == 0x7e4 03909 428 NtUserQueryWindow (65702, 1, ... ) == 0x7e8 03910 428 NtUserQueryWindow (131168, 0, ... ) == 0x7e4 03911 428 NtUserQueryWindow (131168, 1, ... ) == 0x7e8 03912 428 NtUserQueryWindow (65696, 0, ... ) == 0x774 03913 428 NtUserQueryWindow (65696, 1, ... ) == 0x784 03914 428 NtUserQueryWindow (65664, 0, ... ) == 0x774 03915 428 NtUserQueryWindow (65664, 1, ... ) == 0x784 03916 428 NtUserBuildHwndList (0, 65664, 1, 0, 64, ... (0x10082, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 03917 428 NtUserQueryWindow (65666, 0, ... ) == 0x774 03918 428 NtUserQueryWindow (65666, 1, ... ) == 0x784 03919 428 NtUserQueryWindow (65670, 0, ... ) == 0x774 03920 428 NtUserQueryWindow (65670, 1, ... ) == 0x784 03921 428 NtUserQueryWindow (65672, 0, ... ) == 0x774 03922 428 NtUserQueryWindow (65672, 1, ... ) == 0x784 03923 428 NtUserQueryWindow (65674, 0, ... ) == 0x774 03924 428 NtUserQueryWindow (65674, 1, ... ) == 0x784 03925 428 NtUserQueryWindow (65678, 0, ... ) == 0x774 03926 428 NtUserQueryWindow (65678, 1, ... ) == 0x784 03927 428 NtUserQueryWindow (65680, 0, ... ) == 0x774 03928 428 NtUserQueryWindow (65680, 1, ... ) == 0x784 03929 428 NtUserQueryWindow (65682, 0, ... ) == 0x774 03930 428 NtUserQueryWindow (65682, 1, ... ) == 0x784 03931 428 NtUserQueryWindow (65684, 0, ... 
) == 0x774 03932 428 NtUserQueryWindow (65684, 1, ... ) == 0x784 03933 428 NtUserQueryWindow (65686, 0, ... ) == 0x774 03934 428 NtUserQueryWindow (65686, 1, ... ) == 0x784 03935 428 NtUserQueryWindow (65690, 0, ... ) == 0x774 03936 428 NtUserQueryWindow (65690, 1, ... ) == 0x784 03937 428 NtUserQueryWindow (65692, 0, ... ) == 0x774 03938 428 NtUserQueryWindow (65692, 1, ... ) == 0x784 03939 428 NtUserQueryWindow (65694, 0, ... ) == 0x774 03940 428 NtUserQueryWindow (65694, 1, ... ) == 0x784 03941 428 NtUserQueryWindow (65652, 0, ... ) == 0x774 03942 428 NtUserQueryWindow (65652, 1, ... ) == 0x784 03943 428 NtUserQueryWindow (65640, 0, ... ) == 0x774 03944 428 NtUserQueryWindow (65640, 1, ... ) == 0x784 03945 428 NtUserQueryWindow (196670, 0, ... ) == 0x774 03946 428 NtUserQueryWindow (196670, 1, ... ) == 0x784 03947 428 NtUserQueryWindow (65638, 0, ... ) == 0x774 03948 428 NtUserQueryWindow (65638, 1, ... ) == 0x784 03949 428 NtUserQueryWindow (196672, 0, ... ) == 0x774 03950 428 NtUserQueryWindow (196672, 1, ... ) == 0x784 03951 428 NtUserQueryWindow (196656, 0, ... ) == 0x774 03952 428 NtUserQueryWindow (196656, 1, ... ) == 0x784 03953 428 NtUserBuildHwndList (0, 196656, 1, 0, 64, ... (0x30032, 0x30036, 0x30034, 0x30038, 0x3003a, 0x3003c, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 03954 428 NtUserQueryWindow (196658, 0, ... ) == 0x774 03955 428 NtUserQueryWindow (196658, 1, ... ) == 0x784 03956 428 NtUserQueryWindow (196662, 0, ... ) == 0x774 03957 428 NtUserQueryWindow (196662, 1, ... ) == 0x784 03958 428 NtUserQueryWindow (196660, 0, ... ) == 0x774 03959 428 NtUserQueryWindow (196660, 1, ... ) == 0x784 03960 428 NtUserQueryWindow (196664, 0, ... ) == 0x774 03961 428 NtUserQueryWindow (196664, 1, ... ) == 0x784 03962 428 NtUserQueryWindow (196666, 0, ... ) == 0x774 03963 428 NtUserQueryWindow (196666, 1, ... ) == 0x784 03964 428 NtUserQueryWindow (196668, 0, ... ) == 0x774 03965 428 NtUserQueryWindow (196668, 1, ... 
) == 0x784 03966 428 NtUserQueryWindow (65642, 0, ... ) == 0x774 03967 428 NtUserQueryWindow (65642, 1, ... ) == 0x784 03968 428 NtUserQueryWindow (65646, 0, ... ) == 0x774 03969 428 NtUserQueryWindow (65646, 1, ... ) == 0x784 03970 428 NtUserQueryWindow (65650, 0, ... ) == 0x774 03971 428 NtUserQueryWindow (65650, 1, ... ) == 0x784 03972 428 NtUserQueryWindow (65688, 0, ... ) == 0x774 03973 428 NtUserQueryWindow (65688, 1, ... ) == 0x784 03974 428 NtUserQueryWindow (65676, 0, ... ) == 0x774 03975 428 NtUserQueryWindow (65676, 1, ... ) == 0x784 03976 428 NtUserQueryWindow (65660, 0, ... ) == 0x774 03977 428 NtUserQueryWindow (65660, 1, ... ) == 0x778 03978 428 NtUserQueryWindow (65574, 0, ... ) == 0x268 03979 428 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 03980 428 NtUserQueryWindow (65734, 0, ... ) == 0x39c 03981 428 NtUserQueryWindow (65734, 1, ... ) == 0x3a0 03982 428 NtUserQueryWindow (65726, 0, ... ) == 0x7ec 03983 428 NtUserQueryWindow (65726, 1, ... ) == 0x7f0 03984 428 NtUserQueryWindow (65724, 0, ... ) == 0x7ec 03985 428 NtUserQueryWindow (65724, 1, ... ) == 0x7f0 03986 428 NtUserQueryWindow (65722, 0, ... ) == 0x7ec 03987 428 NtUserQueryWindow (65722, 1, ... ) == 0x7f0 03988 428 NtUserQueryWindow (65720, 0, ... ) == 0x7ec 03989 428 NtUserQueryWindow (65720, 1, ... ) == 0x7f0 03990 428 NtUserQueryWindow (65718, 0, ... ) == 0x7ec 03991 428 NtUserQueryWindow (65718, 1, ... ) == 0x7f0 03992 428 NtUserQueryWindow (65716, 0, ... ) == 0x7ec 03993 428 NtUserQueryWindow (65716, 1, ... ) == 0x7f0 03994 428 NtUserQueryWindow (65714, 0, ... ) == 0x7ec 03995 428 NtUserQueryWindow (65714, 1, ... ) == 0x7f0 03996 428 NtUserQueryWindow (65712, 0, ... ) == 0x7ec 03997 428 NtUserQueryWindow (65712, 1, ... ) == 0x7f0 03998 428 NtUserQueryWindow (131172, 0, ... ) == 0x7f8 03999 428 NtUserQueryWindow (131172, 1, ... ) == 0x7fc 04000 428 NtUserQueryWindow (65708, 0, ... ) == 0x7e4 04001 428 NtUserQueryWindow (65708, 1, ... 
) == 0x7e8 04002 428 NtUserQueryWindow (131170, 0, ... ) == 0x7dc 04003 428 NtUserQueryWindow (131170, 1, ... ) == 0x7e0 04004 428 NtUserQueryWindow (65644, 0, ... ) == 0x774 04005 428 NtUserQueryWindow (65644, 1, ... ) == 0x7a0 04006 428 NtUserQueryWindow (327748, 0, ... ) == 0x774 04007 428 NtUserQueryWindow (327748, 1, ... ) == 0x778 04008 428 NtUserQueryWindow (262216, 0, ... ) == 0x774 04009 428 NtUserQueryWindow (262216, 1, ... ) == 0x778 04010 428 NtUserQueryWindow (327746, 0, ... ) == 0x774 04011 428 NtUserQueryWindow (327746, 1, ... ) == 0x778 04012 428 NtUserQueryWindow (65662, 0, ... ) == 0x774 04013 428 NtUserQueryWindow (65662, 1, ... ) == 0x778 04014 428 NtUserQueryWindow (65654, 0, ... ) == 0x774 04015 428 NtUserQueryWindow (65654, 1, ... ) == 0x778 04016 428 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 04017 428 NtUserQueryWindow (65656, 0, ... ) == 0x774 04018 428 NtUserQueryWindow (65656, 1, ... ) == 0x778 04019 428 NtUserQueryWindow (65658, 0, ... ) == 0x774 04020 428 NtUserQueryWindow (65658, 1, ... ) == 0x778 04021 428 NtUserCloseDesktop (148, ... 04022 428 NtClose (148, ... ) == 0x0 04021 428 NtUserCloseDesktop ... ) == 0x1 04023 428 NtUserGetProcessWindowStation (... ) == 0x28 04024 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 04025 428 NtUserGetProcessWindowStation (... ) == 0x28 04026 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 04027 428 NtGdiDeleteObjectApp (386532225, ... ) == 0x1 04028 428 NtGdiDeleteObjectApp (151651339, ... ) == 0x1 04029 428 NtClose (12, ... ) == 0x0 04030 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 04031 428 NtFreeVirtualMemory (-1, (0x150000), 16384, 16384, ... (0x150000), 16384, ) == 0x0 04032 428 NtClose (140, ... ) == 0x0 04033 428 NtUnmapViewOfSection (-1, 0x370000, ... 
) == 0x0 04034 428 NtClose (144, ... ) == 0x0 04035 428 NtClose (136, ... ) == 0x0 04036 428 NtFreeVirtualMemory (-1, (0x390000), 0, 32768, ... (0x390000), 262144, ) == 0x0 04037 428 NtUserUnregisterClass (1238716, 1991376896, 1238704, ... ) == 0x0 04038 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04039 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04040 428 NtReleaseMutant (56, ... 0x0, ) == 0x0 04041 428 NtUserUnhookWindowsHookEx (131217, ... ) == 0x1 04042 428 NtTerminateThread (80, 0, ... ) == 0x0 04043 428 NtTerminateThread (76, 0, ... ) == 0x0 04044 428 NtTerminateThread (68, 0, ... ) == 0x0 04045 428 NtUserKillTimer (0, 32761, ... ) == 0x1 04046 428 NtClose (84, ... ) == 0x0 04047 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b 04048 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04049 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d 04050 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04051 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f 04052 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04053 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc041 04054 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04055 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc043 04056 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04057 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc045 04058 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04059 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc047 04060 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... 
) == 0x1 04061 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc049 04062 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04063 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b 04064 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04065 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d 04066 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04067 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f 04068 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04069 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc051 04070 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04071 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc053 04072 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04073 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc057 04074 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04075 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc059 04076 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04077 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b 04078 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04079 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d 04080 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04081 428 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f 04082 428 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04083 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b 04084 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04085 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d 04086 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04087 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f 04088 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04089 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc041 04090 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04091 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc043 04092 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04093 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc045 04094 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04095 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc047 04096 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04097 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc049 04098 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04099 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b 04100 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04101 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d 04102 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04103 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f 04104 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04105 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc051 04106 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04107 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc053 04108 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04109 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc057 04110 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04111 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc059 04112 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04113 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b 04114 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04115 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d 04116 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04117 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f 04118 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04119 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc017 04120 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04121 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc019 04122 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04123 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc018 04124 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04125 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01a 04126 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04127 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01c 04128 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04129 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01e 04130 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04131 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01b 04132 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04133 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc068 04134 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04135 428 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc06a 04136 428 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04137 428 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 04138 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 04139 428 NtClose (380, ... ) == 0x0 04140 428 NtClose (196, ... ) == 0x0 04141 428 NtClose (396, ... ) == 0x0 04142 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 04143 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 04144 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 04145 428 NtClose (192, ... ) == 0x0 04146 428 NtClose (400, ... ) == 0x0 04147 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 04148 428 NtUnmapViewOfSection (-1, 0xf50000, ... ) == 0x0 04149 428 NtClose (356, ... ) == 0x0 04150 428 NtClose (156, ... ) == 0x0 04151 428 NtFreeVirtualMemory (-1, (0x1350000), 4096, 32768, ... (0x1350000), 4096, ) == 0x0 04152 428 NtClose (328, ... ) == 0x0 04153 428 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 424, 428, 1655, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 424, 428, 1655, 0} (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 424, 428, 1655, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 04154 428 NtTerminateProcess (-1, 0, ... 04155 428 NtClose (44, ... ) == 0x0