Summary:


NtAddAtom(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtReadVirtualMemory(>)  32 

NtAllocateLocallyUniqueId(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserGetWindowDC(>)  10 
NtOpenThreadToken(>)  33 

NtClearEvent(>)  1 
NtQueryInformationJobObject(>)  2 
NtWriteFile(>)  10 
NtQueryInformationThread(>)  34 

NtConnectPort(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetValueKey(>)  11 
NtUnmapViewOfSection(>)  38 

NtDelayExecution(>)  1 
NtUserCloseDesktop(>)  2 
NtUserCallOneParam(>)  11 
NtQueryInformationProcess(>)  39 

NtDuplicateToken(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserSystemParametersInfo(>)  11 
NtReleaseMutant(>)  41 

NtGdiCreateBitmap(>)  1 
NtUserDestroyWindow(>)  2 
NtOpenProcessToken(>)  14 
NtQueryDefaultLocale(>)  45 

NtGdiCreateHalftonePalette(>)  1 
NtUserGetObjectInformation(>)  2 
NtTerminateThread(>)  14 
NtUserUnregisterClass(>)  47 

NtGdiCreatePaletteInternal(>)  1 
NtUserMessageCall(>)  2 
NtNotifyChangeKey(>)  15 
NtSetInformationThread(>)  49 

NtGdiCreatePatternBrushInternal(>)  1 
NtOpenMutant(>)  3 
NtQueryVolumeInformationFile(>)  15 
NtCreateEvent(>)  50 

NtGdiDoPalette(>)  1 
NtTerminateProcess(>)  3 
NtRegisterThreadTerminatePort(>)  16 
NtContinue(>)  51 

NtGdiInit(>)  1 
NtUserOpenDesktop(>)  3 
NtTestAlert(>)  16 
NtCreateSection(>)  56 

NtGdiQueryFontAssocInfo(>)  1 
NtUserRemoveProp(>)  3 
NtCreateKey(>)  17 
NtProtectVirtualMemory(>)  65 

NtGdiSelectBitmap(>)  1 
NtWaitForMultipleObjects(>)  3 
NtCreateThread(>)  17 
NtUserFindExistingCursorIcon(>)  68 

NtOpenKeyedEvent(>)  1 
NtCallbackReturn(>)  4 
NtDeviceIoControlFile(>)  17 
NtOpenSection(>)  77 

NtQueryFullAttributesFile(>)  1 
NtCreateMutant(>)  4 
NtFsControlFile(>)  17 
NtReadFile(>)  77 

NtQueryObject(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtFlushInstructionCache(>)  18 
NtMapViewOfSection(>)  80 

NtQueryPerformanceCounter(>)  1 
NtOpenEvent(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtOpenFile(>)  88 

NtQuerySystemTime(>)  1 
NtQuerySecurityObject(>)  4 
NtQueryDirectoryFile(>)  20 
NtQuerySystemInformation(>)  89 

NtSecureConnectPort(>)  1 
NtUserFindWindowEx(>)  4 
NtResumeThread(>)  21 
NtUserGetClassInfo(>)  91 

NtSetSecurityObject(>)  1 
NtDuplicateObject(>)  5 
NtSetInformationProcess(>)  21 
NtUserRegisterClassExWOW(>)  94 

NtUserBuildNameList(>)  1 
NtGdiGetStockObject(>)  5 
NtEnumerateValueKey(>)  23 
NtWaitForSingleObject(>)  95 

NtUserGetAtomName(>)  1 
NtSetInformationObject(>)  5 
NtQueryDebugFilterState(>)  24 
NtAllocateVirtualMemory(>)  102 

NtUserGetDC(>)  1 
NtUserGetProcessWindowStation(>)  5 
NtSetInformationFile(>)  25 
NtOpenProcessTokenEx(>)  110 

NtUserGetForegroundWindow(>)  1 
NtGdiDeleteObjectApp(>)  6 
NtSetEvent(>)  26 
NtOpenThreadTokenEx(>)  110 

NtUserGetGUIThreadInfo(>)  1 
NtOpenSymbolicLinkObject(>)  6 
NtCreateFile(>)  27 
NtQueryInformationToken(>)  126 

NtUserGetThreadDesktop(>)  1 
NtQuerySymbolicLinkObject(>)  6 
NtRaiseException(>)  27 
NtQueryKey(>)  129 

NtUserGetThreadState(>)  1 
NtCreateSemaphore(>)  7 
NtFreeVirtualMemory(>)  28 
NtQueryAttributesFile(>)  147 

NtUserSetProp(>)  1 
NtUserBuildHwndList(>)  7 
NtQuerySection(>)  28 
NtQueryValueKey(>)  227 

NtAccessCheck(>)  2 
NtWriteVirtualMemory(>)  8 
NtReleaseSemaphore(>)  28 
NtUserQueryWindow(>)  302 

NtCreateIoCompletion(>)  2 
NtQueryVirtualMemory(>)  9 
NtRequestWaitReplyPort(>)  28 
NtOpenKey(>)  482 

NtCreateProcessEx(>)  2 
NtUserCallNoParam(>)  9 
NtQueryInformationFile(>)  30 
NtClose(>)  620 

NtGdiCreateSolidBrush(>)  2 
NtOpenProcess(>)  10 
NtEnumerateKey(>)  31 

Trace:
 00001   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   484   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   484   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   484   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   484   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   484   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   484   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   484   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   484   NtClose  (12, ... ) == 0x0
 00014   484   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   484   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   484   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   484   NtClose  (16, ... ) == 0x0
 00021   484   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   484   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   484   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   484   NtClose  (16, ... ) == 0x0
 00026   484   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   484   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   484   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   484   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 476, 484, 1527, 0} "\320\231\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 476, 484, 1527, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 476, 484, 1527, 0} "\320\231\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   484   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   484   NtClose  (16, ... ) == 0x0
 00036   484   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   484   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   484   NtClose  (28, ... ) == 0x0
 00041   484   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   484   NtClose  (28, ... ) == 0x0
 00045   484   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   484   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   484   NtClose  (28, ... ) == 0x0
 00049   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   484   NtClose  (28, ... ) == 0x0
 00052   484   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 476, 484, 1531, 0} "\30E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 476, 484, 1531, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 476, 484, 1531, 0} "\30E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   484   NtProtectVirtualMemory  (-1, (0x420000), 4096, 4, ... (0x420000), 4096, 128, ) == 0x0
 00057   484   NtProtectVirtualMemory  (-1, (0x420000), 4096, 128, ... (0x420000), 4096, 4, ) == 0x0
 00058   484   NtFlushInstructionCache  (-1, 4325376, 4096, ... ) == 0x0
 00059   484   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   484   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   484   NtClose  (28, ... ) == 0x0
 00062   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   484   NtClose  (28, ... ) == 0x0
 00065   484   NtTestAlert  (... ) == 0x0
 00066   484   NtContinue  (1244464, 1, ...
 00067   484   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4254c6,}, 4, ... ) == 0x0
 00068   484   NtQueryVirtualMemory  (-1, 0x42a49a, Basic, 28, ... {BaseAddress=0x42a000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x3000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00069   484   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00070   484   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00071   484   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00072   484   NtProtectVirtualMemory  (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00073   484   NtProtectVirtualMemory  (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00074   484   NtProtectVirtualMemory  (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00075   484   NtProtectVirtualMemory  (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00076   484   NtProtectVirtualMemory  (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00077   484   NtProtectVirtualMemory  (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00078   484   NtProtectVirtualMemory  (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00079   484   NtProtectVirtualMemory  (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00080   484   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00081   484   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00082   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00083   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00084   484   NtAllocateVirtualMemory  (-1, 5431296, 0, 8192, 4096, 4, ... 5431296, 8192, ) == 0x0
 00085   484   NtProtectVirtualMemory  (-1, (0x52e000), 4096, 260, ... (0x52e000), 4096, 4, ) == 0x0
 00086   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 32, {476, 884}, ) == 0x0
 00087   484   NtQueryInformationThread  (32, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=884,}, 0x0, ) == 0x0
 00088   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 65973, 4128831}  (24, {28, 56, new_msg, 0, 0, 0, 65973, 4128831} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \0\0\0\334\1\0\0t\3\0\0" ... {28, 56, reply, 0, 476, 484, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \0\0\0\334\1\0\0t\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1546, 0}  (24, {28, 56, new_msg, 0, 0, 0, 65973, 4128831} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \0\0\0\334\1\0\0t\3\0\0" ... {28, 56, reply, 0, 476, 484, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \0\0\0\334\1\0\0t\3\0\0" )  ) == 0x0
 00089   484   NtResumeThread  (32, ... 1, ) == 0x0
 00090   484   NtClose  (32, ... ) == 0x0
 00091   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00092   884   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0
 00093   884   NtQueryValueKey  (32,  (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   884   NtClose  (32, ... ) == 0x0
 00095   884   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00096   884   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00097   884   NtClose  (32, ... ) == 0x0
 00098   884   NtAllocateVirtualMemory  (-1, 5427200, 0, 4096, 4096, 260, ... 5427200, 4096, ) == 0x0
 00099   884   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00100   884   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00101   884   NtClose  (32, ... ) == 0x0
 00102   884   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00103   884   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00104   884   NtClose  (32, ... ) == 0x0
 00105   884   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00106   884   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00107   884   NtClose  (32, ... ) == 0x0
 00108   884   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00109   884   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00110   884   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00111   884   NtClose  (32, ... ) == 0x0
 00112   884   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00113   884   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00114   884   NtClose  (32, ... ) == 0x0
 00115   884   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00116   884   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00117   884   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00118   884   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00119   884   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 476, 884, 1565, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 476, 884, 1565, 0}  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 476, 884, 1565, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00120   884   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00121   884   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x530000), 0x0, 1060864, ) == 0x0
 00122   884   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00123   884   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00124   884   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00125   884   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00126   884   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00127   884   NtClose  (-2147482020, ... ) == 0x0
 00128   884   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00129   884   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00130   884   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00131   884   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00132   884   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00133   884   NtClose  (-2147482020, ... ) == 0x0
 00134   884   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00135   884   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00136   884   NtClose  (-2147482020, ... ) == 0x0
 00137   884   NtQueryDefaultLocale  (0, -136443380, ... ) == 0x0
 00138   884   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00139   884   NtUserCallNoParam  (24, ... ) == 0x0
 00140   884   NtGdiCreateCompatibleDC  (0, ...
 00141   884   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00140   884   NtGdiCreateCompatibleDC  ... ) == 0xe010473
 00142   884   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00143   884   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00144   884   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05047a
 00145   884   NtGdiCreateSolidBrush  (0, 0, ...
 00146   884   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9699328, 4096, ) == 0x0
 00145   884   NtGdiCreateSolidBrush  ... ) == 0x810047d
 00147   884   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00148   884   NtGdiCreateCompatibleDC  (0, ... ) == 0x601047e
 00149   884   NtGdiSelectBitmap  (100729982, 184878202, ... ) == 0x185000f
 00150   884   NtUserGetThreadDesktop  (884, 0, ... ) == 0x30
 00151   884   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00152   884   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00153   884   NtClose  (56, ... ) == 0x0
 00154   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00155   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 673, 128, 0, ... ) == 0x810cc017
 00156   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00157   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 674, 128, 0, ... ) == 0x810cc01c
 00158   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00159   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 675, 128, 0, ... ) == 0x810cc01e
 00160   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00161   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 676, 128, 0, ... ) == 0x810c8002
 00162   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10013
 00163   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 677, 128, 0, ... ) == 0x810cc018
 00164   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00165   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 678, 128, 0, ... ) == 0x810cc01a
 00166   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00167   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 679, 128, 0, ... ) == 0x810cc01d
 00168   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00169   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 681, 128, 0, ... ) == 0x810cc026
 00170   884   NtUserFindExistingCursorIcon  (5434084, 5434100, 5434668, ... ) == 0x10011
 00171   884   NtUserRegisterClassExWOW  (5434604, 5434684, 5434668, 5434700, 680, 128, 0, ... ) == 0x810cc019
 00172   884   NtUserRegisterClassExWOW  (5434556, 5434636, 5434620, 5434652, 0, 128, 0, ... ) == 0x810cc020
 00173   884   NtUserRegisterClassExWOW  (5434556, 5434632, 5434648, 5434620, 0, 130, 0, ... ) == 0x810cc022
 00174   884   NtUserRegisterClassExWOW  (5434556, 5434636, 5434620, 5434652, 0, 128, 0, ...
 00175   884   NtAllocateVirtualMemory  (-1, 6664192, 0, 4096, 4096, 32, ... 6664192, 4096, ) == 0x0
 00174   884   NtUserRegisterClassExWOW  ... ) == 0x810cc023
 00176   884   NtUserRegisterClassExWOW  (5434556, 5434632, 5434648, 5434620, 0, 130, 0, ... ) == 0x810cc024
 00177   884   NtUserRegisterClassExWOW  (5434556, 5434636, 5434620, 5434652, 0, 128, 0, ... ) == 0x810cc025
 00178   884   NtCallbackReturn  (0, 0, 0, ...
 00179   884   NtGdiInit  (... ) == 0x1
 00180   884   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00181   884   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00182   884   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00183   884   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00184   884   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100ea, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x100a4, 0x10084, 0x10078, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x10090, 0x10080, 0x10026, 0x100e6, 0x100dc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100c0, 0x100bc, 0x100ba, 0x100ac, 0x100d8, 0x100ce, 0x100cc, 0x100b8, 0x100a6, 0x10070, 0x50050, 0x40054, 0x5004e, 0x10082, 0x1007a, 0x1, ), 40, ) == 0x0
 00185   884   NtUserQueryWindow  (196684, 0, ... ) == 0x778
 00186   884   NtUserQueryWindow  (196684, 1, ... ) == 0x7a0
 00187   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1912, 0}, ... 56, ) == 0x0
 00188   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00189   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...
 00190   884   NtContinue  (-136446820, 0, ...
 00189   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00191   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...
 00192   884   NtContinue  (-136446820, 0, ...
 00191   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00193   884   NtClose  (56, ... ) == 0x0
 00194   884   NtUserQueryWindow  (65770, 0, ... ) == 0x778
 00195   884   NtUserQueryWindow  (65770, 1, ... ) == 0x7a0
 00196   884   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00197   884   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00198   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 56, ) == 0x0
 00199   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00200   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...  (56, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00201   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...  (56, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00202   884   NtClose  (56, ... ) == 0x0
 00203   884   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00204   884   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00205   884   NtUserQueryWindow  (65714, 0, ... ) == 0x7e8
 00206   884   NtUserQueryWindow  (65714, 1, ... ) == 0x7ec
 00207   884   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00208   884   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00209   884   NtUserQueryWindow  (65700, 0, ... ) == 0x778
 00210   884   NtUserQueryWindow  (65700, 1, ... ) == 0x7a0
 00211   884   NtUserQueryWindow  (65668, 0, ... ) == 0x778
 00212   884   NtUserQueryWindow  (65668, 1, ... ) == 0x7a0
 00213   884   NtUserQueryWindow  (65656, 0, ... ) == 0x778
 00214   884   NtUserQueryWindow  (65656, 1, ... ) == 0x7a0
 00215   884   NtUserQueryWindow  (65640, 0, ... ) == 0x778
 00216   884   NtUserQueryWindow  (65640, 1, ... ) == 0x7a0
 00217   884   NtUserQueryWindow  (196682, 0, ... ) == 0x778
 00218   884   NtUserQueryWindow  (196682, 1, ... ) == 0x7a0
 00219   884   NtUserQueryWindow  (65638, 0, ... ) == 0x778
 00220   884   NtUserQueryWindow  (65638, 1, ... ) == 0x7a0
 00221   884   NtUserQueryWindow  (196668, 0, ... ) == 0x778
 00222   884   NtUserQueryWindow  (196668, 1, ... ) == 0x7a0
 00223   884   NtUserQueryWindow  (65692, 0, ... ) == 0x778
 00224   884   NtUserQueryWindow  (65692, 1, ... ) == 0x7a0
 00225   884   NtUserQueryWindow  (65680, 0, ... ) == 0x778
 00226   884   NtUserQueryWindow  (65680, 1, ... ) == 0x7a0
 00227   884   NtUserQueryWindow  (65664, 0, ... ) == 0x778
 00228   884   NtUserQueryWindow  (65664, 1, ... ) == 0x77c
 00229   884   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00230   884   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00231   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 56, ) == 0x0
 00232   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00233   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...  (56, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00234   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...  (56, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00235   884   NtClose  (56, ... ) == 0x0
 00236   884   NtUserQueryWindow  (65766, 0, ... ) == 0x170
 00237   884   NtUserQueryWindow  (65766, 1, ... ) == 0x184
 00238   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {368, 0}, ... 56, ) == 0x0
 00239   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00240   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...
 00241   884   NtContinue  (-136446820, 0, ...
 00240   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00242   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...
 00243   884   NtContinue  (-136446820, 0, ...
 00242   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00244   884   NtClose  (56, ... ) == 0x0
 00245   884   NtUserQueryWindow  (65756, 0, ... ) == 0x170
 00246   884   NtUserQueryWindow  (65756, 1, ... ) == 0x184
 00247   884   NtUserQueryWindow  (65738, 0, ... ) == 0x7f0
 00248   884   NtUserQueryWindow  (65738, 1, ... ) == 0x7f4
 00249   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2032, 0}, ... 56, ) == 0x0
 00250   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00251   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...  (56, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00252   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...  (56, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00253   884   NtClose  (56, ... ) == 0x0
 00254   884   NtUserQueryWindow  (65736, 0, ... ) == 0x7f0
 00255   884   NtUserQueryWindow  (65736, 1, ... ) == 0x7f4
 00256   884   NtUserQueryWindow  (65734, 0, ... ) == 0x7f0
 00257   884   NtUserQueryWindow  (65734, 1, ... ) == 0x7f4
 00258   884   NtUserQueryWindow  (65732, 0, ... ) == 0x7f0
 00259   884   NtUserQueryWindow  (65732, 1, ... ) == 0x7f4
 00260   884   NtUserQueryWindow  (65730, 0, ... ) == 0x7f0
 00261   884   NtUserQueryWindow  (65730, 1, ... ) == 0x7f4
 00262   884   NtUserQueryWindow  (65728, 0, ... ) == 0x7f0
 00263   884   NtUserQueryWindow  (65728, 1, ... ) == 0x7f4
 00264   884   NtUserQueryWindow  (65724, 0, ... ) == 0x7f0
 00265   884   NtUserQueryWindow  (65724, 1, ... ) == 0x7f4
 00266   884   NtUserQueryWindow  (65722, 0, ... ) == 0x7f0
 00267   884   NtUserQueryWindow  (65722, 1, ... ) == 0x7f4
 00268   884   NtUserQueryWindow  (65708, 0, ... ) == 0x7fc
 00269   884   NtUserQueryWindow  (65708, 1, ... ) == 0x70
 00270   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2044, 0}, ... 56, ) == 0x0
 00271   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00272   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...  (56, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00273   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...  (56, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00274   884   NtClose  (56, ... ) == 0x0
 00275   884   NtUserQueryWindow  (65752, 0, ... ) == 0x778
 00276   884   NtUserQueryWindow  (65752, 1, ... ) == 0x190
 00277   884   NtUserQueryWindow  (65742, 0, ... ) == 0x778
 00278   884   NtUserQueryWindow  (65742, 1, ... ) == 0x190
 00279   884   NtUserQueryWindow  (65740, 0, ... ) == 0x778
 00280   884   NtUserQueryWindow  (65740, 1, ... ) == 0x7a0
 00281   884   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00282   884   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00283   884   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00284   884   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00285   884   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 56, ) == 0x0
 00286   884   NtReadVirtualMemory  (56, 0x400000, 64, ...  (56, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00287   884   NtReadVirtualMemory  (56, 0x4b1c86, 4, ...
 00288   884   NtContinue  (-136446820, 0, ...
 00287   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00289   884   NtReadVirtualMemory  (56, 0x4c91a0, 256, ...
 00290   884   NtContinue  (-136446820, 0, ...
 00289   884   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00291   884   NtClose  (56, ... ) == 0x0
 00292   884   NtUserQueryWindow  (65648, 0, ... ) == 0x778
 00293   884   NtUserQueryWindow  (65648, 1, ... ) == 0x7c8
 00294   884   NtUserQueryWindow  (327760, 0, ... ) == 0x778
 00295   884   NtUserQueryWindow  (327760, 1, ... ) == 0x77c
 00296   884   NtUserQueryWindow  (262228, 0, ... ) == 0x778
 00297   884   NtUserQueryWindow  (262228, 1, ... ) == 0x77c
 00298   884   NtUserQueryWindow  (327758, 0, ... ) == 0x778
 00299   884   NtUserQueryWindow  (327758, 1, ... ) == 0x77c
 00300   884   NtUserQueryWindow  (65666, 0, ... ) == 0x778
 00301   884   NtUserQueryWindow  (65666, 1, ... ) == 0x77c
 00302   884   NtUserQueryWindow  (65658, 0, ... ) == 0x778
 00303   884   NtUserQueryWindow  (65658, 1, ... ) == 0x77c
 00304   884   NtRaiseException  (5437520, 5436780, 1, ...
 00305   884   NtContinue  (5435576, 0, ...
 00306   884   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0
 00307   884   NtOpenMutant  (0x120001, {24, 56, 0x2, 0, 0,  (0x120001, {24, 56, 0x2, 0, 0, "DBWinMutex"}, ... 60, ) }, ... 60, ) == 0x0
 00308   884   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 00309   884   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   884   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 00311   884   NtDuplicateObject  (-1, 2950, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00312   884   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00313   884   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00314   884   NtTestAlert  (... ) == 0x0
 00315   884   NtContinue  (5438768, 1, ...
 00316   884   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00317   884   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00318   884   NtSetEvent  (28, ...
 00091   484   NtWaitForSingleObject  ... ) == 0x0
 00319   484   NtClose  (28, ... ) == 0x0
 00320   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00321   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9764864, 1048576, ) == 0x0
 00322   484   NtAllocateVirtualMemory  (-1, 10805248, 0, 8192, 4096, 4, ... 10805248, 8192, ) == 0x0
 00323   484   NtProtectVirtualMemory  (-1, (0xa4e000), 4096, 260, ... (0xa4e000), 4096, 4, ) == 0x0
 00324   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 956}, ) == 0x0
 00325   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=476,Tid=956,}, 0x0, ) == 0x0
 00326   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1546, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\274\3\0\0" ... {28, 56, reply, 0, 476, 484, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\274\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1576, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\274\3\0\0" ... {28, 56, reply, 0, 476, 484, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\274\3\0\0" )  ) == 0x0
 00327   484   NtResumeThread  (64, ... 1, ) == 0x0
 00328   484   NtClose  (64, ... ) == 0x0
 00329   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00330   956   NtTestAlert  (... ) == 0x0
 00331   956   NtContinue  (10812720, 1, ...
 00332   956   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00333   956   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00334   956   NtSetEvent  (28, ...
 00329   484   NtWaitForSingleObject  ... ) == 0x0
 00335   484   NtClose  (28, ... ) == 0x0
 00336   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00337   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10813440, 1048576, ) == 0x0
 00338   484   NtAllocateVirtualMemory  (-1, 11853824, 0, 8192, 4096, 4, ... 11853824, 8192, ) == 0x0
 00339   484   NtProtectVirtualMemory  (-1, (0xb4e000), 4096, 260, ... (0xb4e000), 4096, 4, ) == 0x0
 00340   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 960}, ) == 0x0
 00341   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=960,}, 0x0, ) == 0x0
 00342   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1576, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 476, 484, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\300\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1577, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 476, 484, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\300\3\0\0" )  ) == 0x0
 00343   484   NtResumeThread  (64, ... 1, ) == 0x0
 00344   484   NtClose  (64, ... ) == 0x0
 00345   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00346   960   NtTestAlert  (... ) == 0x0
 00347   960   NtContinue  (11861296, 1, ...
 00348   960   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00349   960   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00350   960   NtSetEvent  (28, ...
 00345   484   NtWaitForSingleObject  ... ) == 0x0
 00351   484   NtClose  (28, ... ) == 0x0
 00352   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00353   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11862016, 1048576, ) == 0x0
 00354   484   NtAllocateVirtualMemory  (-1, 12902400, 0, 8192, 4096, 4, ... 12902400, 8192, ) == 0x0
 00355   484   NtProtectVirtualMemory  (-1, (0xc4e000), 4096, 260, ... (0xc4e000), 4096, 4, ) == 0x0
 00356   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 964}, ) == 0x0
 00357   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=476,Tid=964,}, 0x0, ) == 0x0
 00358   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1577, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 476, 484, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\304\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1578, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 476, 484, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\304\3\0\0" )  ) == 0x0
 00359   484   NtResumeThread  (64, ... 1, ) == 0x0
 00360   484   NtClose  (64, ... ) == 0x0
 00361   964   NtTestAlert  (... ) == 0x0
 00362   964   NtContinue  (12909872, 1, ...
 00363   964   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00364   964   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00365   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00350   960   NtSetEvent  ... 0x0, ) == 0x0
 00334   956   NtSetEvent  ... 0x0, ) == 0x0
 00366   956   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00367   956   NtTerminateThread  (0, 0, ...
 00318   884   NtSetEvent  ... 0x0, ) == 0x0
 00364   964   NtSetInformationThread  ... ) == 0x0
 00368   960   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00369   884   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00370   964   NtSetEvent  (28, ...
 00368   960   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00369   884   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00365   484   NtWaitForSingleObject  ... ) == 0x0
 00370   964   NtSetEvent  ... 0x0, ) == 0x0
 00371   960   NtTerminateThread  (0, 0, ...
 00372   484   NtClose  (28, ...
 00373   884   NtTerminateThread  (0, 0, ...
 00374   964   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00372   484   NtClose  ... ) == 0x0
 00375   960   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ...
 00376   956   NtFreeVirtualMemory  (-1, (0x950000), 0, 32768, ...
 00375   960   NtFreeVirtualMemory  ... (0xa50000), 1048576, ) == 0x0
 00376   956   NtFreeVirtualMemory  ... (0x950000), 1048576, ) == 0x0
 00377   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00378   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9764864, 1048576, ) == 0x0
 00379   484   NtAllocateVirtualMemory  (-1, 10805248, 0, 8192, 4096, 4, ... 10805248, 8192, ) == 0x0
 00380   484   NtProtectVirtualMemory  (-1, (0xa4e000), 4096, 260, ... (0xa4e000), 4096, 4, ) == 0x0
 00381   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 968}, ) == 0x0
 00382   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=476,Tid=968,}, 0x0, ) == 0x0
 00383   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1578, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 476, 484, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1581, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 476, 484, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\310\3\0\0" )  ) == 0x0
 00384   484   NtResumeThread  (64, ... 1, ) == 0x0
 00385   484   NtClose  (64, ... ) == 0x0
 00386   968   NtTestAlert  (... ) == 0x0
 00387   968   NtContinue  (10812720, 1, ...
 00388   968   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00389   968   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00390   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00374   964   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00391   964   NtTerminateThread  (0, 0, ...
 00392   964   NtFreeVirtualMemory  (-1, (0xb50000), 0, 32768, ... (0xb50000), 1048576, ) == 0x0
 00393   884   NtFreeVirtualMemory  (-1, (0x430000), 0, 32768, ... (0x430000), 1048576, ) == 0x0
 00389   968   NtSetInformationThread  ... ) == 0x0
 00394   968   NtSetEvent  (28, ...
 00390   484   NtWaitForSingleObject  ... ) == 0x0
 00395   484   NtClose  (28, ... ) == 0x0
 00396   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00397   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00398   484   NtAllocateVirtualMemory  (-1, 5431296, 0, 8192, 4096, 4, ... 5431296, 8192, ) == 0x0
 00399   484   NtProtectVirtualMemory  (-1, (0x52e000), 4096, 260, ... (0x52e000), 4096, 4, ) == 0x0
 00400   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 40, {476, 972}, ) == 0x0
 00401   484   NtQueryInformationThread  (40, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=972,}, 0x0, ) == 0x0
 00402   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1581, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\0\0\0\334\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 476, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\0\0\0\334\1\0\0\314\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1584, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\0\0\0\334\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 476, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\0\0\0\334\1\0\0\314\3\0\0" )  ) == 0x0
 00403   484   NtResumeThread  (40, ... 1, ) == 0x0
 00404   484   NtClose  (40, ... ) == 0x0
 00405   972   NtTestAlert  (... ) == 0x0
 00406   972   NtContinue  (5438768, 1, ...
 00407   972   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00408   972   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00409   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00394   968   NtSetEvent  ... 0x0, ) == 0x0
 00410   968   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00411   968   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... }, ...
 00408   972   NtSetInformationThread  ... ) == 0x0
 00412   972   NtSetEvent  (28, ...
 00409   484   NtWaitForSingleObject  ... ) == 0x0
 00413   484   NtClose  (28, ... ) == 0x0
 00414   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00415   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10813440, 1048576, ) == 0x0
 00416   484   NtAllocateVirtualMemory  (-1, 11853824, 0, 8192, 4096, 4, ... 11853824, 8192, ) == 0x0
 00417   484   NtProtectVirtualMemory  (-1, (0xb4e000), 4096, 260, ... (0xb4e000), 4096, 4, ) == 0x0
 00418   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 976}, ) == 0x0
 00419   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=976,}, 0x0, ) == 0x0
 00420   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1584, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\320\3\0\0" ... {28, 56, reply, 0, 476, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\320\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1585, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\320\3\0\0" ... {28, 56, reply, 0, 476, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\320\3\0\0" )  ) == 0x0
 00421   484   NtResumeThread  (64, ... 1, ) == 0x0
 00422   484   NtClose  (64, ... ) == 0x0
 00423   976   NtTestAlert  (... ) == 0x0
 00424   976   NtContinue  (11861296, 1, ...
 00425   976   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00426   976   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00427   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00412   972   NtSetEvent  ... 0x0, ) == 0x0
 00428   972   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00429   972   NtTerminateThread  (0, 0, ...
 00430   972   NtFreeVirtualMemory  (-1, (0x430000), 0, 32768, ... (0x430000), 1048576, ) == 0x0
 00411   968   NtOpenKey  ... -2147482020, ) == 0x0
 00431   968   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00432   968   NtClose  (-2147482020, ... ) == 0x0
 00433   968   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... }, ...
 00426   976   NtSetInformationThread  ... ) == 0x0
 00434   976   NtSetEvent  (28, ...
 00427   484   NtWaitForSingleObject  ... ) == 0x0
 00435   484   NtClose  (28, ... ) == 0x0
 00436   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00437   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00438   484   NtAllocateVirtualMemory  (-1, 5431296, 0, 8192, 4096, 4, ... 5431296, 8192, ) == 0x0
 00439   484   NtProtectVirtualMemory  (-1, (0x52e000), 4096, 260, ... (0x52e000), 4096, 4, ) == 0x0
 00440   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 980}, ) == 0x0
 00441   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=980,}, 0x0, ) == 0x0
 00442   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1585, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\324\3\0\0" ... {28, 56, reply, 0, 476, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\324\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1587, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\324\3\0\0" ... {28, 56, reply, 0, 476, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\324\3\0\0" )  ) == 0x0
 00443   484   NtResumeThread  (64, ... 1, ) == 0x0
 00444   484   NtClose  (64, ... ) == 0x0
 00445   980   NtTestAlert  (... ) == 0x0
 00446   980   NtContinue  (5438768, 1, ...
 00447   980   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00448   980   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00449   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00434   976   NtSetEvent  ... 0x0, ) == 0x0
 00450   976   NtAllocateVirtualMemory  (-1, 11849728, 0, 4096, 4096, 260, ... 11849728, 4096, ) == 0x0
 00451   976   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 11860900}, ... ) == 0x0
 00452   976   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00453   976   NtTerminateThread  (0, 0, ...
 00454   976   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 1048576, ) == 0x0
 00433   968   NtOpenKey  ... -2147482020, ) == 0x0
 00455   968   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00456   968   NtClose  (-2147482020, ... ) == 0x0
 00457   968   NtQueryDefaultLocale  (0, -136574452, ...
 00448   980   NtSetInformationThread  ... ) == 0x0
 00458   980   NtSetEvent  (28, ...
 00449   484   NtWaitForSingleObject  ... ) == 0x0
 00459   484   NtClose  (28, ... ) == 0x0
 00460   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00461   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10813440, 1048576, ) == 0x0
 00462   484   NtAllocateVirtualMemory  (-1, 11853824, 0, 8192, 4096, 4, ... 11853824, 8192, ) == 0x0
 00463   484   NtProtectVirtualMemory  (-1, (0xb4e000), 4096, 260, ... (0xb4e000), 4096, 4, ) == 0x0
 00464   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 984}, ) == 0x0
 00465   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=984,}, 0x0, ) == 0x0
 00466   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1587, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\330\3\0\0" ... {28, 56, reply, 0, 476, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\330\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1589, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\330\3\0\0" ... {28, 56, reply, 0, 476, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\330\3\0\0" )  ) == 0x0
 00467   484   NtResumeThread  (64, ... 1, ) == 0x0
 00468   484   NtClose  (64, ... ) == 0x0
 00469   984   NtTestAlert  (... ) == 0x0
 00470   984   NtContinue  (11861296, 1, ...
 00471   984   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00472   984   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00473   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00458   980   NtSetEvent  ... 0x0, ) == 0x0
 00474   980   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00475   980   NtTerminateThread  (0, 0, ...
 00476   980   NtFreeVirtualMemory  (-1, (0x430000), 0, 32768, ... (0x430000), 1048576, ) == 0x0
 00457   968   NtQueryDefaultLocale  ... ) == 0x0
 00477   968   NtUserCallNoParam  (24, ... ) == 0x0
 00478   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00479   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 673, 128, 0, ...
 00472   984   NtSetInformationThread  ... ) == 0x0
 00480   984   NtSetEvent  (28, ...
 00473   484   NtWaitForSingleObject  ... ) == 0x0
 00481   484   NtClose  (28, ... ) == 0x0
 00482   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00483   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00484   484   NtAllocateVirtualMemory  (-1, 5431296, 0, 8192, 4096, 4, ... 5431296, 8192, ) == 0x0
 00485   484   NtProtectVirtualMemory  (-1, (0x52e000), 4096, 260, ... (0x52e000), 4096, 4, ) == 0x0
 00486   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1244272, 1244988, 1, ... 64, {476, 1008}, ) == 0x0
 00487   484   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=1008,}, 0x0, ) == 0x0
 00488   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 484, 1589, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\360\3\0\0" ... {28, 56, reply, 0, 476, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\360\3\0\0" )  ... {28, 56, reply, 0, 476, 484, 1591, 0}  (24, {28, 56, new_msg, 0, 476, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\360\3\0\0" ... {28, 56, reply, 0, 476, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\0\0\0\334\1\0\0\360\3\0\0" )  ) == 0x0
 00489   484   NtResumeThread  (64, ... 1, ) == 0x0
 00490   484   NtClose  (64, ... ) == 0x0
 00491  1008   NtTestAlert  (... ) == 0x0
 00492  1008   NtContinue  (5438768, 1, ...
 00493  1008   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00494  1008   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00495   484   NtWaitForSingleObject  (28, 0, 0x0, ...
 00480   984   NtSetEvent  ... 0x0, ) == 0x0
 00496   984   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00497   984   NtTerminateThread  (0, 0, ...
 00498   984   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 1048576, ) == 0x0
 00479   968   NtUserRegisterClassExWOW  ... ) == 0x810bc017
 00499   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00500   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 674, 128, 0, ... ) == 0x810bc01c
 00501   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ...
 00494  1008   NtSetInformationThread  ... ) == 0x0
 00502  1008   NtSetEvent  (28, ...
 00495   484   NtWaitForSingleObject  ... ) == 0x0
 00503   484   NtClose  (28, ... ) == 0x0
 00504   484   NtAllocateVirtualMemory  (-1, 1327104, 0, 45056, 4096, 4, ... 1327104, 45056, ) == 0x0
 00502  1008   NtSetEvent  ... 0x0, ) == 0x0
 00505  1008   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00506  1008   NtTerminateThread  (0, 0, ...
 00507  1008   NtFreeVirtualMemory  (-1, (0x430000), 0, 32768, ... (0x430000), 1048576, ) == 0x0
 00501   968   NtUserFindExistingCursorIcon  ... ) == 0x10011
 00508   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 675, 128, 0, ... ) == 0x810bc01e
 00509   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00510   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 676, 128, 0, ... ) == 0x810b8002
 00511   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10013
 00512   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 677, 128, 0, ... ) == 0x810bc018
 00513   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00514   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 678, 128, 0, ... ) == 0x810bc01a
 00515   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00516   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 679, 128, 0, ... ) == 0x810bc01d
 00517   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00518   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 681, 128, 0, ... ) == 0x810bc026
 00519   968   NtUserFindExistingCursorIcon  (10812152, 10812168, 10812736, ... ) == 0x10011
 00520   968   NtUserRegisterClassExWOW  (10812672, 10812752, 10812736, 10812768, 680, 128, 0, ... ) == 0x810bc019
 00521   968   NtUserRegisterClassExWOW  (10812624, 10812704, 10812688, 10812720, 0, 128, 0, ... ) == 0x810bc020
 00522   968   NtUserRegisterClassExWOW  (10812624, 10812700, 10812716, 10812688, 0, 130, 0, ... ) == 0x810bc022
 00523   968   NtUserRegisterClassExWOW  (10812624, 10812704, 10812688, 10812720, 0, 128, 0, ... ) == 0x810bc023
 00524   968   NtUserRegisterClassExWOW  (10812624, 10812700, 10812716, 10812688, 0, 130, 0, ... ) == 0x810bc024
 00525   968   NtUserRegisterClassExWOW  (10812624, 10812704, 10812688, 10812720, 0, 128, 0, ... ) == 0x810bc025
 00526   968   NtCallbackReturn  (0, 0, 0, ...
 00527   968   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00528   968   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00529   968   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00530   968   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00531   968   NtAllocateVirtualMemory  (-1, 5431296, 0, 8192, 4096, 4, ... 5431296, 8192, ) == 0x0
 00532   968   NtProtectVirtualMemory  (-1, (0x52e000), 4096, 260, ... (0x52e000), 4096, 4, ) == 0x0
 00533   968   NtCreateThread  (0x1f03ff, 0x0, -1, 10812468, 10813184, 1, ... 64, {476, 1016}, ) == 0x0
 00534   968   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=1016,}, 0x0, ) == 0x0
 00535   968   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\370\3\0\0" ... {28, 56, reply, 0, 476, 968, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\370\3\0\0" )  ... {28, 56, reply, 0, 476, 968, 1594, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\370\3\0\0" ... {28, 56, reply, 0, 476, 968, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\370\3\0\0" )  ) == 0x0
 00536   968   NtResumeThread  (64, ...
 00537  1016   NtTestAlert  (... ) == 0x0
 00538  1016   NtContinue  (5438768, 1, ...
 00539  1016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00540  1016   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00541  1016   NtSetEvent  (28, ... 0x0, ) == 0x0
 00542  1016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 68, ) == 0x0
 00543  1016   NtCallbackReturn  (0, 0, 0, ...
 00536   968   NtResumeThread  ... 1, ) == 0x0
 00544   968   NtClose  (64, ... ) == 0x0
 00545   968   NtWaitForSingleObject  (28, 0, 0x0, ... ) == 0x0
 00546   968   NtClose  (28, ... ) == 0x0
 00547  1016   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100ea, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x100a4, 0x10084, 0x10078, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x10090, 0x10080, 0x10026, 0x100e6, 0x100dc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100c0, 0x100bc, 0x100ba, 0x100ac, 0x100d8, 0x100ce, 0x100cc, 0x100b8, 0x100a6, 0x10070, 0x50050, 0x40054, 0x5004e, 0x10082, 0x1007a, 0x1, ), 40, ) == 0x0
 00548  1016   NtUserQueryWindow  (196684, 0, ... ) == 0x778
 00549  1016   NtUserQueryWindow  (196684, 1, ... ) == 0x7a0
 00550  1016   NtUserQueryWindow  (65770, 0, ... ) == 0x778
 00551  1016   NtUserQueryWindow  (65770, 1, ... ) == 0x7a0
 00552  1016   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00553   968   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00554   968   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10813440, 1048576, ) == 0x0
 00555   968   NtAllocateVirtualMemory  (-1, 11853824, 0, 8192, 4096, 4, ... 11853824, 8192, ) == 0x0
 00556   968   NtProtectVirtualMemory  (-1, (0xb4e000), 4096, 260, ... (0xb4e000), 4096, 4, ) == 0x0
 00557   968   NtCreateThread  (0x1f03ff, 0x0, -1, 10812468, 10813184, 1, ... 64, {476, 1032}, ) == 0x0
 00558   968   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=1032,}, 0x0, ) == 0x0
 00559  1016   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00560  1016   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00561  1016   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00562  1016   NtUserQueryWindow  (65714, 0, ... ) == 0x7e8
 00563  1016   NtUserQueryWindow  (65714, 1, ... ) == 0x7ec
 00564  1016   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00565   968   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 968, 1594, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\10\4\0\0" ... {28, 56, reply, 0, 476, 968, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\10\4\0\0" )  ... {28, 56, reply, 0, 476, 968, 1595, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\10\4\0\0" ... {28, 56, reply, 0, 476, 968, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\10\4\0\0" )  ) == 0x0
 00566   968   NtResumeThread  (64, ...
 00567  1032   NtTestAlert  (... ) == 0x0
 00568  1032   NtContinue  (11861296, 1, ...
 00569  1032   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00570  1032   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 00566   968   NtResumeThread  ... 1, ) == 0x0
 00571   968   NtClose  (64, ... ) == 0x0
 00572   968   NtWaitForSingleObject  (28, 0, 0x0, ...
 00573  1016   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00574  1016   NtUserQueryWindow  (65700, 0, ... ) == 0x778
 00575  1016   NtUserQueryWindow  (65700, 1, ... ) == 0x7a0
 00570  1032   NtSetInformationThread  ... ) == 0x0
 00576  1032   NtSetEvent  (28, ... 0x0, ) == 0x0
 00577  1032   NtRaiseException  (11861112, 11860372, 1, ...
 00578  1032   NtContinue  (11859168, 0, ...
 00579  1032   NtWaitForSingleObject  (60, 0, 0x0, ...
 00572   968   NtWaitForSingleObject  ... ) == 0x0
 00580  1016   NtUserQueryWindow  (65668, 0, ...
 00581   968   NtClose  (28, ...
 00580  1016   NtUserQueryWindow  ... ) == 0x778
 00581   968   NtClose  ... ) == 0x0
 00582  1016   NtUserQueryWindow  (65668, 1, ...
 00579  1032   NtWaitForSingleObject  ... ) == 0x0
 00582  1016   NtUserQueryWindow  ... ) == 0x7a0
 00583  1032   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... }, ...
 00584  1016   NtUserQueryWindow  (65656, 0, ...
 00583  1032   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584  1016   NtUserQueryWindow  ... ) == 0x778
 00585  1032   NtReleaseMutant  (60, ...
 00586   968   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00585  1032   NtReleaseMutant  ... 0x0, ) == 0x0
 00586   968   NtCreateEvent  ... 28, ) == 0x0
 00587  1016   NtUserQueryWindow  (65656, 1, ...
 00588   968   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00587  1016   NtUserQueryWindow  ... ) == 0x7a0
 00588   968   NtAllocateVirtualMemory  ... 11862016, 1048576, ) == 0x0
 00589  1016   NtUserQueryWindow  (65640, 0, ...
 00590   968   NtAllocateVirtualMemory  (-1, 12902400, 0, 8192, 4096, 4, ...
 00589  1016   NtUserQueryWindow  ... ) == 0x778
 00590   968   NtAllocateVirtualMemory  ... 12902400, 8192, ) == 0x0
 00591  1016   NtUserQueryWindow  (65640, 1, ...
 00592  1032   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00591  1016   NtUserQueryWindow  ... ) == 0x7a0
 00592  1032   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00593   968   NtProtectVirtualMemory  (-1, (0xc4e000), 4096, 260, ...
 00594  1032   NtTerminateThread  (0, 0, ...
 00593   968   NtProtectVirtualMemory  ... (0xc4e000), 4096, 4, ) == 0x0
 00595  1032   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 1048576, ) == 0x0
 00596   968   NtCreateThread  (0x1f03ff, 0x0, -1, 10812468, 10813184, 1, ... 64, {476, 1036}, ) == 0x0
 00597   968   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=1036,}, 0x0, ) == 0x0
 00598   968   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 968, 1595, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 476, 968, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 476, 968, 1597, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 476, 968, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\14\4\0\0" )  ) == 0x0
 00599   968   NtResumeThread  (64, ...
 00600  1036   NtTestAlert  (... ) == 0x0
 00601  1036   NtContinue  (12909872, 1, ...
 00602  1036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00603  1036   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00604  1036   NtSetEvent  (28, ... 0x0, ) == 0x0
 00605  1036   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00606  1036   NtTerminateThread  (0, 0, ...
 00599   968   NtResumeThread  ... 1, ) == 0x0
 00607  1016   NtUserQueryWindow  (196682, 0, ...
 00608   968   NtClose  (64, ...
 00607  1016   NtUserQueryWindow  ... ) == 0x778
 00609  1036   NtFreeVirtualMemory  (-1, (0xb50000), 0, 32768, ... (0xb50000), 1048576, ) == 0x0
 00610  1016   NtUserQueryWindow  (196682, 1, ... ) == 0x7a0
 00611  1016   NtUserQueryWindow  (65638, 0, ... ) == 0x778
 00612  1016   NtUserQueryWindow  (65638, 1, ... ) == 0x7a0
 00613  1016   NtUserQueryWindow  (196668, 0, ... ) == 0x778
 00614  1016   NtUserQueryWindow  (196668, 1, ... ) == 0x7a0
 00608   968   NtClose  ... ) == 0x0
 00615   968   NtWaitForSingleObject  (28, 0, 0x0, ... ) == 0x0
 00616   968   NtClose  (28, ... ) == 0x0
 00617   968   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 28, ) == 0x0
 00618   968   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10813440, 1048576, ) == 0x0
 00619   968   NtAllocateVirtualMemory  (-1, 11853824, 0, 8192, 4096, 4, ... 11853824, 8192, ) == 0x0
 00620  1016   NtUserQueryWindow  (65692, 0, ... ) == 0x778
 00621  1016   NtUserQueryWindow  (65692, 1, ... ) == 0x7a0
 00622  1016   NtUserQueryWindow  (65680, 0, ... ) == 0x778
 00623  1016   NtUserQueryWindow  (65680, 1, ... ) == 0x7a0
 00624  1016   NtUserQueryWindow  (65664, 0, ... ) == 0x778
 00625  1016   NtUserQueryWindow  (65664, 1, ... ) == 0x77c
 00626   968   NtProtectVirtualMemory  (-1, (0xb4e000), 4096, 260, ... (0xb4e000), 4096, 4, ) == 0x0
 00627   968   NtCreateThread  (0x1f03ff, 0x0, -1, 10812468, 10813184, 1, ... 64, {476, 1020}, ) == 0x0
 00628   968   NtQueryInformationThread  (64, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=476,Tid=1020,}, 0x0, ) == 0x0
 00629   968   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 476, 968, 1597, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 476, 968, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 476, 968, 1599, 0}  (24, {28, 56, new_msg, 0, 476, 968, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 476, 968, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0X\30\365w@\0\0\0\334\1\0\0\374\3\0\0" )  ) == 0x0
 00630   968   NtResumeThread  (64, ...
 00631  1020   NtTestAlert  (... ) == 0x0
 00632  1020   NtContinue  (11861296, 1, ...
 00633  1020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00634  1020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00635  1020   NtSetEvent  (28, ... 0x0, ) == 0x0
 00636  1020   NtDuplicateObject  (-1, 3104, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00637  1020   NtClose  (0, ...
 00630   968   NtResumeThread  ... 1, ) == 0x0
 00638  1016   NtUserQueryWindow  (65574, 0, ...
 00639   968   NtClose  (64, ...
 00638  1016   NtUserQueryWindow  ... ) == 0x268
 00637  1020   NtClose  ... ) == STATUS_INVALID_HANDLE
 00640  1016   NtUserQueryWindow  (65574, 1, ...
 00641  1020   NtClose  (0, ...
 00640  1016   NtUserQueryWindow  ... ) == 0x2c4
 00641  1020   NtClose  ... ) == STATUS_INVALID_HANDLE
 00642  1016   NtUserQueryWindow  (65766, 0, ...
 00643  1020   NtQueryInformationThread  (-2, AmILastThread, 4, ...
 00642  1016   NtUserQueryWindow  ... ) == 0x170
 00643  1020   NtQueryInformationThread  ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00639   968   NtClose  ... ) == 0x0
 00644  1020   NtTerminateThread  (0, 0, ...
 00645   968   NtWaitForSingleObject  (28, 0, 0x0, ...
 00646  1016   NtUserQueryWindow  (65766, 1, ...
 00645   968   NtWaitForSingleObject  ... ) == 0x0
 00646  1016   NtUserQueryWindow  ... ) == 0x184
 00647   968   NtClose  (28, ...
 00648  1016   NtUserQueryWindow  (65756, 0, ...
 00647   968   NtClose  ... ) == 0x0
 00648  1016   NtUserQueryWindow  ... ) == 0x170
 00649  1020   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 1048576, ) == 0x0
 00650  1016   NtUserQueryWindow  (65756, 1, ... ) == 0x184
 00651  1016   NtUserQueryWindow  (65738, 0, ... ) == 0x7f0
 00652  1016   NtUserQueryWindow  (65738, 1, ... ) == 0x7f4
 00653  1016   NtUserQueryWindow  (65736, 0, ... ) == 0x7f0
 00654   968   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00655   968   NtTerminateThread  (0, 0, ...
 00656   968   NtFreeVirtualMemory  (-1, (0x950000), 0, 32768, ... (0x950000), 1048576, ) == 0x0
 00657  1016   NtUserQueryWindow  (65736, 1, ... ) == 0x7f4
 00658  1016   NtUserQueryWindow  (65734, 0, ... ) == 0x7f0
 00659  1016   NtUserQueryWindow  (65734, 1, ... ) == 0x7f4
 00660  1016   NtUserQueryWindow  (65732, 0, ... ) == 0x7f0
 00661  1016   NtUserQueryWindow  (65732, 1, ... ) == 0x7f4
 00662  1016   NtUserQueryWindow  (65730, 0, ... ) == 0x7f0
 00663  1016   NtUserQueryWindow  (65730, 1, ... ) == 0x7f4
 00664  1016   NtUserQueryWindow  (65728, 0, ... ) == 0x7f0
 00665  1016   NtUserQueryWindow  (65728, 1, ... ) == 0x7f4
 00666  1016   NtUserQueryWindow  (65724, 0, ... ) == 0x7f0
 00667  1016   NtUserQueryWindow  (65724, 1, ... ) == 0x7f4
 00668  1016   NtUserQueryWindow  (65722, 0, ... ) == 0x7f0
 00669  1016   NtUserQueryWindow  (65722, 1, ... ) == 0x7f4
 00670  1016   NtUserQueryWindow  (65708, 0, ... ) == 0x7fc
 00671  1016   NtUserQueryWindow  (65708, 1, ... ) == 0x70
 00672  1016   NtUserQueryWindow  (65752, 0, ... ) == 0x778
 00673  1016   NtUserQueryWindow  (65752, 1, ... ) == 0x190
 00674  1016   NtUserQueryWindow  (65742, 0, ... ) == 0x778
 00675  1016   NtUserQueryWindow  (65742, 1, ... ) == 0x190
 00676  1016   NtUserQueryWindow  (65740, 0, ... ) == 0x778
 00677  1016   NtUserQueryWindow  (65740, 1, ... ) == 0x7a0
 00678  1016   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00679  1016   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00680  1016   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00681  1016   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00682  1016   NtUserQueryWindow  (65648, 0, ... ) == 0x778
 00683  1016   NtUserQueryWindow  (65648, 1, ... ) == 0x7c8
 00684  1016   NtUserQueryWindow  (327760, 0, ... ) == 0x778
 00685  1016   NtUserQueryWindow  (327760, 1, ... ) == 0x77c
 00686  1016   NtUserQueryWindow  (262228, 0, ... ) == 0x778
 00687  1016   NtUserQueryWindow  (262228, 1, ... ) == 0x77c
 00688  1016   NtUserQueryWindow  (327758, 0, ... ) == 0x778
 00689  1016   NtUserQueryWindow  (327758, 1, ... ) == 0x77c
 00690  1016   NtUserQueryWindow  (65666, 0, ... ) == 0x778
 00691  1016   NtUserQueryWindow  (65666, 1, ... ) == 0x77c
 00692  1016   NtUserQueryWindow  (65658, 0, ... ) == 0x778
 00693  1016   NtUserQueryWindow  (65658, 1, ... ) == 0x77c
 00694  1016   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00695  1016   NtTerminateThread  (0, 0, ...
 00696  1016   NtFreeVirtualMemory  (-1, (0x430000), 0, 32768, ... (0x430000), 1048576, ) == 0x0
 00697   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00698   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00699   484   NtClose  (68, ... ) == 0x0
 00700   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00701   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4390912, 65536, ) == 0x0
 00702   484   NtAllocateVirtualMemory  (-1, 4390912, 0, 4096, 4096, 4, ... 4390912, 4096, ) == 0x0
 00703   484   NtAllocateVirtualMemory  (-1, 4395008, 0, 8192, 4096, 4, ... 4395008, 8192, ) == 0x0
 00704   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 68, ) }, ... 68, ) == 0x0
 00705   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 12288, ) == 0x0
 00706   484   NtClose  (68, ... ) == 0x0
 00707   484   NtAllocateVirtualMemory  (-1, 4403200, 0, 4096, 4096, 4, ... 4403200, 4096, ) == 0x0
 00708   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00710   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00712   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00713   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 40, ) == 0x0
 00714   484   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00715   484   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00716   484   NtQueryInformationToken  (28, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00717   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00719   484   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00720   484   NtClose  (64, ... ) == 0x0
 00721   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00722   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00723   484   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00724   484   NtClose  (64, ... ) == 0x0
 00725   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00726   484   NtClose  (28, ... ) == 0x0
 00727   484   NtClose  (68, ... ) == 0x0
 00728   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00729   484   NtClose  (40, ... ) == 0x0
 00730   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00731   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00732   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... ) == 0x0
 00734   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00735   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 68, ) == 0x0
 00736   484   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00737   484   NtClose  (40, ... ) == 0x0
 00738   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00739   484   NtClose  (68, ... ) == 0x0
 00740   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00741   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00742   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00743   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00744   484   NtClose  (68, ... ) == 0x0
 00745   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00746   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00747   484   NtClose  (68, ... ) == 0x0
 00748   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00749   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 68, ) }, ... 68, ) == 0x0
 00750   484   NtQueryValueKey  (68,  (68, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00751   484   NtClose  (68, ... ) == 0x0
 00752   484   NtQueryDefaultUILanguage  (1241420, ...
 00753   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00754   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00755   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00756   484   NtClose  (-2147482020, ... ) == 0x0
 00757   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00758   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00760   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   484   NtClose  (-2147482032, ... ) == 0x0
 00762   484   NtClose  (-2147482020, ... ) == 0x0
 00752   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00763   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   484   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00765   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00766   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 40, ) == 0x0
 00767   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 8323072, ) == 0x0
 00768   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00769   484   NtQueryDefaultUILanguage  (2013024600, ...
 00770   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00771   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00772   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00773   484   NtClose  (-2147482020, ... ) == 0x0
 00774   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00775   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00777   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   484   NtClose  (-2147482032, ... ) == 0x0
 00779   484   NtClose  (-2147482020, ... ) == 0x0
 00769   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00780   484   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00781   484   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00782   484   NtQueryDefaultLocale  (1, 1239456, ... ) == 0x0
 00783   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240312, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240312, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\370\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1603, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\370\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 476, 484, 1603, 0}  (24, {128, 156, new_msg, 0, 1240312, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\370\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1603, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\370\363\22\0\0\0\0\0" )  ) == 0x0
 00785   484   NtClose  (68, ... ) == 0x0
 00786   484   NtClose  (40, ... ) == 0x0
 00787   484   NtUnmapViewOfSection  (-1, 0x950000, ... ) == 0x0
 00788   484   NtUnmapViewOfSection  (-1, 0x12f3f8, ... ) == STATUS_NOT_MAPPED_VIEW
 00789   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00790   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00792   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00793   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238540, ... ) }, 1238540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00794   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00795   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00796   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00797   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239132, ... ) }, 1239132, ... ) == 0x0
 00798   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 40, {status=0x0, info=1}, ) }, 3, 33, ... 40, {status=0x0, info=1}, ) == 0x0
 00799   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00800   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00801   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 28, ) == 0x0
 00802   484   NtClose  (68, ... ) == 0x0
 00803   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x950000), 0x0, 921600, ) == 0x0
 00804   484   NtClose  (28, ... ) == 0x0
 00805   484   NtUnmapViewOfSection  (-1, 0x950000, ... ) == 0x0
 00806   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00807   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 68, ) == 0x0
 00808   484   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00809   484   NtClose  (28, ... ) == 0x0
 00810   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00811   484   NtClose  (68, ... ) == 0x0
 00812   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00813   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00814   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00815   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00816   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00817   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00818   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00819   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00820   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00821   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00822   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00823   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00824   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00825   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00826   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00827   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00828   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00829   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00830   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00831   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00832   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00833   484   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240316, ... ) , 42, 1240316, ... ) == 0x0
 00834   484   NtQueryDefaultUILanguage  (1239032, ...
 00835   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00836   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00837   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00838   484   NtClose  (-2147482020, ... ) == 0x0
 00839   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00840   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00841   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00842   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   484   NtClose  (-2147482032, ... ) == 0x0
 00844   484   NtClose  (-2147482020, ... ) == 0x0
 00834   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00845   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237884, ... ) }, 1237884, ... ) == 0x0
 00847   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00848   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 28, ) == 0x0
 00849   484   NtClose  (68, ... ) == 0x0
 00850   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x460000), 0x0, 4096, ) == 0x0
 00851   484   NtClose  (28, ... ) == 0x0
 00852   484   NtUnmapViewOfSection  (-1, 0x460000, ... ) == 0x0
 00853   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237524, ... ) }, 1237524, ... ) == 0x0
 00854   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238224,  (0x80100080, {24, 0, 0x40, 0, 1238224, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) == 0x0
 00855   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 28, ... 68, ) == 0x0
 00856   484   NtClose  (28, ... ) == 0x0
 00857   484   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x460000), {0, 0}, 4096, ) == 0x0
 00858   484   NtClose  (68, ... ) == 0x0
 00859   484   NtUnmapViewOfSection  (-1, 0x460000, ... ) == 0x0
 00860   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00861   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 28, ) == 0x0
 00862   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x460000), 0x0, 4096, ) == 0x0
 00863   484   NtQueryInformationFile  (68, 1237844, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00864   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237924, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237924, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\244\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1604, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\244\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 476, 484, 1604, 0}  (24, {128, 156, new_msg, 0, 1237924, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\244\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1604, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\244\352\22\0\0\0\0\0" )  ) == 0x0
 00866   484   NtClose  (68, ... ) == 0x0
 00867   484   NtClose  (28, ... ) == 0x0
 00868   484   NtUnmapViewOfSection  (-1, 0x460000, ... ) == 0x0
 00869   484   NtUnmapViewOfSection  (-1, 0x12eaa4, ... ) == STATUS_NOT_MAPPED_VIEW
 00870   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00871   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 28, ) == 0x0
 00872   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00873   484   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   484   NtClose  (-2147482020, ... ) == 0x0
 00875   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00876   484   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877   484   NtClose  (-2147482020, ... ) == 0x0
 00878   484   NtQueryDefaultLocale  (0, -104158708, ... ) == 0x0
 00879   484   NtUserCallNoParam  (24, ... ) == 0x0
 00880   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00881   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 673, 128, 0, ... ) == 0x810cc017
 00882   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00883   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 674, 128, 0, ... ) == 0x810cc01c
 00884   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00885   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 675, 128, 0, ... ) == 0x810cc01e
 00886   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00887   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 676, 128, 0, ... ) == 0x810c8002
 00888   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10013
 00889   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 677, 128, 0, ... ) == 0x810cc018
 00890   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00891   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 678, 128, 0, ... ) == 0x810cc01a
 00892   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00893   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 679, 128, 0, ... ) == 0x810cc01d
 00894   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00895   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 681, 128, 0, ... ) == 0x810cc026
 00896   484   NtUserFindExistingCursorIcon  (1238696, 1238712, 1239280, ... ) == 0x10011
 00897   484   NtUserRegisterClassExWOW  (1239216, 1239296, 1239280, 1239312, 680, 128, 0, ... ) == 0x810cc019
 00898   484   NtUserRegisterClassExWOW  (1239168, 1239248, 1239232, 1239264, 0, 128, 0, ... ) == 0x810cc020
 00899   484   NtUserRegisterClassExWOW  (1239168, 1239244, 1239260, 1239232, 0, 130, 0, ... ) == 0x810cc022
 00900   484   NtUserRegisterClassExWOW  (1239168, 1239248, 1239232, 1239264, 0, 128, 0, ... ) == 0x810cc023
 00901   484   NtUserRegisterClassExWOW  (1239168, 1239244, 1239260, 1239232, 0, 130, 0, ... ) == 0x810cc024
 00902   484   NtUserRegisterClassExWOW  (1239168, 1239248, 1239232, 1239264, 0, 128, 0, ... ) == 0x810cc025
 00903   484   NtCallbackReturn  (0, 0, 0, ...
 00904   484   NtUserGetThreadState  (18, ... ) == 0x1
 00905   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00906   484   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00907   484   NtUserGetDC  (0, ... ) == 0x1010054
 00908   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00909   484   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00910   484   NtUserSystemParametersInfo  (66, 12, 1240336, 0, ... ) == 0x1
 00911   484   NtOpenProcessToken  (-1, 0x8, ... 68, ) == 0x0
 00912   484   NtAccessCheck  (1330336, 68, 0x1, 1239740, 1239684, 56, 1239768, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00913   484   NtClose  (68, ... ) == 0x0
 00914   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00915   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00916   484   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00917   484   NtClose  (68, ... ) == 0x0
 00918   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00919   484   NtSetInformationObject  (68, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00920   484   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00921   484   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   484   NtClose  (64, ... ) == 0x0
 00923   484   NtUserSystemParametersInfo  (41, 500, 1239836, 0, ... ) == 0x1
 00924   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00925   484   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 72, ) }, ... 72, ) == 0x0
 00927   484   NtQueryValueKey  (72,  (72, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00928   484   NtClose  (72, ... ) == 0x0
 00929   484   NtClose  (64, ... ) == 0x0
 00930   484   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00931   484   NtUserSystemParametersInfo  (4130, 0, 1240360, 0, ... ) == 0x1
 00932   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00933   484   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00934   484   NtClose  (64, ... ) == 0x0
 00935   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00936   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc03b
 00937   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc03d
 00938   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00939   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc03f
 00940   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00941   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc041
 00942   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00943   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc043
 00944   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc045
 00945   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00946   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc047
 00947   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00948   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc049
 00949   484   NtUserGetClassInfo  (1905590272, 1240256, 1240208, 1240284, 0, ... ) == 0xc049
 00950   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00951   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc04b
 00952   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00953   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc04d
 00954   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00955   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc04f
 00956   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc051
 00957   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00958   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc053
 00959   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00960   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc055
 00961   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc057
 00962   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00963   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc059
 00964   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10013
 00965   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc05b
 00966   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00967   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc05d
 00968   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00969   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc05f
 00970   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00971   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc017
 00972   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00973   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc019
 00974   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10013
 00975   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc018
 00976   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00977   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc01a
 00978   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00979   484   NtUserRegisterClassExWOW  (1240092, 1240172, 1240156, 1240188, 0, 384, 0, ... ) == 0x810cc01c
 00980   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00981   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc01e
 00982   484   NtUserFindExistingCursorIcon  (1239640, 1239656, 1240224, ... ) == 0x10011
 00983   484   NtUserRegisterClassExWOW  (1240152, 1240232, 1240216, 1240248, 0, 384, 0, ... ) == 0x810cc01b
 00984   484   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00985   484   NtUserRegisterClassExWOW  (1240148, 1240228, 1240212, 1240244, 0, 384, 0, ... ) == 0x810cc068
 00986   484   NtUserFindExistingCursorIcon  (1239644, 1239660, 1240228, ... ) == 0x10011
 00987   484   NtUserRegisterClassExWOW  (1240096, 1240176, 1240160, 1240192, 0, 384, 0, ... ) == 0x810cc06a
 00988   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00989   484   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00990   484   NtClose  (64, ... ) == 0x0
 00991   484   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {476, 0}, ... 64, ) == 0x0
 00992   484   NtQueryInformationProcess  (64, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00993   484   NtClose  (64, ... ) == 0x0
 00994   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00995   484   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00996   484   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00997   484   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00998   484   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999   484   NtClose  (64, ... ) == 0x0
 01000   484   NtUserSystemParametersInfo  (41, 500, 1240996, 0, ... ) == 0x1
 01001   484   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 01002   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01003   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01004   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ...
 01005   484   NtAllocateVirtualMemory  (-1, 6668288, 0, 4096, 4096, 32, ... 6668288, 4096, ) == 0x0
 01004   484   NtUserRegisterClassExWOW  ... ) == 0x810cc03b
 01006   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01007   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc03d
 01008   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01009   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01010   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc03f
 01011   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01012   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01013   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc041
 01014   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01015   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01016   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc043
 01017   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01018   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc045
 01019   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01020   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01021   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc047
 01022   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01023   484   NtUserFindExistingCursorIcon  (1240784, 1240800, 1241368, ... ) == 0x10011
 01024   484   NtUserRegisterClassExWOW  (1241236, 1241316, 1241300, 1241332, 0, 384, 0, ... ) == 0x810cc049
 01025   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01026   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01027   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc04b
 01028   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01029   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01030   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc04d
 01031   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01032   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01033   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc04f
 01034   484   NtUserGetClassInfo  (1999896576, 1241408, 1241360, 1241436, 0, ... ) == 0x0
 01035   484   NtUserRegisterClassExWOW  (1241244, 1241324, 1241308, 1241340, 0, 384, 0, ... ) == 0x810cc051
 01036   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01037   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01038   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc053
 01039   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01040   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01041   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc055
 01042   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc057
 01043   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01044   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01045   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc059
 01046   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01047   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10013
 01048   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc05b
 01049   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01050   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01051   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc05d
 01052   484   NtUserGetClassInfo  (1999896576, 1241404, 1241356, 1241432, 0, ... ) == 0x0
 01053   484   NtUserFindExistingCursorIcon  (1240788, 1240804, 1241372, ... ) == 0x10011
 01054   484   NtUserRegisterClassExWOW  (1241240, 1241320, 1241304, 1241336, 0, 384, 0, ... ) == 0x810cc05f
 01055   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc03b
 01056   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc03d
 01057   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc03f
 01058   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc041
 01059   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc043
 01060   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc045
 01061   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc047
 01062   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc049
 01063   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc04b
 01064   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc04d
 01065   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc04f
 01066   484   NtUserGetClassInfo  (1999896576, 1243160, 1243112, 1243188, 0, ... ) == 0xc051
 01067   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc053
 01068   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc055
 01069   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc059
 01070   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc05b
 01071   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc05d
 01072   484   NtUserGetClassInfo  (1999896576, 1243156, 1243108, 1243184, 0, ... ) == 0xc05f
 01073   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 01074   484   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 01075   484   NtClose  (64, ... ) == 0x0
 01076   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 64, ) }, ... 64, ) == 0x0
 01077   484   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 01078   484   NtClose  (64, ... ) == 0x0
 01079   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01080   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01081   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 01082   484   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 01083   484   NtClose  (64, ... ) == 0x0
 01084   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01085   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01086   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01087   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01088   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 01089   484   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   484   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01091   484   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   484   NtClose  (64, ... ) == 0x0
 01093   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 01094   484   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   484   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   484   NtClose  (64, ... ) == 0x0
 01097   484   NtOpenEvent  (0x1f0003, {24, 56, 0x0, 0, 0,  (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   484   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 01099   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   484   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01103   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01104   484   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 01105   484   NtCreateMutant  (0x1f0001, {24, 56, 0x80, 0, 0,  (0x1f0001, {24, 56, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0
 01106   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 01110   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 01111   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 01112   484   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01113   484   NtClose  (72, ... ) == 0x0
 01114   484   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01115   484   NtClose  (76, ... ) == 0x0
 01116   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 76, ) }, ... 76, ) == 0x0
 01117   484   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01118   484   NtClose  (76, ... ) == 0x0
 01119   484   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 76, ) == 0x0
 01120   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 01121   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 80, ) }, ... 80, ) == 0x0
 01122   484   NtNotifyChangeKey  (80, 72, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01123   484   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01124   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 01125   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 01126   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01128   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 01130   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01131   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 96, ) == 0x0
 01132   484   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01133   484   NtClose  (92, ... ) == 0x0
 01134   484   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01135   484   NtClose  (96, ... ) == 0x0
 01136   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 01140   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 01141   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 92, ) == 0x0
 01142   484   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01143   484   NtClose  (96, ... ) == 0x0
 01144   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01145   484   NtClose  (92, ... ) == 0x0
 01146   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01147   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 4718592, 262144, ) == 0x0
 01148   484   NtAllocateVirtualMemory  (-1, 4718592, 0, 4096, 4096, 4, ... 4718592, 4096, ) == 0x0
 01149   484   NtAllocateVirtualMemory  (-1, 4722688, 0, 8192, 4096, 4, ... 4722688, 8192, ) == 0x0
 01150   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01151   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01152   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01153   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01154   484   NtClose  (92, ... ) == 0x0
 01155   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01156   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01157   484   NtClose  (92, ... ) == 0x0
 01158   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01159   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01160   484   NtClose  (92, ... ) == 0x0
 01161   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   484   NtCreateEvent  (0x1f0003, {24, 56, 0x80, 1238328, 0,  (0x1f0003, {24, 56, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01163   484   NtOpenEvent  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 01164   484   NtCreateKey  (0xf003f, {24, 68, 0x40, 0, 0,  (0xf003f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 01165   484   NtQueryDefaultUILanguage  (1236564, ...
 01166   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01167   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01168   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01169   484   NtClose  (-2147482020, ... ) == 0x0
 01170   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01171   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01173   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   484   NtClose  (-2147482032, ... ) == 0x0
 01175   484   NtClose  (-2147482020, ... ) == 0x0
 01165   484   NtQueryDefaultUILanguage  ... ) == 0x0
 01176   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 100, {status=0x0, info=1}, ) }, 1, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01178   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 104, ) == 0x0
 01179   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 593920, ) == 0x0
 01180   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   484   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01182   484   NtQueryDefaultLocale  (1, 1234600, ... ) == 0x0
 01183   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1d\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1614, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1d\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 476, 484, 1614, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1d\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1614, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1d\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ) == 0x0
 01185   484   NtClose  (100, ... ) == 0x0
 01186   484   NtClose  (104, ... ) == 0x0
 01187   484   NtUnmapViewOfSection  (-1, 0x950000, ... ) == 0x0
 01188   484   NtUnmapViewOfSection  (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW
 01189   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01190   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01192   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01193   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01195   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01196   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01197   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 01198   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 104, {status=0x0, info=1}, ) }, 3, 33, ... 104, {status=0x0, info=1}, ) == 0x0
 01199   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01200   484   NtCreateKey  (0x2001f, {24, 68, 0x40, 0, 0,  (0x2001f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 01201   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01202   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 01205   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01206   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 112, ) == 0x0
 01207   484   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01208   484   NtClose  (108, ... ) == 0x0
 01209   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01210   484   NtClose  (112, ... ) == 0x0
 01211   484   NtAllocateVirtualMemory  (-1, 4407296, 0, 8192, 4096, 4, ... 4407296, 8192, ) == 0x0
 01212   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01213   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 01214   484   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01215   484   NtClose  (112, ... ) == 0x0
 01216   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 112, ) }, ... 112, ) == 0x0
 01217   484   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01218   484   NtClose  (112, ... ) == 0x0
 01219   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 112, ) }, ... 112, ) == 0x0
 01220   484   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01221   484   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01222   484   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01223   484   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01224   484   NtClose  (112, ... ) == 0x0
 01225   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 112, ) }, ... 112, ) == 0x0
 01226   484   NtQueryValueKey  (112,  (112, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01227   484   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01228   484   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01229   484   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01230   484   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01231   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0
 01232   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01233   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 116, ) == 0x0
 01234   484   NtClose  (108, ... ) == 0x0
 01235   484   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4c0000), 0x0, 135168, ) == 0x0
 01236   484   NtClose  (116, ... ) == 0x0
 01237   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01238   484   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01239   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 01240   484   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0
 01241   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239188,  (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01242   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 116, ... 108, ) == 0x0
 01243   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x4c0000), {0, 0}, 135168, ) == 0x0
 01244   484   NtQueryDefaultLocale  (1, 1238996, ... ) == 0x0
 01245   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01246   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01247   484   NtReadFile  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01248   484   NtQueryInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01249   484   NtSetInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01250   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01251   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01252   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01253   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01254   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01255   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01256   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01257   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01258   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01259   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01260   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01261   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01262   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01263   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01264   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01265   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01266   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01267   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01268   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01269   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01270   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01271   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01272   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01273   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01274   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01275   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01276   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01277   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01278   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01279   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01280   484   NtReadFile  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01281   484   NtQueryInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01282   484   NtSetInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01283   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01284   484   NtReadFile  (116, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (116, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01285   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01286   484   NtClose  (108, ... ) == 0x0
 01287   484   NtClose  (116, ... ) == 0x0
 01288   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0
 01289   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01290   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 108, ) == 0x0
 01291   484   NtClose  (116, ... ) == 0x0
 01292   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4c0000), 0x0, 135168, ) == 0x0
 01293   484   NtClose  (108, ... ) == 0x0
 01294   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01295   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0
 01296   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01297   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 116, ) == 0x0
 01298   484   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01299   484   NtClose  (108, ... ) == 0x0
 01300   484   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01301   484   NtClose  (116, ... ) == 0x0
 01302   484   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01303   484   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01304   484   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01305   484   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01306   484   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01307   484   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01308   484   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01309   484   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01310   484   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01311   484   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01312   484   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01313   484   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01314   484   NtAllocateVirtualMemory  (-1, 1372160, 0, 20480, 4096, 4, ... 1372160, 20480, ) == 0x0
 01315   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01316   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01317   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01318   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01319   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01320   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01321   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01322   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01323   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01324   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01325   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01326   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01327   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01328   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01329   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01330   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01331   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01332   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01333   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01334   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01335   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01336   484   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01337   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... ) == 0x0
 01338   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237720,  (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01339   484   NtQueryVolumeInformationFile  (116, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01340   484   NtQueryInformationFile  (116, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01341   484   NtQueryInformationFile  (116, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01342   484   NtClose  (116, ... ) == 0x0
 01343   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0
 01344   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237212,  (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01345   484   NtQueryVolumeInformationFile  (116, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01346   484   NtQueryInformationFile  (116, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01347   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 116, ... 108, ) == 0x0
 01348   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x4c0000), {0, 0}, 135168, ) == 0x0
 01349   484   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01350   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01351   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01352   484   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01353   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01354   484   NtQueryVirtualMemory  (-1, 0x4c0000, Basic, 28, ... {BaseAddress=0x4c0000,AllocationBase=0x4c0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01355   484   NtReadFile  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01356   484   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01357   484   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01358   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01359   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01360   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01361   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01362   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01363   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01364   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01365   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01366   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01367   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01368   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01369   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01370   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01371   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01372   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01373   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01374   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01375   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01376   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01377   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01378   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01379   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01380   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01381   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01382   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01383   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01384   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01385   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01386   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01387   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01388   484   NtReadFile  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01389   484   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01390   484   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01391   484   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01392   484   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01393   484   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01394   484   NtReadFile  (116, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (116, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01395   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01396   484   NtClose  (108, ... ) == 0x0
 01397   484   NtClose  (116, ... ) == 0x0
 01398   484   NtOpenKey  (0x20119, {24, 32, 0x40, 0, 0,  (0x20119, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 116, ) }, ... 116, ) == 0x0
 01399   484   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01400   484   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01401   484   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01402   484   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01403   484   NtClose  (116, ... ) == 0x0
 01404   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01406   484   NtOpenProcessToken  (-1, 0x8, ... 116, ) == 0x0
 01407   484   NtQueryInformationToken  (116, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01408   484   NtClose  (116, ... ) == 0x0
 01409   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 116, {status=0x0, info=0}, ) }, 7, 16, ... 116, {status=0x0, info=0}, ) == 0x0
 01410   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01411   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01412   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01413   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01414   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01415   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01416   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01417   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01418   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01419   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\272?J`\30]\361\324\367 \15\15\246\6\211\12\31\12\21\367\201\245\205\371\263\304f&\301\320\5J\367jB\220KyL"\255\331|,F\237\322\231\350u\361\317Oc]\3163\5\200\30\336\346\211\372\253|\237\312\232dy\345\38\337\11&\24\261r", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\272?J`\30]\361\324\367 \15\15\246\6\211\12\31\12\21\367\201\245\205\371\263\304f&\301\320\5J\367jB\220KyL"\255\331|,F\237\322\231\350u\361\317Oc]\3163\5\200\30\336\346\211\372\253|\237\312\232dy\345\38\337\11&\24\261r", 80, ... ) \255\331|,F\237\322\231\350u\361\317Oc]\3163\5\200\30\336\346\211\372\253|\237\312\232dy\345\38\337\11&\24\261r", 80, ... ) == 0x0
 01420   484   NtClose  (-2147482020, ... ) == 0x0
 01410   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "2\220~\331WL|\1{\16\355\12\263\36\267-#2\4\4\225\275\374\242\266\320\341\36\240\377a\336v\326\344\33\214\372\214-RFr\36/7\203 T\314\316\272\330J\322.\234\355\263"?\257\27+\302\350\263\26\3507\320\372\337\35\212\22\376\312\242/z\23+%P\33\250=\17\14\237\25k\32\267e<\277\316\326\303\260\304\201\373\373~\301I\241r~\376\233Pl\364a`UC\225\332\264\267@\273i&\363\241\323X\225\211\330\232\336~\334\330\30>7\263\231\263\253,\216Y\273\226\200\311\25\245\13@\320\12O\344\274\317\232\345VU\376l\277\254\6\241\21C\254\327\306\323\213b\362\223x\245^\252\372\233\337\274gg\367Tp\304\272\204\335\272\2057\22,\237\234v"^\247\301\333\271/\341\241\300\315|\211-0m5\247\244]\352w\263\10c8\3078\272\271V\211\327\244\34X\210Ec\244\245\360\310", ) ?\257\27+\302\350\263\26\3507\320\372\337\35\212\22\376\312\242/z\23+%P\33\250=\17\14\237\25k\32\267e<\277\316\326\303\260\304\201\373\373~\301I\241r~\376\233Pl\364a`UC\225\332\264\267@\273i&\363\241\323X\225\211\330\232\336~\334\330\30>7\263\231\263\253,\216Y\273\226\200\311\25\245\13@\320\12O\344\274\317\232\345VU\376l\277\254\6\241\21C\254\327\306\323\213b\362\223x\245^\252\372\233\337\274gg\367Tp\304\272\204\335\272\2057\22,\237\234v ... {status=0x0, info=256}, "2\220~\331WL|\1{\16\355\12\263\36\267-#2\4\4\225\275\374\242\266\320\341\36\240\377a\336v\326\344\33\214\372\214-RFr\36/7\203 T\314\316\272\330J\322.\234\355\263"?\257\27+\302\350\263\26\3507\320\372\337\35\212\22\376\312\242/z\23+%P\33\250=\17\14\237\25k\32\267e<\277\316\326\303\260\304\201\373\373~\301I\241r~\376\233Pl\364a`UC\225\332\264\267@\273i&\363\241\323X\225\211\330\232\336~\334\330\30>7\263\231\263\253,\216Y\273\226\200\311\25\245\13@\320\12O\344\274\317\232\345VU\376l\277\254\6\241\21C\254\327\306\323\213b\362\223x\245^\252\372\233\337\274gg\367Tp\304\272\204\335\272\2057\22,\237\234v"^\247\301\333\271/\341\241\300\315|\211-0m5\247\244]\352w\263\10c8\3078\272\271V\211\327\244\34X\210Ec\244\245\360\310", ) , ) == 0x0
 01421   484   NtClose  (112, ... ) == 0x0
 01422   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325w\247\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01423   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01424   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01425   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01426   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01427   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01428   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01429   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01430   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01431   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\370\2\276'\344\240s\226Z\17:\14\356\361\277=\233\212\221&\253\225\250\235m\177\310U\2677\362\16\223\237\224!>\370\334W\307\34\367\\237\214\276\275&0\300\364L|\354\320\273\261n\177E\377\220\15\365Vw^?\313\11b5w1p\333H\315p", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\370\2\276'\344\240s\226Z\17:\14\356\361\277=\233\212\221&\253\225\250\235m\177\310U\2677\362\16\223\237\224!>\370\334W\307\34\367\\237\214\276\275&0\300\364L|\354\320\273\261n\177E\377\220\15\365Vw^?\313\11b5w1p\333H\315p", 80, ... ) , 80, ... ) == 0x0
 01432   484   NtClose  (-2147482020, ... ) == 0x0
 01422   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "*\\213y8\245\261xd\362E\344[T\374\371\33\17\274\265\232\361\257\311A\362\305t\26b\331\346\271\235\242V\13\352%\303\3511\361e\10\230\39I\202y\316\332r?=\22dH\232\301\323\244;\200I\303q\347*j\375R\266\323\361I\234\365\230\321\2N}=\372\205\5\237\343.\327\224\315\207\223\347\227\314X\240\313,\241\10\245\37\200\262\350U:\363F\235\233\257{i\306\350\304<\6W\255\234h\276\203p<\203)*\301Q\13\3630_GaJ\200[\355|'\215\344J\256\220\323y\15\205@\344\300\210\35\30\344\311%\376\304\201P\334\37H\2l\225\341\323A5\260\12M\240I\10\222\23-f\361\352\2030p<\14+`\227\302\326\13\214\331h\340\321\32\253\21\202CNT\250\2493uW\302i\37\276\251&!\267\305r\361\27\24\250\362\373\251\260\262['\370K\3\330\231\36\376W"\13\356x\324", ) \13\356x\324", ) == 0x0
 01433   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01434   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01435   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01436   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01437   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01438   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01439   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01440   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01441   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01442   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "p6D\33\252\3315\7[\35\277\231\376\247tz~\202\373\330\31\13\203\202\10\222\25\371u\270):i0\271\250#\332c\2451\34\217b\375j\7)\4\351?]\314\33\214\225\273=p\337\270\225\213]\2L0x\313\164\210_tm\315\304)\3022", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "p6D\33\252\3315\7[\35\277\231\376\247tz~\202\373\330\31\13\203\202\10\222\25\371u\270):i0\271\250#\332c\2451\34\217b\375j\7)\4\351?]\314\33\214\225\273=p\337\270\225\213]\2L0x\313\164\210_tm\315\304)\3022", 80, ... ) , 80, ... ) == 0x0
 01443   484   NtClose  (-2147482020, ... ) == 0x0
 01433   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\22\352x'\263F\306\23tVo\232\267\362\261dD\336\371?\6S\15\273FhN\212qn1 \317p2=O\267\321\33\26\342#m\246\254\25\37\205\3l\202h\12:)\10\245e.\220h\217\227\4\230\35\362(\256r*^\177\303E\275\331\361\16\251JzV\362U\333\234\262\374\27\234\363\242\275t\271\245\367\355\335`\\320\221I\304u\257\213/\7\343*%\217\343o\10\224\204\11\236mT \330\34\332\2651I\311\14\242\364Ww\242WBr\263\254\11JeCQ\371\335\4\37\272\327S\234 \266[H\346\336\4\1\15\317\2666\347\266:\377\240mV\354\317\232\223v\356\262\271\240\357r:\203\270\361\24\12\3\262\303>\331Z0\341\220/\377\2653", ) , ) == 0x0
 01444   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ\232c\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01445   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01446   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01447   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01448   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01449   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01450   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01451   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01452   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01453   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "]\212\200\263\336[\16\367\265Ii\2044\3426\377\371\303\212\367>t\36u:\204\304\377\203\214\352\262w\242A"\21\262\233\2\266\277\245\300|\344\201\31H\245Q\322\206\365[\326!\367\205\261"\233\366G\216\223\34\350\352GU\311C0N\240\205?4<", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "]\212\200\263\336[\16\367\265Ii\2044\3426\377\371\303\212\367>t\36u:\204\304\377\203\214\352\262w\242A"\21\262\233\2\266\277\245\300|\344\201\31H\245Q\322\206\365[\326!\367\205\261"\233\366G\216\223\34\350\352GU\311C0N\240\205?4<", 80, ... ) \21\262\233\2\266\277\245\300|\344\201\31H\245Q\322\206\365[\326!\367\205\261 (-2147482020, "Seed", 0, 3, "]\212\200\263\336[\16\367\265Ii\2044\3426\377\371\303\212\367>t\36u:\204\304\377\203\214\352\262w\242A"\21\262\233\2\266\277\245\300|\344\201\31H\245Q\322\206\365[\326!\367\205\261"\233\366G\216\223\34\350\352GU\311C0N\240\205?4<", 80, ... ) , 80, ... ) == 0x0
 01454   484   NtClose  (-2147482020, ... ) == 0x0
 01444   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\363$\33!\27\2745\321\14Z\342I3\31^\257\265\6KZ\332R\216\315\310\335XK\230\235\221\207\275\215\354\251\337=\355\2442y\321g\252\376~\14\33\2222\203.\345j\252f3 \1C\261\226H\200\27\216\353\306\355\300q\4\301D\353\265\242\255\262\21\253$\2414\364D\243P\272\200\356\327\223\226\306\200\337S\331\260d\7\373\356\326_C\251\243\260\234\245\3564;\235\272\266\1t\326\340Z\321z:\212)/\304]\243\25\21\263M\223\311e\263\346\314\5X\242$\242M\253\242\25~\267\32\31\340\246\366\23\3772y4\220\224\327=\33\370c\2206\255\276\305J\12\3g\341\2242\266\367C\261j\306'x(,y\274\32e}\228j\364@\376e)a`\2316k]\264Qs\337i\20'Aj}\373\315\255\216\332\3\36~1\377\211l!\237:\227?\13\321\276\177_\224\31\314\225A\247\31r\37:%\4", ) , ) == 0x0
 01455   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01456   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01457   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01458   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01459   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01460   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01461   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01462   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01463   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01464   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "L\342\23\305\7\33\177\232\242\353\3\314\14\243\235N\234\23\324\203K\216\14\363QU\271Y\367:h$\314\270i2\260~\335\332c\214\15\2029J\315\7V\300\23\321h\344\224\302\243\12\275\224?4-\274,\250W1v.:h4>\263\353\302\256\12\214", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "L\342\23\305\7\33\177\232\242\353\3\314\14\243\235N\234\23\324\203K\216\14\363QU\271Y\367:h$\314\270i2\260~\335\332c\214\15\2029J\315\7V\300\23\321h\344\224\302\243\12\275\224?4-\274,\250W1v.:h4>\263\353\302\256\12\214", 80, ... ) , 80, ... ) == 0x0
 01465   484   NtClose  (-2147482020, ... ) == 0x0
 01455   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\302|HTt\323\12\371\4M\377\242\312\12\300p\212Y\221\255\340\231\217\34(~\356Hc\34\366\20\360w\327\6\327l\34\270]\31La\213'\367O6.H.T\370\344\314\276#f\17l\230\225\350y\227\14k\352\202\354\231\363\216\4n\37\246\266J\324\231QW\20\31)&*`\241,\307j\217\2358\232\267\245\321\205y0\244\3414\256^\315\210\261\266\365\317\225\0\4K\221\316\334Z\366b]|y\273\317iZ\276*A\352w\5\10h'i\345\23D\3521p\205\6\312\14\244\253\32#{\375\222\265mz\237\211\204\316t^\306J\177\347\243\313\1\261\227+F\356\332\355i\336\334\260\234\247\312N\7\223\234\270\276\15\3456\332z-\251;U\206I\200\210\6\374\221\353t\357\233,s\241\255\6\344T\263\216K\233\267i\26b*\257\256\207z\26,\277\314\34\261\33\345\246\210\263\270\270\3703l\336QNn'", ) , ) == 0x0
 01466   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01467   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01468   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01469   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01470   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01471   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01472   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01473   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01474   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01475   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\346O\247\2370*\374E'\7\323\345\2272}\362b\15BJ<\214X\261\318\331\0f\253\356@G\32(PP\233\253\6[=\10s\337/8\2174\352x(\376[a\34YE;\\3346\245\335\266\20\222(\256\2\3412&,\353\13\325)\213W", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\346O\247\2370*\374E'\7\323\345\2272}\362b\15BJ<\214X\261\318\331\0f\253\356@G\32(PP\233\253\6[=\10s\337/8\2174\352x(\376[a\34YE;\\3346\245\335\266\20\222(\256\2\3412&,\353\13\325)\213W", 80, ... ) , 80, ... ) == 0x0
 01476   484   NtClose  (-2147482020, ... ) == 0x0
 01466   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\202\267Mj6\356-\306\276\250\252\32\370?\263V!%\261\302\236\31^\325\3240\227\255gX\274\30AK\325eQ\336\245\37\266T\363\271\241\300\24\256\227\10\253\355\205\216\337 &\\344&\31K\360a\5q\32j\364\212\264\345\3V\227\12}\373\227w1I\3107\344{\371\11l\3760'\363!\177%\370M\205\375a@\336\302\227d:rx\30a\25\301X4%jv\237\241al\31\214\311\223]\214\332@}\201\215\214X\4\200f$\15\333\243\5\23(\225\372(\3721\177\265\304>\7[\Y\2\276\22\355\270\333\266\351r[\27Y\33\357\3k|_\344?>\30\340\12#c\327@\300FV\336\367\361h\351\265"\25<\364\212\266\317\7\237\273\226\343\23\335G=}\257BkU\364u\262v\3736\23\315\330\273z\200\272\300\344\351\225\264]o\272\256\276\265\353\36\222\241\217M\2248\215x\233+dA!\256", ) \25<\364\212\266\317\7\237\273\226\343\23\335G=}\257BkU\364u\262v\3736\23\315\330\273z\200\272\300\344\351\225\264]o\272\256\276\265\353\36\222\241\217M\2248\215x\233+dA!\256", ) == 0x0
 01477   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01478   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01479   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01480   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01481   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01482   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01483   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01484   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01485   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01486   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\217\326-2\200+\265\30\310F<\25_l\270\220\0\3\301*9e\370\372I\265O\347i\277l\352U\2667\324*\346\274k\4\220\374l$\332'\231L\322\35^\7\326*x\246`\24\315\5B\335\14\274\374\221\3635\212'y\327\336\312\313\300^Dh", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\217\326-2\200+\265\30\310F<\25_l\270\220\0\3\301*9e\370\372I\265O\347i\277l\352U\2667\324*\346\274k\4\220\374l$\332'\231L\322\35^\7\326*x\246`\24\315\5B\335\14\274\374\221\3635\212'y\327\336\312\313\300^Dh", 80, ... ) , 80, ... ) == 0x0
 01487   484   NtClose  (-2147482020, ... ) == 0x0
 01477   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\15\364\277\251\267\231H\246, ) , ) == 0x0
 01488   484   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\11\275\254\245\232\15\325\300\271\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ\232c\217@\204GQ-}\231\333\310r\321z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01489   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01490   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01491   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01492   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01493   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01494   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01495   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01496   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01497   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\255f\233\376O\3758\37\2nCo\21\206K\203f\347\334\12L\204&2ta(RH\232\374N\235c\363\227\242\377\263\17F/Wr)\240\205\234\320_\325\274\35\326_\360O\267\344\242\226*\7Z$M\337\360\275}\240\270Va\10\365\207\24D\35", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\255f\233\376O\3758\37\2nCo\21\206K\203f\347\334\12L\204&2ta(RH\232\374N\235c\363\227\242\377\263\17F/Wr)\240\205\234\320_\325\274\35\326_\360O\267\344\242\226*\7Z$M\337\360\275}\240\270Va\10\365\207\24D\35", 80, ... ) , 80, ... ) == 0x0
 01498   484   NtClose  (-2147482020, ... ) == 0x0
 01488   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\361$\211\267+\27j\345\301\301[\353\340 \316;\270\253\16\342\344\235\201t\220\320\361^-/W\273\363\26\364\2674Z+\320\247\253&\371\200\3533\306\302\303\254%Hd8]\302\24;~%\265\273\4\211\4JF\14\327\203\R]\360\16xx\26\345W$\234\262gr\375\5\362\5\264\6s\251\10\270+b=n\33 \33zZ\7\211\337YH\303\370\305\13\10\363Mu\316\375\346*\223\155\216\310\13l\211\374\267\265\221\207$\20Ec\16\3\16N\371\204\332uW\314[g\301\3\17L\303\22\310\222\212\36I\273\262\363}\2\222\337\261\260\245\254t%\312\361\353%\233\223b\37\2343^\203\342>\216<3l\221\276\254`<\252\27E=\35@p\266{=\276\247\377\254\22\320\351\35_-\23Z\204\221K\335d\22s\256\255\367Fb\251\265\305R\220\223\276\352\342kV, ) , ) == 0x0
 01499   484   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0
 01500   484   NtQueryVolumeInformationFile  (112, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01501   484   NtClose  (12, ... ) == 0x0
 01502   484   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238188,  (0x80100080, {24, 0, 0x40, 0, 1238188, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01504   484   NtQueryInformationFile  (12, 1239124, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01505   484   NtQueryInformationFile  (12, 1239096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01506   484   NtQueryInformationFile  (12, 1239048, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01507   484   NtQueryInformationFile  (12, 1383368, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01508   484   NtQueryInformationFile  (12, 1237592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01509   484   NtQueryInformationFile  (12, 1237436, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01510   484   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237444,  (0x40110080, {24, 0, 0x40, 0, 1237444, "\??\C:\WINDOWS\System32\logon.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01511   484   NtClose  (-2147482020, ... ) == 0x0
 01510   484   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 01512   484   NtQueryVolumeInformationFile  (108, 1236816, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01513   484   NtQueryInformationFile  (108, 1236776, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01514   484   NtQueryVolumeInformationFile  (12, 1236816, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01515   484   NtQueryVolumeInformationFile  (12, 1236500, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01516   484   NtSetInformationFile  (108, 1236604, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01517   484   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 120, ) == 0x0
 01518   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x4c0000), {0, 0}, 110592, ) == 0x0
 01519   484   NtClose  (120, ... ) == 0x0
 01520   484   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\352\261W{\21\300t\321ZiY\257$8\16PE\0\0L\1\6\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\306T\2\0\0\20\2\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340\2\0\0\20\0\0\305\1\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0-\3\2\0\226\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\2\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\27\306\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01521   484   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\0\0\351\\251\0\0\201\371\15\337}\330\351\27\177\0\0\207\320\17\210\32\214\0\0Q\205\325\351\334\4\0\0\207\24$Z\11\300\17\205\370\237\0\0\351x\240\0\0\235\213\302\351\271\245\0\0RhFc\263\265Z\201\352\357\371D3\351d\254\0\0\213\354h\231\266B\0\351rB\0\0\303\201\4$]lm\234\350\271\215\0\0S\211\4$\377U\374\351\370m\0\0\3\370X\211\7_hCrB\0\351\271\216\0\0\201\350\235\373\371\373\201\360\0\0\211<$_\213E\370h\365\25B\0\351\24i\0\0h\335iB\0\351\371\15\0\0\17\216\231/\0\0\207\14$Yh\213\345\336|\211\14$\211\354]\351\336\0\0\0\211E\370\213E\10\366@\371\20\17\204F\237\0\0\351\344\0\0\0Z\360m\0\0\0\0\0\0\0\0\351\\234\0\0\3510\373\377\377o\1\0\0\0\0\351\373 \0\0\32U^\0\0\0\0\351\23-\0\0\323&\346\0\0\0\0U\351\267#\0\0WhG\345_\270_\201\357F\275\367"\201\367R\266\223\265\351\243\27\0\0;E\370\17\205\261\11\0\0\213E\354\213@", 49152, 0x0, 0, ... {status=0x0, info=49152}, ) \201\367R\266\223\265\351\243\27\0\0;E\370\17\205\261\11\0\0\213E\354\213@", 49152, 0x0, 0, ... {status=0x0, info=49152}, ) == 0x0
 01522   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01523   484   NtSetInformationFile  (108, 1239048, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01524   484   NtClose  (12, ... ) == 0x0
 01525   484   NtClose  (108, ... ) == 0x0
 01526   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113568, ... 108, {status=0x0, info=1}, ) }, 7, 2113568, ... 108, {status=0x0, info=1}, ) == 0x0
 01527   484   NtSetInformationFile  (108, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01528   484   NtClose  (108, ... ) == 0x0
 01529   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113568, ... 108, {status=0x0, info=1}, ) }, 7, 2113568, ... 108, {status=0x0, info=1}, ) == 0x0
 01530   484   NtSetInformationFile  (108, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01531   484   NtClose  (108, ... ) == 0x0
 01532   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01533   484   NtQueryInformationFile  (108, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01534   484   NtClose  (108, ... ) == 0x0
 01535   484   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\System32\logon.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01536   484   NtSetInformationFile  (108, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01537   484   NtClose  (108, ... ) == 0x0
 01538   484   NtOpenFile  (0x10080, {24, 112, 0x40, 0, 0,  (0x10080, {24, 112, 0x40, 0, 0, "dfseqmi.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   484   NtCreateFile  (0x40100080, {24, 112, 0x40, 0, 1239200,  (0x40100080, {24, 112, 0x40, 0, 1239200, "dfseqmi.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 108, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 108, {status=0x0, info=2}, ) == 0x0
 01540   484   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del dfseqmi.bat\15\12", 123, 0x0, 0, ... {status=0x0, info=123}, ) , 123, 0x0, 0, ... {status=0x0, info=123}, ) == 0x0
 01541   484   NtClose  (108, ... ) == 0x0
 01542   484   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232540, ... ) }, 1232540, ... ) == 0x0
 01544   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01545   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 12, ) == 0x0
 01546   484   NtClose  (108, ... ) == 0x0
 01547   484   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4c0000), 0x0, 262144, ) == 0x0
 01548   484   NtClose  (12, ... ) == 0x0
 01549   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01550   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01551   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01552   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01553   484   NtAllocateVirtualMemory  (-1, 1392640, 0, 16384, 4096, 4, ... 1392640, 16384, ) == 0x0
 01554   484   NtUserRegisterClassExWOW  (1234624, 1234704, 1234688, 1234720, 0, 384, 0, ... ) == 0x810cc038
 01555   484   NtUserGetAtomName  (49208, 1233388, ... ) == 0x15
 01556   484   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01557   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230912, ... ) }, 1230912, ... ) == 0x0
 01558   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01559   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 108, ) == 0x0
 01560   484   NtClose  (12, ... ) == 0x0
 01561   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4c0000), 0x0, 204800, ) == 0x0
 01562   484   NtClose  (108, ... ) == 0x0
 01563   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 01564   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231228, ... ) }, 1231228, ... ) == 0x0
 01565   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01566   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 12, ) == 0x0
 01567   484   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01568   484   NtClose  (108, ... ) == 0x0
 01569   484   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01570   484   NtClose  (12, ... ) == 0x0
 01571   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01572   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01573   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01574   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01575   484   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01576   484   NtClose  (12, ... ) == 0x0
 01577   484   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01578   484   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01579   484   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 01580   484   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   484   NtClose  (108, ... ) == 0x0
 01582   484   NtClose  (12, ... ) == 0x0
 01583   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01584   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01585   484   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01586   484   NtClose  (12, ... ) == 0x0
 01587   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01588   484   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 01589   484   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590   484   NtClose  (108, ... ) == 0x0
 01591   484   NtClose  (12, ... ) == 0x0
 01592   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 01595   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 01596   484   NtUserGetObjectInformation  (44, 2, 0, 0, 1233024, ... ) == 0x0
 01597   484   NtUserGetObjectInformation  (44, 2, 1326064, 16, 1233024, ... ) == 0x1
 01598   484   NtUserGetGUIThreadInfo  (484, 1232980, ... ) == 0x1
 01599   484   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01600   484   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 476, 484, 1617, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01601   484   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1618, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 476, 484, 1618, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1618, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01602   484   NtUserCallNoParam  (29, ...
 01603   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230272, ... ) }, 1230272, ... ) == 0x0
 01602   484   NtUserCallNoParam  ... ) == 0x0
 01604   484   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01605   484   NtGdiHfontCreate  (1232352, 356, 0, 0, 1356784, ... ) == 0x80a047f
 01606   484   NtGdiHfontCreate  (1232352, 356, 0, 0, 1356776, ... ) == 0x60a0480
 01607   484   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1619, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 476, 484, 1619, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 476, 484, 1619, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01608   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x4c0000), {0, 0}, 331776, ) == 0x0
 01609   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01610   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01611   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01612   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01613   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01614   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01615   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01616   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01617   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01618   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01619   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01620   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01621   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01622   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01623   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01624   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01625   484   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01626   484   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100482
 01627   484   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01628   484   NtUserCallNoParam  (29, ...
 01629   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229716, ... ) }, 1229716, ... ) == 0x0
 01628   484   NtUserCallNoParam  ... ) == 0x0
 01630   484   NtUserCallNoParam  (29, ...
 01631   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 01630   484   NtUserCallNoParam  ... ) == 0x0
 01632   484   NtUserMessageCall  (0x200be, WM_NCCREATE, 0x0, 0x12d198, 0, 670, 0, ... ) == 0x1
 01633   484   NtUserMessageCall  (0x200be, WM_NCCALCSIZE, 0x0, 0x12d1c0, 0, 670, 0, ... ) == 0x0
 01634   484   NtUserSetProp  (131262, 43288, -1, ... ) == 0x1
 01556   484   NtUserCreateWindowEx  ... ) == 0x200be
 01635   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01636   484   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 01638   484   NtQueryValueKey  (124,  (124, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01639   484   NtClose  (124, ... ) == 0x0
 01640   484   NtClose  (120, ... ) == 0x0
 01641   484   NtAllocateVirtualMemory  (-1, 1409024, 0, 24576, 4096, 4, ... 1409024, 24576, ) == 0x0
 01642   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01643   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 120, ) }, ... 120, ) == 0x0
 01645   484   NtQueryValueKey  (120,  (120, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01646   484   NtClose  (120, ... ) == 0x0
 01647   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01649   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 01650   484   NtQuerySystemTime  (... {1257093038, 29873097}, ) == 0x0
 01651   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01652   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01654   484   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01655   484   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01656   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01657   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 136, ) == 0x0
 01658   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01659   484   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "ActiveComputerName"}, ... 144, ) }, ... 144, ) == 0x0
 01660   484   NtQueryValueKey  (144,  (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01661   484   NtClose  (144, ... ) == 0x0
 01662   484   NtClose  (140, ... ) == 0x0
 01663   484   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 140, ) == 0x0
 01664   484   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 144, ) == 0x0
 01665   484   NtDuplicateObject  (-1, 140, -1, 0x0, 0, 2, ... 148, ) == 0x0
 01666   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01667   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01668   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01669   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01670   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233152,  (0xc0100080, {24, 0, 0x40, 0, 1233152, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01671   484   NtSetInformationFile  (156, 1233208, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01672   484   NtSetInformationFile  (156, 1233200, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01673   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01674   484   NtWriteFile  (156, 133, 0, 0,  (156, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01675   484   NtReadFile  (156, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (156, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\372&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01676   484   NtFsControlFile  (156, 133, 0x0, 0x0, 0x11c017,  (156, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\372&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (156, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\372&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01677   484   NtClose  (152, ... ) == 0x0
 01678   484   NtClose  (156, ... ) == 0x0
 01679   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233196, ... ) }, 1233196, ... ) == 0x0
 01680   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01681   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01682   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "dfseqmi.bat"}, 1233016, ... ) }, 1233016, ... ) == 0x0
 01683   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01684   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01685   484   NtCreateSemaphore  (0x1f0003, {24, 56, 0x80, 1356800, 0,  (0x1f0003, {24, 56, 0x80, 1356800, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 156, ) }, 0, 2147483647, ... 156, ) == STATUS_OBJECT_NAME_EXISTS
 01686   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01687   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01688   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01689   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01690   484   NtQueryValueKey  (152,  (152, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   484   NtClose  (152, ... ) == 0x0
 01692   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01693   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01694   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01695   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01696   484   NtQueryValueKey  (152,  (152, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01697   484   NtClose  (152, ... ) == 0x0
 01698   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01699   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01700   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01701   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01702   484   NtQueryValueKey  (152,  (152, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01703   484   NtClose  (152, ... ) == 0x0
 01704   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01705   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01706   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01708   484   NtQueryValueKey  (152,  (152, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01709   484   NtClose  (152, ... ) == 0x0
 01710   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 152, ) }, ... 152, ) == 0x0
 01711   484   NtEnumerateKey  (152, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (152, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01712   484   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 160, ) }, ... 160, ) == 0x0
 01713   484   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01714   484   NtClose  (160, ... ) == 0x0
 01715   484   NtEnumerateKey  (152, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (152, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01716   484   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 160, ) }, ... 160, ) == 0x0
 01717   484   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01718   484   NtClose  (160, ... ) == 0x0
 01719   484   NtEnumerateKey  (152, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (152, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01720   484   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 160, ) }, ... 160, ) == 0x0
 01721   484   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01722   484   NtClose  (160, ... ) == 0x0
 01723   484   NtEnumerateKey  (152, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (152, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01724   484   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 160, ) }, ... 160, ) == 0x0
 01725   484   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01726   484   NtClose  (160, ... ) == 0x0
 01727   484   NtEnumerateKey  (152, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01728   484   NtClose  (152, ... ) == 0x0
 01729   484   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   484   NtOpenProcessToken  (-1, 0x8, ... 152, ) == 0x0
 01731   484   NtQueryInformationToken  (152, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01732   484   NtClose  (152, ... ) == 0x0
 01733   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01734   484   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01735   484   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 160, ) == 0x0
 01736   484   NtCreateKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "SessionInfo\00000000000091c7"}, 0, 0x0, 1, ... 164, 2, ) }, 0, 0x0, 1, ... 164, 2, ) == 0x0
 01737   484   NtClose  (160, ... ) == 0x0
 01738   484   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01739   484   NtClose  (164, ... ) == 0x0
 01740   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01741   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01742   484   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01743   484   NtClose  (164, ... ) == 0x0
 01744   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 164, ) }, ... 164, ) == 0x0
 01745   484   NtSetInformationObject  (166, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01746   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01747   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01749   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01750   484   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 01751   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01752   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01753   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01754   484   NtClose  (168, ... ) == 0x0
 01755   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01756   484   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01757   484   NtClose  (162, ... ) == 0x0
 01758   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01759   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01761   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01762   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01763   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01764   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01765   484   NtClose  (168, ... ) == 0x0
 01766   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   484   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   484   NtClose  (162, ... ) == 0x0
 01769   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01770   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01771   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01772   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01773   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01774   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01775   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01776   484   NtClose  (168, ... ) == 0x0
 01777   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   484   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (162, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01779   484   NtClose  (162, ... ) == 0x0
 01780   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01781   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01782   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 160, ) }, ... 160, ) == 0x0
 01784   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01785   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01786   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01787   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01788   484   NtClose  (168, ... ) == 0x0
 01789   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01790   484   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01791   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01792   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01793   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01794   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01795   484   NtClose  (168, ... ) == 0x0
 01796   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01797   484   NtQueryValueKey  (162,  (162, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   484   NtClose  (162, ... ) == 0x0
 01799   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01800   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01801   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01802   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 160, ) }, ... 160, ) == 0x0
 01803   484   NtQueryValueKey  (160,  (160, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01804   484   NtClose  (160, ... ) == 0x0
 01805   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 160, ) }, ... 160, ) == 0x0
 01806   484   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01807   484   NtClose  (160, ... ) == 0x0
 01808   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 160, ) }, ... 160, ) == 0x0
 01809   484   NtQueryValueKey  (160,  (160, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810   484   NtClose  (160, ... ) == 0x0
 01811   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 160, ) }, ... 160, ) == 0x0
 01812   484   NtQueryValueKey  (160, " (160, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (160, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01813   484   NtClose  (160, ... ) == 0x0
 01814   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01815   484   NtQueryVolumeInformationFile  (160, 1233336, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01816   484   NtOpenMutant  (0x120001, {24, 56, 0x0, 0, 0,  (0x120001, {24, 56, 0x0, 0, 0, "ShimCacheMutex"}, ... 168, ) }, ... 168, ) == 0x0
 01817   484   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 01818   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "ShimSharedMemory"}, ... 172, ) }, ... 172, ) == 0x0
 01819   484   NtMapViewOfSection  (172, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x520000), {0, 0}, 57344, ) == 0x0
 01820   484   NtQueryInformationFile  (160, 1233300, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01821   484   NtQueryInformationFile  (160, 1233340, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01822   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01823   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01824   484   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01825   484   NtClose  (176, ... ) == 0x0
 01826   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01827   484   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 01828   484   NtClose  (160, ... ) == 0x0
 01829   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 160, ) }, ... 160, ) == 0x0
 01830   484   NtQueryValueKey  (160,  (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01831   484   NtClose  (160, ... ) == 0x0
 01832   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01834   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01835   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == 0x0
 01836   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01837   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 176, ) == 0x0
 01838   484   NtQuerySection  (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01839   484   NtClose  (160, ... ) == 0x0
 01840   484   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01841   484   NtClose  (176, ... ) == 0x0
 01842   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01843   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01844   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01845   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == 0x0
 01846   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01847   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 160, ) == 0x0
 01848   484   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01849   484   NtClose  (176, ... ) == 0x0
 01850   484   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01851   484   NtClose  (160, ... ) == 0x0
 01852   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 160, ) }, ... 160, ) == 0x0
 01853   484   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01854   484   NtClose  (160, ... ) == 0x0
 01855   484   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01856   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01857   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 160, ) }, ... 160, ) == 0x0
 01858   484   NtQueryValueKey  (160,  (160, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859   484   NtQueryValueKey  (160,  (160, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01860   484   NtClose  (160, ... ) == 0x0
 01861   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231116, ... ) }, 1231116, ... ) == 0x0
 01862   484   NtOpenSection  (0x4, {24, 56, 0x2, 0, 0,  (0x4, {24, 56, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01863   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01864   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 160, ) }, ... 160, ) == 0x0
 01865   484   NtQueryValueKey  (160,  (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01866   484   NtClose  (160, ... ) == 0x0
 01867   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01868   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01869   484   NtNotifyChangeKey  (160, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01870   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 180, ) }, ... 180, ) == 0x0
 01871   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01872   484   NtNotifyChangeKey  (180, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01873   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01874   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 192, ) }, ... 192, ) == 0x0
 01875   484   NtSetInformationObject  (192, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01876   484   NtNotifyChangeKey  (192, 188, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01877   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Classes"}, ... 196, ) }, ... 196, ) == 0x0
 01878   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01879   484   NtNotifyChangeKey  (196, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01880   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01881   484   NtNotifyChangeKey  (192, 204, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01882   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 208, ) }, ... 208, ) == 0x0
 01883   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 01884   484   NtNotifyChangeKey  (208, 212, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01885   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 216, ) }, ... 216, ) == 0x0
 01886   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0
 01887   484   NtNotifyChangeKey  (216, 220, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01888   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 224, ) }, ... 224, ) == 0x0
 01889   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0
 01890   484   NtNotifyChangeKey  (224, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01891   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Classes"}, ... 232, ) }, ... 232, ) == 0x0
 01892   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 236, ) == 0x0
 01893   484   NtNotifyChangeKey  (232, 236, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01894   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 240, ) }, ... 240, ) == 0x0
 01895   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01896   484   NtNotifyChangeKey  (240, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01897   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0
 01898   484   NtNotifyChangeKey  (192, 248, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01899   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 252, ) }, ... 252, ) == 0x0
 01900   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01901   484   NtNotifyChangeKey  (252, 256, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01902   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 260, ) }, ... 260, ) == 0x0
 01903   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 264, ) == 0x0
 01904   484   NtNotifyChangeKey  (260, 264, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01905   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 268, ) }, ... 268, ) == 0x0
 01906   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 272, ) == 0x0
 01907   484   NtNotifyChangeKey  (268, 272, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01908   484   NtOpenSection  (0x4, {24, 56, 0x2, 0, 0,  (0x4, {24, 56, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01909   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01910   484   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01911   484   NtClose  (276, ... ) == 0x0
 01912   484   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 01913   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01914   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01915   484   NtOpenSection  (0x4, {24, 56, 0x0, 0, 0,  (0x4, {24, 56, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 276, ) }, ... 276, ) == 0x0
 01916   484   NtMapViewOfSection  (276, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x950000), {0, 0}, 24576, ) == 0x0
 01917   484   NtAllocateVirtualMemory  (-1, 4415488, 0, 8192, 4096, 4, ... 4415488, 8192, ) == 0x0
 01918   484   NtAllocateVirtualMemory  (-1, 4423680, 0, 8192, 4096, 4, ... 4423680, 8192, ) == 0x0
 01919   484   NtOpenSection  (0x4, {24, 56, 0x2, 0, 0,  (0x4, {24, 56, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 280, ) }, ... 280, ) == 0x0
 01921   484   NtQueryValueKey  (280,  (280, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (280, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01922   484   NtClose  (280, ... ) == 0x0
 01923   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01924   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01925   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 9830400, 65536, ) == 0x0
 01926   484   NtAllocateVirtualMemory  (-1, 9830400, 0, 4096, 4096, 4, ... 9830400, 4096, ) == 0x0
 01927   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01928   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01930   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01931   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01932   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01933   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01934   484   NtClose  (284, ... ) == 0x0
 01935   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01936   484   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01937   484   NtClose  (282, ... ) == 0x0
 01938   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01939   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01941   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01942   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01943   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01944   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01945   484   NtClose  (284, ... ) == 0x0
 01946   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01947   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01948   484   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01949   484   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01950   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01951   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01952   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01953   484   NtClose  (288, ... ) == 0x0
 01954   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01955   484   NtQueryValueKey  (286,  (286, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01956   484   NtClose  (286, ... ) == 0x0
 01957   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01958   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01959   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01960   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01961   484   NtClose  (284, ... ) == 0x0
 01962   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01963   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01964   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01965   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01966   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01967   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01968   484   NtClose  (284, ... ) == 0x0
 01969   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01970   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01971   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01972   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01973   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01974   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01975   484   NtClose  (284, ... ) == 0x0
 01976   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01978   484   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01979   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01980   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01981   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01982   484   NtClose  (288, ... ) == 0x0
 01983   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01984   484   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01985   484   NtClose  (286, ... ) == 0x0
 01986   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01987   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01988   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01989   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01990   484   NtClose  (284, ... ) == 0x0
 01991   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01992   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01993   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01994   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01995   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01996   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01997   484   NtClose  (284, ... ) == 0x0
 01998   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02001   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02002   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02003   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02004   484   NtClose  (284, ... ) == 0x0
 02005   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02006   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02007   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02008   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02009   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02010   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02011   484   NtClose  (284, ... ) == 0x0
 02012   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02013   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02014   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02015   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 284, ) }, ... 284, ) == 0x0
 02017   484   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02018   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02019   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02020   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02021   484   NtClose  (288, ... ) == 0x0
 02022   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023   484   NtQueryValueKey  (286,  (286, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   484   NtClose  (286, ... ) == 0x0
 02025   484   NtClose  (282, ... ) == 0x0
 02026   484   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {476, 0}, ... 280, ) == 0x0
 02027   484   NtQueryInformationProcess  (280, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02028   484   NtClose  (280, ... ) == 0x0
 02029   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02030   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 02032   484   NtClose  (282, ... ) == 0x0
 02033   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 02034   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02035   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 02036   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02037   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02038   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02039   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02040   484   NtClose  (284, ... ) == 0x0
 02041   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02042   484   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 02043   484   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02044   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02045   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02046   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02047   484   NtClose  (288, ... ) == 0x0
 02048   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02049   484   NtQueryValueKey  (286,  (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02050   484   NtClose  (286, ... ) == 0x0
 02051   484   NtClose  (282, ... ) == 0x0
 02052   484   NtAllocateVirtualMemory  (-1, 1445888, 0, 8192, 4096, 4, ... 1445888, 8192, ) == 0x0
 02053   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02054   484   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02055   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 02056   484   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02057   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02058   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02059   484   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02060   484   NtClose  (284, ... ) == 0x0
 02061   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   484   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02063   484   NtClose  (282, ... ) == 0x0
 02064   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227508, ... ) }, 1227508, ... ) == 0x0
 02065   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 02066   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 280, ... 284, ) == 0x0
 02067   484   NtClose  (280, ... ) == 0x0
 02068   484   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 1339392, ) == 0x0
 02069   484   NtClose  (284, ... ) == 0x0
 02070   484   NtUnmapViewOfSection  (-1, 0x970000, ... ) == 0x0
 02071   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227824, ... ) }, 1227824, ... ) == 0x0
 02072   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02073   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 280, ) == 0x0
 02074   484   NtQuerySection  (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02075   484   NtClose  (284, ... ) == 0x0
 02076   484   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 02077   484   NtClose  (280, ... ) == 0x0
 02078   484   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02079   484   NtQueryDefaultUILanguage  (1226188, ...
 02080   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02081   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 02082   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02083   484   NtClose  (-2147482020, ... ) == 0x0
 02084   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 02085   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02086   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 02087   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   484   NtClose  (-2147482032, ... ) == 0x0
 02089   484   NtClose  (-2147482020, ... ) == 0x0
 02079   484   NtQueryDefaultUILanguage  ... ) == 0x0
 02090   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02091   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 280, {status=0x0, info=1}, ) }, 1, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 02092   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 280, ... 284, ) == 0x0
 02093   484   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x970000), 0x0, 1339392, ) == 0x0
 02094   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   484   NtQueryDefaultLocale  (1, 1224224, ... ) == 0x0
 02096   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02097   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\242\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1620, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\242\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 476, 484, 1620, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\242\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 484, 1620, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\242\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ) == 0x0
 02098   484   NtClose  (280, ... ) == 0x0
 02099   484   NtClose  (284, ... ) == 0x0
 02100   484   NtUnmapViewOfSection  (-1, 0x970000, ... ) == 0x0
 02101   484   NtUnmapViewOfSection  (-1, 0x12b878, ... ) == STATUS_NOT_MAPPED_VIEW
 02102   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02103   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02104   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02105   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02106   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222764, ... ) }, 1222764, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02107   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02108   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02109   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02110   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223356, ... ) }, 1223356, ... ) == 0x0
 02111   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 284, {status=0x0, info=1}, ) }, 3, 33, ... 284, {status=0x0, info=1}, ) == 0x0
 02112   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02113   484   NtUserFindExistingCursorIcon  (1227308, 1227324, 1227892, ... ) == 0x10011
 02114   484   NtUserRegisterClassExWOW  (1227760, 1227840, 1227824, 1227856, 0, 384, 0, ... ) == 0x810c0000
 02115   484   NtUserGetClassInfo  (1905590272, 1227924, 1227876, 1227952, 0, ... ) == 0xc05f
 02116   484   NtGdiCreateHalftonePalette  (0, ... ) == 0x1080483
 02117   484   NtGdiDoPalette  (17302659, 0, 256, 1227016, 2, 0, ... ) == 0x100
 02118   484   NtGdiDeleteObjectApp  (17302659, ... ) == 0x1
 02119   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x2010483
 02120   484   NtGdiCreatePaletteInternal  (1227012, 256, ... ) == 0x1080484
 02121   484   NtGdiDeleteObjectApp  (33621123, ... ) == 0x1
 02122   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 02123   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 280, ) }, ... 280, ) == 0x0
 02125   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 02126   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02127   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02128   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02129   484   NtClose  (288, ... ) == 0x0
 02130   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02131   484   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02132   484   NtClose  (282, ... ) == 0x0
 02133   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02134   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02136   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02137   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02138   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02139   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02140   484   NtClose  (288, ... ) == 0x0
 02141   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02142   484   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02143   484   NtClose  (282, ... ) == 0x0
 02144   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02145   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02146   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02147   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02148   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02149   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02150   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02151   484   NtClose  (288, ... ) == 0x0
 02152   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02153   484   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02154   484   NtClose  (282, ... ) == 0x0
 02155   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02156   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02158   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02159   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02160   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02161   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02162   484   NtClose  (288, ... ) == 0x0
 02163   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   484   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02165   484   NtClose  (282, ... ) == 0x0
 02166   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02167   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02169   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02170   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02171   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02172   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02173   484   NtClose  (288, ... ) == 0x0
 02174   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02175   484   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02176   484   NtClose  (282, ... ) == 0x0
 02177   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02178   484   NtAllocateVirtualMemory  (-1, 1454080, 0, 12288, 4096, 4, ... 1454080, 12288, ) == 0x0
 02179   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02180   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02181   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02182   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02183   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02184   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02185   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02186   484   NtClose  (288, ... ) == 0x0
 02187   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   484   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   484   NtClose  (282, ... ) == 0x0
 02190   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02191   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02193   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02194   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02195   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02196   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02197   484   NtClose  (288, ... ) == 0x0
 02198   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02199   484   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   484   NtClose  (282, ... ) == 0x0
 02201   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02202   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02204   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02205   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02206   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02207   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02208   484   NtClose  (288, ... ) == 0x0
 02209   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   484   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   484   NtClose  (282, ... ) == 0x0
 02212   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02213   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02215   484   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02216   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02217   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02218   484   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02219   484   NtClose  (288, ... ) == 0x0
 02220   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   484   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   484   NtClose  (282, ... ) == 0x0
 02223   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 280, ) }, ... 280, ) == 0x0
 02224   484   NtEnumerateValueKey  (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02225   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02226   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 288, ) }, ... 288, ) == 0x0
 02228   484   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02229   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02230   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 02231   484   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02232   484   NtClose  (292, ... ) == 0x0
 02233   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   484   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02235   484   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02236   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02237   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 02238   484   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02239   484   NtClose  (292, ... ) == 0x0
 02240   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   484   NtQueryValueKey  (290,  (290, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02242   484   NtClose  (290, ... ) == 0x0
 02243   484   NtEnumerateValueKey  (280, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02244   484   NtClose  (280, ... ) == 0x0
 02245   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02246   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02247   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1232468, ... ) }, 1232468, ... ) == 0x0
 02248   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02249   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02250   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02251   484   NtQueryValueKey  (280,  (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02252   484   NtClose  (280, ... ) == 0x0
 02253   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02254   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02255   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1233496, ... ) }, 1233496, ... ) == 0x0
 02256   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02257   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02258   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02259   484   NtQueryValueKey  (280,  (280, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02260   484   NtQueryValueKey  (280,  (280, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (280, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02261   484   NtClose  (280, ... ) == 0x0
 02262   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02264   484   NtQueryValueKey  (280,  (280, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02265   484   NtClose  (280, ... ) == 0x0
 02266   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02267   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02268   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02269   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02270   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02271   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02272   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02273   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02274   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02275   484   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02276   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 280, ) }, ... 280, ) == 0x0
 02277   484   NtEnumerateKey  (280, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (280, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02278   484   NtOpenKey  (0x20019, {24, 280, 0x40, 0, 0,  (0x20019, {24, 280, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 288, ) }, ... 288, ) == 0x0
 02279   484   NtQueryValueKey  (288,  (288, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (288, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02280   484   NtQueryValueKey  (288,  (288, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (288, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02281   484   NtClose  (288, ... ) == 0x0
 02282   484   NtEnumerateKey  (280, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02283   484   NtClose  (280, ... ) == 0x0
 02284   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02285   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02286   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02287   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02288   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02289   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02292   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02295   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02299   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02300   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02301   484   NtClose  (280, ... ) == 0x0
 02302   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02304   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02305   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02306   484   NtClose  (280, ... ) == 0x0
 02307   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02308   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02309   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02310   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02311   484   NtClose  (280, ... ) == 0x0
 02312   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02313   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02314   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02315   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02316   484   NtClose  (280, ... ) == 0x0
 02317   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02318   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02319   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02320   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02321   484   NtClose  (280, ... ) == 0x0
 02322   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02323   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02324   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02325   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02326   484   NtClose  (280, ... ) == 0x0
 02327   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02328   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02329   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02330   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02331   484   NtClose  (280, ... ) == 0x0
 02332   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02333   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02334   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02335   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02336   484   NtClose  (280, ... ) == 0x0
 02337   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02338   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02339   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02340   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02341   484   NtClose  (280, ... ) == 0x0
 02342   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02343   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02344   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02345   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02346   484   NtClose  (280, ... ) == 0x0
 02347   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02348   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02349   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02350   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02351   484   NtClose  (280, ... ) == 0x0
 02352   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02353   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02354   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02355   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02356   484   NtClose  (280, ... ) == 0x0
 02357   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02358   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02359   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02360   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02361   484   NtClose  (280, ... ) == 0x0
 02362   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02363   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02364   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02365   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02366   484   NtClose  (280, ... ) == 0x0
 02367   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02369   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02370   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02371   484   NtClose  (280, ... ) == 0x0
 02372   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02373   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02374   484   NtQueryValueKey  (280,  (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02375   484   NtClose  (280, ... ) == 0x0
 02376   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02377   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02378   484   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02379   484   NtClose  (280, ... ) == 0x0
 02380   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02381   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02382   484   NtOpenProcessToken  (-1, 0xa, ... 280, ) == 0x0
 02383   484   NtDuplicateToken  (280, 0xc, {24, 0, 0x0, 0, 1234304, 0x0}, 0, 2, ... 288, ) == 0x0
 02384   484   NtClose  (280, ... ) == 0x0
 02385   484   NtAccessCheck  (1456120, 288, 0x1, 1234432, 1234376, 56, 1234460, ... (0x1), ) == 0x0
 02386   484   NtClose  (288, ... ) == 0x0
 02387   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 288, ) }, ... 288, ) == 0x0
 02388   484   NtQueryValueKey  (288,  (288, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (288, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02389   484   NtClose  (288, ... ) == 0x0
 02390   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234320,  (0x80100080, {24, 0, 0x40, 0, 1234320, "\??\u:\work\dfseqmi.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) == 0x0
 02391   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 280, ) }, ... 280, ) == 0x0
 02392   484   NtQuerySymbolicLinkObject  (280, ...  (280, ... "\Device\WinDfs\U:00000000000091c7", 66, ) , 66, ) == 0x0
 02393   484   NtClose  (280, ... ) == 0x0
 02394   484   NtQueryInformationFile  (288, 1232764, 528, Name, ... {status=0x0, info=74}, ) == 0x0
 02395   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02396   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02397   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\dfseqmi.bat"}, 1231444, ... ) }, 1231444, ... ) == 0x0
 02398   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 02399   484   NtQueryDirectoryFile  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02400   484   NtClose  (280, ... ) == 0x0
 02401   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 02402   484   NtQueryDirectoryFile  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1, "dfseqmi.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02403   484   NtClose  (280, ... ) == 0x0
 02404   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02405   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02406   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02407   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02409   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == 0x0
 02410   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 02411   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 292, ) == 0x0
 02412   484   NtQuerySection  (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02413   484   NtClose  (280, ... ) == 0x0
 02414   484   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 02415   484   NtClose  (292, ... ) == 0x0
 02416   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 292, ) }, ... 292, ) == 0x0
 02417   484   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 02418   484   NtClose  (292, ... ) == 0x0
 02419   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02420   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9895936, 262144, ) == 0x0
 02421   484   NtAllocateVirtualMemory  (-1, 9895936, 0, 4096, 4096, 4, ... 9895936, 4096, ) == 0x0
 02422   484   NtAllocateVirtualMemory  (-1, 9900032, 0, 8192, 4096, 4, ... 9900032, 8192, ) == 0x0
 02423   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02424   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10158080, 1048576, ) == 0x0
 02425   484   NtAllocateVirtualMemory  (-1, 10158080, 0, 1048576, 4096, 4, ... 10158080, 1048576, ) == 0x0
 02426   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 02427   484   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 280, ) == 0x0
 02428   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 296, ) == 0x0
 02429   484   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 02430   484   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 304, ) == 0x0
 02431   484   NtSetEvent  (304, ... 0x0, ) == 0x0
 02432   484   NtSetInformationFile  (288, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02433   484   NtReadFile  (288, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (288, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02434   484   NtWaitForSingleObject  (292, 0, 0x0, ... ) == 0x0
 02435   484   NtClearEvent  (280, ... ) == 0x0
 02436   484   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02437   484   NtWaitForSingleObject  (292, 0, 0x0, ... ) == 0x0
 02438   484   NtSetEvent  (280, ... 0x0, ) == 0x0
 02439   484   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02440   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02441   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02442   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02443   484   NtClose  (308, ... ) == 0x0
 02444   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02445   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02446   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02447   484   NtClose  (308, ... ) == 0x0
 02448   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02449   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02450   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02451   484   NtClose  (308, ... ) == 0x0
 02452   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02453   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02454   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02455   484   NtClose  (308, ... ) == 0x0
 02456   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02457   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02458   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02459   484   NtClose  (308, ... ) == 0x0
 02460   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02461   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02462   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02463   484   NtClose  (308, ... ) == 0x0
 02464   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02465   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02466   484   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02467   484   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02468   484   NtClose  (308, ... ) == 0x0
 02469   484   NtWaitForMultipleObjects  (2, (292, 280, ), 0, 0, 0x0, ... ) == 0x0
 02470   484   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02471   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02472   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 308, ) == 0x0
 02473   484   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02474   484   NtClose  (308, ... ) == 0x0
 02475   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02476   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02477   484   NtClose  (308, ... ) == 0x0
 02478   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 308, ) }, ... 308, ) == 0x0
 02479   484   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02480   484   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02481   484   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02482   484   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02483   484   NtClose  (308, ... ) == 0x0
 02484   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 308, ) }, ... 308, ) == 0x0
 02485   484   NtQueryValueKey  (308,  (308, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02486   484   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02487   484   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02488   484   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02489   484   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02490   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231492, ... ) }, 1231492, ... ) == 0x0
 02491   484   NtOpenKey  (0x20119, {24, 32, 0x40, 0, 0,  (0x20119, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 312, ) }, ... 312, ) == 0x0
 02492   484   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02493   484   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02494   484   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02495   484   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02496   484   NtClose  (312, ... ) == 0x0
 02497   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02498   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02499   484   NtOpenProcessToken  (-1, 0x8, ... 312, ) == 0x0
 02500   484   NtQueryInformationToken  (312, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02501   484   NtClose  (312, ... ) == 0x0
 02502   484   NtClose  (308, ... ) == 0x0
 02503   484   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02504   484   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02505   484   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02506   484   NtClose  (308, ... ) == 0x0
 02507   484   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02508   484   NtCreateKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0
 02509   484   NtClose  (308, ... ) == 0x0
 02510   484   NtQueryValueKey  (312,  (312, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02511   484   NtClose  (312, ... ) == 0x0
 02512   484   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02513   484   NtOpenProcessToken  (-1, 0x8, ... 312, ) == 0x0
 02514   484   NtQueryInformationToken  (312, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02515   484   NtClose  (312, ... ) == 0x0
 02516   484   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 312, ) }, ... 312, ) == 0x0
 02517   484   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 308, ) }, ... 308, ) == 0x0
 02518   484   NtClose  (312, ... ) == 0x0
 02519   484   NtQueryValueKey  (308,  (308, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02520   484   NtClose  (308, ... ) == 0x0
 02521   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02522   484   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02523   484   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02524   484   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02525   484   NtClose  (308, ... ) == 0x0
 02526   484   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02527   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528   484   NtClose  (308, ... ) == 0x0
 02529   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 288, ... 308, ) == 0x0
 02531   484   NtMapViewOfSection  (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xab0000), {0, 0}, 4096, ) == 0x0
 02532   484   NtClose  (308, ... ) == 0x0
 02533   484   NtQueryInformationFile  (288, 1233708, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02534   484   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 02535   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02536   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02537   484   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 316, ) }, ... 316, ) == 0x0
 02538   484   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02539   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 320, ) }, ... 320, ) == 0x0
 02540   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02541   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02542   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02543   484   NtClose  (320, ... ) == 0x0
 02544   484   NtEnumerateKey  (316, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02545   484   NtClose  (316, ... ) == 0x0
 02546   484   NtClose  (312, ... ) == 0x0
 02547   484   NtClose  (308, ... ) == 0x0
 02548   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02549   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02550   484   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 316, ) }, ... 316, ) == 0x0
 02551   484   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02552   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 320, ) }, ... 320, ) == 0x0
 02553   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02554   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02555   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02556   484   NtClose  (320, ... ) == 0x0
 02557   484   NtEnumerateKey  (316, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02558   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 320, ) }, ... 320, ) == 0x0
 02559   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02560   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02561   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02562   484   NtClose  (320, ... ) == 0x0
 02563   484   NtEnumerateKey  (316, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (316, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02564   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 320, ) }, ... 320, ) == 0x0
 02565   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02566   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02567   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02568   484   NtClose  (320, ... ) == 0x0
 02569   484   NtEnumerateKey  (316, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (316, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02570   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 320, ) }, ... 320, ) == 0x0
 02571   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02572   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02573   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02574   484   NtClose  (320, ... ) == 0x0
 02575   484   NtEnumerateKey  (316, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02576   484   NtClose  (316, ... ) == 0x0
 02577   484   NtClose  (312, ... ) == 0x0
 02578   484   NtClose  (308, ... ) == 0x0
 02579   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02580   484   NtEnumerateKey  (308, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (308, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02581   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02582   484   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 316, ) }, ... 316, ) == 0x0
 02583   484   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02584   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 320, ) }, ... 320, ) == 0x0
 02585   484   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02586   484   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02587   484   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02588   484   NtClose  (320, ... ) == 0x0
 02589   484   NtEnumerateKey  (316, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02590   484   NtClose  (316, ... ) == 0x0
 02591   484   NtClose  (312, ... ) == 0x0
 02592   484   NtEnumerateKey  (308, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (308, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02593   484   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 1"}, ... 312, ) }, ... 312, ) == 0x0
 02594   484   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02595   484   NtClose  (312, ... ) == 0x0
 02596   484   NtEnumerateKey  (308, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02597   484   NtClose  (308, ... ) == 0x0
 02598   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02599   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02600   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 308, ... 312, ) == 0x0
 02601   484   NtClose  (308, ... ) == 0x0
 02602   484   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xab0000), 0x0, 16384, ) == 0x0
 02603   484   NtClose  (312, ... ) == 0x0
 02604   484   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 02605   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02606   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02607   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 308, ) == 0x0
 02608   484   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02609   484   NtClose  (312, ... ) == 0x0
 02610   484   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02611   484   NtClose  (308, ... ) == 0x0
 02612   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230812, ... ) }, 1230812, ... ) == 0x0
 02613   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 308, ) == 0x0
 02614   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11337728, 1048576, ) == 0x0
 02615   484   NtAllocateVirtualMemory  (-1, 12378112, 0, 8192, 4096, 4, ... 12378112, 8192, ) == 0x0
 02616   484   NtProtectVirtualMemory  (-1, (0xbce000), 4096, 260, ... (0xbce000), 4096, 4, ) == 0x0
 02617   484   NtCreateThread  (0x1f03ff, 0x0, -1, 1232760, 1233476, 1, ... 312, {476, 1328}, ) == 0x0
 02618   484   NtQueryInformationThread  (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=476,Tid=1328,}, 0x0, ) == 0x0
 02619   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\08\1\0\0\334\1\0\00\5\0\0" ... {28, 56, reply, 0, 476, 484, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\08\1\0\0\334\1\0\00\5\0\0" )  ... {28, 56, reply, 0, 476, 484, 1621, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\08\1\0\0\334\1\0\00\5\0\0" ... {28, 56, reply, 0, 476, 484, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\08\1\0\0\334\1\0\00\5\0\0" )  ) == 0x0
 02620   484   NtResumeThread  (312, ... 1, ) == 0x0
 02621   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... }, ...
 02622  1328   NtTestAlert  (... ) == 0x0
 02623  1328   NtContinue  (12385584, 1, ...
 02624  1328   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02625  1328   NtWaitForMultipleObjects  (1, (308, ), 1, 0, {-150000000, -1}, ...
 02621   484   NtOpenKey  ... 316, ) == 0x0
 02626   484   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02627   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "EncodingType 0"}, ... 320, ) }, ... 320, ) == 0x0
 02628   484   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 324, ) }, ... 324, ) == 0x0
 02629   484   NtEnumerateKey  (324, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (324, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02630   484   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 328, ) }, ... 328, ) == 0x0
 02631   484   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02632   484   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02633   484   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02634   484   NtClose  (328, ... ) == 0x0
 02635   484   NtEnumerateKey  (324, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (324, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02636   484   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 328, ) }, ... 328, ) == 0x0
 02637   484   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02638   484   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02639   484   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02640   484   NtClose  (328, ... ) == 0x0
 02641   484   NtEnumerateKey  (324, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (324, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02642   484   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 328, ) }, ... 328, ) == 0x0
 02643   484   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02644   484   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02645   484   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02646   484   NtClose  (328, ... ) == 0x0
 02647   484   NtEnumerateKey  (324, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (324, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02648   484   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 328, ) }, ... 328, ) == 0x0
 02649   484   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02650   484   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02651   484   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02652   484   NtClose  (328, ... ) == 0x0
 02653   484   NtEnumerateKey  (324, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02654   484   NtClose  (324, ... ) == 0x0
 02655   484   NtClose  (320, ... ) == 0x0
 02656   484   NtEnumerateKey  (316, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02657   484   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "EncodingType 1"}, ... 320, ) }, ... 320, ) == 0x0
 02658   484   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02659   484   NtClose  (320, ... ) == 0x0
 02660   484   NtEnumerateKey  (316, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02661   484   NtClose  (316, ... ) == 0x0
 02662   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02663   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02664   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02665   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == 0x0
 02666   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02667   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 02668   484   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02669   484   NtClose  (316, ... ) == 0x0
 02670   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02671   484   NtClose  (320, ... ) == 0x0
 02672   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02673   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11206656, 65536, ) == 0x0
 02674   484   NtAllocateVirtualMemory  (-1, 11206656, 0, 4096, 4096, 4, ... 11206656, 4096, ) == 0x0
 02675   484   NtAllocateVirtualMemory  (-1, 11210752, 0, 8192, 4096, 4, ... 11210752, 8192, ) == 0x0
 02676   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231132, ... ) }, 1231132, ... ) == 0x0
 02677   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02678   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 316, ) == 0x0
 02679   484   NtClose  (320, ... ) == 0x0
 02680   484   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbd0000), 0x0, 262144, ) == 0x0
 02681   484   NtClose  (316, ... ) == 0x0
 02682   484   NtUnmapViewOfSection  (-1, 0xbd0000, ... ) == 0x0
 02683   484   NtAllocateLocallyUniqueId  (... {97490, 0}, ) == 0x0
 02684   484   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02685   484   NtOpenProcessToken  (-1, 0x20008, ... 316, ) == 0x0
 02686   484   NtQueryInformationToken  (316, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02687   484   NtClose  (316, ... ) == 0x0
 02688   484   NtCreateSection  (0xf0007, {24, 56, 0x80, 1232452, 0,  (0xf0007, {24, 56, 0x80, 1232452, 0, "DfSharedHeap17CD2"}, {4194304, 0}, 4, 67108864, 0, ... 316, ) }, {4194304, 0}, 4, 67108864, 0, ... 316, ) == 0x0
 02689   484   NtMapViewOfSection  (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbd0000), {0, 0}, 4194304, ) == 0x0
 02690   484   NtAllocateVirtualMemory  (-1, 12386304, 0, 16376, 4096, 4, ... 12386304, 16384, ) == 0x0
 02691   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229968,  (0x80100080, {24, 0, 0x40, 0, 1229968, "\??\UNC\missouri\binaries\work\dfseqmi.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 02692   484   NtReadFile  (320, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=123},  (320, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=123}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del dfseqmi.bat\15\12", ) , ) == 0x0
 02693   484   NtClose  (320, ... ) == 0x0
 02694   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02695   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02696   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0
 02697   484   NtClose  (320, ... ) == 0x0
 02698   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfd0000), 0x0, 69632, ) == 0x0
 02699   484   NtClose  (324, ... ) == 0x0
 02700   484   NtUnmapViewOfSection  (-1, 0xfd0000, ... ) == 0x0
 02701   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02702   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02703   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0
 02704   484   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02705   484   NtClose  (324, ... ) == 0x0
 02706   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02707   484   NtClose  (320, ... ) == 0x0
 02708   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 320, ) }, ... 320, ) == 0x0
 02709   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02710   484   NtClose  (320, ... ) == 0x0
 02711   484   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02712   484   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02713   484   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02714   484   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02715   484   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02716   484   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02717   484   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02718   484   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02719   484   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02720   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02721   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02722   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02723   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02724   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02725   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02726   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02727   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02728   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02729   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02730   484   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02731   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02732   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02733   484   NtOpenProcessToken  (-1, 0x8, ... 320, ) == 0x0
 02734   484   NtQueryInformationToken  (320, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02735   484   NtClose  (320, ... ) == 0x0
 02736   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02737   484   NtReleaseMutant  (16, ...
 02738   484   NtContinue  (-104161144, 0, ...
 02737   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02739   484   NtQueryDefaultLocale  (1, 1230232, ... ) == 0x0
 02740   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02741   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02742   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02743   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02744   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02745   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02746   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02747   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02750   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02751   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02752   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02753   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02754   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02755   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02756   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02757   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02759   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02761   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02763   484   NtReleaseMutant  (16, ...
 02764   484   NtContinue  (-104161144, 0, ...
 02763   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02765   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02766   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02767   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02768   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02769   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02770   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02771   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02772   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02773   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02774   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02775   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02776   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02777   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 02778   484   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02779   484   NtClose  (320, ... ) == 0x0
 02780   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 320, ) }, ... 320, ) == 0x0
 02781   484   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 324, ) }, ... 324, ) == 0x0
 02782   484   NtClose  (320, ... ) == 0x0
 02783   484   NtQueryValueKey  (324,  (324, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02784   484   NtQueryValueKey  (324,  (324, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (324, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02785   484   NtClose  (324, ... ) == 0x0
 02786   484   NtClose  (288, ... ) == 0x0
 02787   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 16580608, 4096, ) == 0x0
 02788   484   NtAllocateVirtualMemory  (-1, 16580608, 0, 4096, 4096, 4, ... 16580608, 4096, ) == 0x0
 02789   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 288, ) }, ... 288, ) == 0x0
 02790   484   NtQueryValueKey  (288,  (288, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02791   484   NtClose  (288, ... ) == 0x0
 02792   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02793   484   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02794   484   NtOpenProcessToken  (-1, 0x2000a, ... 288, ) == 0x0
 02795   484   NtQueryInformationToken  (288, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02796   484   NtQueryInformationToken  (288, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02797   484   NtClose  (288, ... ) == 0x0
 02798   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02799   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 02800   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 02801   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02802   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 288, ) }, ... 288, ) == 0x0
 02803   484   NtQueryValueKey  (288,  (288, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02804   484   NtClose  (288, ... ) == 0x0
 02805   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 02806   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 02807   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02808   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 288, ) }, ... 288, ) == 0x0
 02809   484   NtQueryValueKey  (288,  (288, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   484   NtClose  (288, ... ) == 0x0
 02811   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02812   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02813   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 288, ) }, ... 288, ) == 0x0
 02814   484   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02815   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02816   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02817   484   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02818   484   NtClose  (324, ... ) == 0x0
 02819   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   484   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02821   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230840, ... ) }, 1230840, ... ) == 0x0
 02822   484   NtClose  (290, ... ) == 0x0
 02823   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02824   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 288, {status=0x0, info=1}, ) }, 3, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02825   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 324, ) }, ... 324, ) == 0x0
 02826   484   NtQuerySymbolicLinkObject  (324, ...  (324, ... "\Device\WinDfs\U:00000000000091c7", 66, ) , 66, ) == 0x0
 02827   484   NtClose  (324, ... ) == 0x0
 02828   484   NtQueryVolumeInformationFile  (288, 1234192, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02829   484   NtClose  (288, ... ) == 0x0
 02830   484   NtWaitForSingleObject  (72, 0, {0, 0}, ... ) == 0x102
 02831   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet"}, ... 288, ) }, ... 288, ) == 0x0
 02832   484   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 324, ) }, ... 324, ) == 0x0
 02833   484   NtQueryValueKey  (324,  (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02834   484   NtQueryValueKey  (324,  (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02835   484   NtClose  (324, ... ) == 0x0
 02836   484   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02837   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02838   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02839   484   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02840   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02841   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02842   484   NtClose  (324, ... ) == 0x0
 02843   484   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02844   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02845   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02846   484   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02847   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02848   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02849   484   NtClose  (324, ... ) == 0x0
 02850   484   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02851   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02852   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02853   484   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02854   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02855   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02856   484   NtClose  (324, ... ) == 0x0
 02857   484   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02858   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02859   484   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02860   484   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02861   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02862   484   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02863   484   NtClose  (324, ... ) == 0x0
 02864   484   NtClose  (288, ... ) == 0x0
 02865   484   NtQueryDefaultLocale  (1, 1233744, ... ) == 0x0
 02866   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02867   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02868   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 288, ... 324, ) == 0x0
 02869   484   NtClose  (288, ... ) == 0x0
 02870   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 12288, ) == 0x0
 02871   484   NtClose  (324, ... ) == 0x0
 02872   484   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 02873   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02874   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02875   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02876   484   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02877   484   NtClose  (324, ... ) == 0x0
 02878   484   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02879   484   NtClose  (288, ... ) == 0x0
 02880   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 288, ) }, ... 288, ) == 0x0
 02881   484   NtQueryValueKey  (288,  (288, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02882   484   NtClose  (288, ... ) == 0x0
 02883   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02884   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02885   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 288, ... 324, ) == 0x0
 02886   484   NtClose  (288, ... ) == 0x0
 02887   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 40960, ) == 0x0
 02888   484   NtClose  (324, ... ) == 0x0
 02889   484   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 02890   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02891   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02892   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02893   484   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02894   484   NtClose  (324, ... ) == 0x0
 02895   484   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02896   484   NtClose  (288, ... ) == 0x0
 02897   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02899   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02900   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 288, ... 324, ) == 0x0
 02901   484   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02902   484   NtClose  (288, ... ) == 0x0
 02903   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02904   484   NtClose  (324, ... ) == 0x0
 02905   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02906   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02907   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02908   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02909   484   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02910   484   NtClose  (324, ... ) == 0x0
 02911   484   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02912   484   NtClose  (288, ... ) == 0x0
 02913   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02914   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02915   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02916   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 288, ... 324, ) == 0x0
 02917   484   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02918   484   NtClose  (288, ... ) == 0x0
 02919   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02920   484   NtClose  (324, ... ) == 0x0
 02921   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02922   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02923   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02924   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02925   484   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02926   484   NtClose  (324, ... ) == 0x0
 02927   484   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02928   484   NtClose  (288, ... ) == 0x0
 02929   484   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 288, ) }, ... 288, ) == 0x0
 02930   484   NtQueryValueKey  (288,  (288, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02931   484   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 324, ) == 0x0
 02932   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02933   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02934   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 328, ) == 0x0
 02935   484   NtClose  (320, ... ) == 0x0
 02936   484   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 24576, ) == 0x0
 02937   484   NtClose  (328, ... ) == 0x0
 02938   484   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 02939   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02940   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02941   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 320, ) == 0x0
 02942   484   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02943   484   NtClose  (328, ... ) == 0x0
 02944   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02945   484   NtClose  (320, ... ) == 0x0
 02946   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02947   484   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02948   484   NtClose  (320, ... ) == 0x0
 02949   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02950   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02951   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02952   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02953   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == 0x0
 02954   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02955   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 328, ) == 0x0
 02956   484   NtClose  (320, ... ) == 0x0
 02957   484   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 122880, ) == 0x0
 02958   484   NtClose  (328, ... ) == 0x0
 02959   484   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 02960   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02961   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02962   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02963   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02964   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == 0x0
 02965   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02966   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 320, ) == 0x0
 02967   484   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02968   484   NtClose  (328, ... ) == 0x0
 02969   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02970   484   NtClose  (320, ... ) == 0x0
 02971   484   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02972   484   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02973   484   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02974   484   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02975   484   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02976   484   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02977   484   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02978   484   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02979   484   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02980   484   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02981   484   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02982   484   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02983   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02984   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16646144, 65536, ) == 0x0
 02985   484   NtAllocateVirtualMemory  (-1, 16646144, 0, 4096, 4096, 4, ... 16646144, 4096, ) == 0x0
 02986   484   NtAllocateVirtualMemory  (-1, 16650240, 0, 8192, 4096, 4, ... 16650240, 8192, ) == 0x0
 02987   484   NtAllocateVirtualMemory  (-1, 16658432, 0, 4096, 4096, 4, ... 16658432, 4096, ) == 0x0
 02988   484   NtQueryPerformanceCounter  (... {119556929, 0}, {3579545, 0}, ) == 0x0
 02989   484   NtRaiseException  (1231556, 1230816, 1, ...
 02990   484   NtContinue  (1229612, 0, ...
 02991   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 02992   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02993   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 02994   484   NtRaiseException  (1221532, 1220792, 1, ...
 02995   484   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 02996   484   NtContinue  (1219588, 0, ...
 02997   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 02998   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02999   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03000   484   NtRaiseException  (1223292, 1222552, 1, ...
 03001   484   NtContinue  (1221348, 0, ...
 03002   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03003   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03004   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03005   484   NtRaiseException  (1223296, 1222556, 1, ...
 03006   484   NtContinue  (1221352, 0, ...
 03007   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03008   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03009   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03010   484   NtRaiseException  (1223292, 1222552, 1, ...
 03011   484   NtContinue  (1221348, 0, ...
 03012   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03013   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03014   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03015   484   NtRaiseException  (1223296, 1222556, 1, ...
 03016   484   NtContinue  (1221352, 0, ...
 03017   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03018   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03019   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03020   484   NtRaiseException  (1223292, 1222552, 1, ...
 03021   484   NtContinue  (1221348, 0, ...
 03022   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03023   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03025   484   NtRaiseException  (1223296, 1222556, 1, ...
 03026   484   NtContinue  (1221352, 0, ...
 03027   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03028   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03029   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03030   484   NtRaiseException  (1223292, 1222552, 1, ...
 03031   484   NtContinue  (1221348, 0, ...
 03032   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03033   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03034   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03035   484   NtRaiseException  (1223296, 1222556, 1, ...
 03036   484   NtContinue  (1221352, 0, ...
 03037   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03038   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03040   484   NtRaiseException  (1223292, 1222552, 1, ...
 03041   484   NtContinue  (1221348, 0, ...
 03042   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03043   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03044   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03045   484   NtRaiseException  (1223296, 1222556, 1, ...
 03046   484   NtContinue  (1221352, 0, ...
 03047   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03048   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03050   484   NtRaiseException  (1223292, 1222552, 1, ...
 03051   484   NtContinue  (1221348, 0, ...
 03052   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03053   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03054   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03055   484   NtRaiseException  (1223296, 1222556, 1, ...
 03056   484   NtContinue  (1221352, 0, ...
 03057   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03058   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03059   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03060   484   NtRaiseException  (1223292, 1222552, 1, ...
 03061   484   NtContinue  (1221348, 0, ...
 03062   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03063   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03064   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03065   484   NtRaiseException  (1223296, 1222556, 1, ...
 03066   484   NtContinue  (1221352, 0, ...
 03067   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03068   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03069   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03070   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 03071   484   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {476, 0}, ... 320, ) == 0x0
 03072   484   NtQueryInformationProcess  (320, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 03073   484   NtClose  (320, ... ) == 0x0
 03074   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 03075   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03076   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 320, ) == 0x0
 03077   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03078   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03079   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 03080   484   NtSetInformationFile  (328, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03081   484   NtSetInformationFile  (328, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03082   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03083   484   NtWriteFile  (328, 133, 0, 0,  (328, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03084   484   NtReadFile  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03085   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03086   484   NtClose  (320, ... ) == 0x0
 03087   484   NtClose  (328, ... ) == 0x0
 03088   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03089   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 03090   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03091   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03092   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 03093   484   NtSetInformationFile  (320, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03094   484   NtSetInformationFile  (320, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03095   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03096   484   NtWriteFile  (320, 133, 0, 0,  (320, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03097   484   NtReadFile  (320, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (320, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03098   484   NtFsControlFile  (320, 133, 0x0, 0x0, 0x11c017,  (320, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (320, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03099   484   NtClose  (328, ... ) == 0x0
 03100   484   NtClose  (320, ... ) == 0x0
 03101   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 03102   484   NtQueryKey  (320, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 03103   484   NtQuerySecurityObject  (320, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03104   484   NtQuerySecurityObject  (320, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03105   484   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 16711680, 524288, ) == 0x0
 03106   484   NtAllocateVirtualMemory  (-1, 16711680, 0, 4096, 4096, 4, ... 16711680, 4096, ) == 0x0
 03107   484   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03108   484   NtClose  (320, ... ) == 0x0
 03109   484   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 03110   484   NtFsControlFile  (320, 0, 0x0, 0x0, 0x600bc,  (320, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (320, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03111   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03112   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 03113   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03114   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03115   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232212,  (0xc0100080, {24, 0, 0x40, 0, 1232212, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 03116   484   NtSetInformationFile  (332, 1232268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03117   484   NtSetInformationFile  (332, 1232260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03118   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03119   484   NtWriteFile  (332, 133, 0, 0,  (332, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03120   484   NtReadFile  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03121   484   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375&\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03122   484   NtClose  (328, ... ) == 0x0
 03123   484   NtClose  (332, ... ) == 0x0
 03124   484   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 03125   484   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 03126   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 03127   484   NtOpenEvent  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 03128   484   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 03129   484   NtClose  (332, ... ) == 0x0
 03130   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03131   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 03132   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03133   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03134   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232248,  (0xc0100080, {24, 0, 0x40, 0, 1232248, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 03135   484   NtSetInformationFile  (328, 1232304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03136   484   NtSetInformationFile  (328, 1232296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03137   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03138   484   NtWriteFile  (328, 133, 0, 0,  (328, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03139   484   NtReadFile  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\202%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03140   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\202%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\202%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03141   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03142   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03143   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03144   484   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03145   484   NtClose  (332, ... ) == 0x0
 03146   484   NtClose  (328, ... ) == 0x0
 03147   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03148   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03149   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03150   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03151   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == 0x0
 03152   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 03153   484   NtQueryValueKey  (328,  (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 03154   484   NtClose  (328, ... ) == 0x0
 03155   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 03156   484   NtQueryValueKey  (328,  (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 03157   484   NtClose  (328, ... ) == 0x0
 03158   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 03159   484   NtQueryValueKey  (328,  (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03160   484   NtClose  (328, ... ) == 0x0
 03161   484   NtRaiseException  (1222216, 1221476, 1, ...
 03162   484   NtContinue  (1220272, 0, ...
 03163   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03164   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03166   484   NtRaiseException  (1222212, 1221472, 1, ...
 03167   484   NtContinue  (1220268, 0, ...
 03168   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03169   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03170   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03171   484   NtCreateMutant  (0x1f0001, {24, 56, 0x80, 1232880, 0,  (0x1f0001, {24, 56, 0x80, 1232880, 0, "HGFSMUTEX"}, 1, ... 328, ) }, 1, ... 328, ) == 0x0
 03172   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03173   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03174   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == 0x0
 03176   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 03177   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 03178   484   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03179   484   NtClose  (332, ... ) == 0x0
 03180   484   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 03181   484   NtClose  (336, ... ) == 0x0
 03182   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03183   484   NtCreateSemaphore  (0x1f0003, {24, 56, 0x80, 1356800, 0,  (0x1f0003, {24, 56, 0x80, 1356800, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 336, ) }, 0, 2147483647, ... 336, ) == STATUS_OBJECT_NAME_EXISTS
 03184   484   NtReleaseSemaphore  (336, 1, ... 0, ) == 0x0
 03185   484   NtWaitForSingleObject  (336, 0, {0, 0}, ... ) == 0x0
 03186   484   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 03187   484   NtQueryValueKey  (332,  (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 03188   484   NtClose  (332, ... ) == 0x0
 03189   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1230432, ... ) }, 1230432, ... ) == 0x0
 03190   484   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 03191   484   NtSetValueKey  (332,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 03192   484   NtClose  (332, ... ) == 0x0
 03193   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 03194   484   NtQueryDirectoryFile  (332, 0, 0, 0, 1230572, 616, BothDirectory, 1,  (332, 0, 0, 0, 1230572, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 03195   484   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 03196   484   NtRaiseException  (1221852, 1221112, 1, ...
 03197   484   NtContinue  (1219908, 0, ...
 03198   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03199   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03200   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03201   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232880, 1232456,  (0xc0100080, {24, 0, 0x40, 1232880, 1232456, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 03202   484   NtRaiseException  (1221852, 1221112, 1, ...
 03203   484   NtContinue  (1219908, 0, ...
 03204   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03205   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03206   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03207   484   NtCreateSection  (0xf0007, {24, 56, 0x80, 1232880, 0,  (0xf0007, {24, 56, 0x80, 1232880, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 340, ... 344, ) }, {27876, 0}, 4, 134217728, 340, ... 344, ) == 0x0
 03208   484   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1070000), {0, 0}, 28672, ) == 0x0
 03209   484   NtReleaseMutant  (328, ... 0x0, ) == 0x0
 03210   484   NtRaiseException  (1223268, 1222528, 1, ...
 03211   484   NtContinue  (1221324, 0, ...
 03212   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03213   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03215   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233924, 1233512,  (0xc0100080, {24, 0, 0x40, 1233924, 1233512, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 03216   484   NtDeviceIoControlFile  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 03217   484   NtClose  (348, ... ) == 0x0
 03218   484   NtRaiseException  (1223248, 1222508, 1, ...
 03219   484   NtContinue  (1221304, 0, ...
 03220   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03221   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03222   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03223   484   NtRaiseException  (1223268, 1222528, 1, ...
 03224   484   NtContinue  (1221324, 0, ...
 03225   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 03226   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03227   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 03228   484   NtAllocateVirtualMemory  (-1, 1466368, 0, 20480, 4096, 4, ... 1466368, 20480, ) == 0x0
 03229   484   NtAllocateVirtualMemory  (-1, 1486848, 0, 20480, 4096, 4, ... 1486848, 20480, ) == 0x0
 03230   484   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 03231   484   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 03232   484   NtOpenEvent  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 03233   484   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 03234   484   NtClose  (348, ... ) == 0x0
 03235   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03236   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 03237   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03238   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03239   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232188,  (0xc0100080, {24, 0, 0x40, 0, 1232188, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 03240   484   NtSetInformationFile  (352, 1232244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03241   484   NtSetInformationFile  (352, 1232236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03242   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03243   484   NtWriteFile  (352, 133, 0, 0,  (352, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03244   484   NtReadFile  (352, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\203%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03245   484   NtFsControlFile  (352, 133, 0x0, 0x0, 0x11c017,  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\203%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\203%\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03246   484   NtFsControlFile  (352, 133, 0x0, 0x0, 0x11c017,  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03247   484   NtFsControlFile  (352, 133, 0x0, 0x0, 0x11c017,  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03248   484   NtFsControlFile  (352, 133, 0x0, 0x0, 0x11c017,  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\222\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03249   484   NtFsControlFile  (352, 133, 0x0, 0x0, 0x11c017,  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\273q\210\274?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03250   484   NtClose  (348, ... ) == 0x0
 03251   484   NtClose  (352, ... ) == 0x0
 03252   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03253   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 03254   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03255   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03256   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232280,  (0xc0100080, {24, 0, 0x40, 0, 1232280, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 03257   484   NtSetInformationFile  (348, 1232336, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03258   484   NtSetInformationFile  (348, 1232328, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03259   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03260   484   NtWriteFile  (348, 133, 0, 0,  (348, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03261   484   NtReadFile  (348, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (348, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256,\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03262   484   NtFsControlFile  (348, 133, 0x0, 0x0, 0x11c017,  (348, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256,\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (348, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256,\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03263   484   NtClose  (352, ... ) == 0x0
 03264   484   NtClose  (348, ... ) == 0x0
 03265   484   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03266   484   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03267   484   NtClose  (348, ... ) == 0x0
 03268   484   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 03269   484   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03270   484   NtClose  (348, ... ) == 0x0
 03271   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03273   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03274   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03275   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03276   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03277   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03278   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03279   484   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03280   484   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03281   484   NtClose  (348, ... ) == 0x0
 03282   484   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 03283   484   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03284   484   NtClose  (348, ... ) == 0x0
 03285   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03286   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03287   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03288   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03289   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03290   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03291   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03292   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03293   484   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 03294   484   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 03295   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03296   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03297   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03298   484   NtClose  (348, ... ) == 0x0
 03299   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 03300   484   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Network"}, ... 352, ) }, ... 352, ) == 0x0
 03301   484   NtClose  (348, ... ) == 0x0
 03302   484   NtQueryKey  (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03303   484   NtQuerySecurityObject  (352, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03304   484   NtQuerySecurityObject  (352, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03305   484   NtWaitForSingleObject  (72, 0, {0, 0}, ... ) == 0x102
 03306   484   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03307   484   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "f"}, ... 348, ) }, ... 348, ) == 0x0
 03308   484   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03309   484   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03310   484   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03311   484   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03312   484   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03313   484   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03314   484   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03315   484   NtClose  (348, ... ) == 0x0
 03316   484   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03317   484   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "u"}, ... 348, ) }, ... 348, ) == 0x0
 03318   484   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03319   484   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03320   484   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03321   484   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03322   484   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03323   484   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03324   484   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03325   484   NtClose  (348, ... ) == 0x0
 03326   484   NtClose  (352, ... ) == 0x0
 03327   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03328   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03329   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03330   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03331   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03332   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03333   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 352, ) }, ... 352, ) == 0x0
 03334   484   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03335   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03336   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03337   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03338   484   NtClose  (348, ... ) == 0x0
 03339   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03340   484   NtEnumerateKey  (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03341   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03342   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03343   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 348, ) }, ... 348, ) == 0x0
 03344   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03345   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03346   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03347   484   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03348   484   NtClose  (356, ... ) == 0x0
 03349   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03350   484   NtQueryValueKey  (350,  (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03351   484   NtClose  (350, ... ) == 0x0
 03352   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03353   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 348, {status=0x0, info=1}, ) }, 3, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 03354   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 356, ) }, ... 356, ) == 0x0
 03355   484   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\WinDfs\U:00000000000091c7", 66, ) , 66, ) == 0x0
 03356   484   NtClose  (356, ... ) == 0x0
 03357   484   NtQueryVolumeInformationFile  (348, 1233600, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03358   484   NtClose  (348, ... ) == 0x0
 03359   484   NtEnumerateKey  (354, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03360   484   NtClose  (354, ... ) == 0x0
 03361   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 03362   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1232384, 616, BothDirectory, 1,  (352, 0, 0, 0, 1232384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03363   484   NtClose  (352, ... ) == 0x0
 03364   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03365   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03366   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 352, ) }, ... 352, ) == 0x0
 03367   484   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03368   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03369   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03370   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03371   484   NtClose  (348, ... ) == 0x0
 03372   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03373   484   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03374   484   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03375   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03376   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03377   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03378   484   NtClose  (348, ... ) == 0x0
 03379   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03380   484   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03381   484   NtClose  (354, ... ) == 0x0
 03382   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03383   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03384   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03385   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03386   484   NtQueryValueKey  (352,  (352, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03387   484   NtClose  (352, ... ) == 0x0
 03388   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03389   484   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 03390   484   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03391   484   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03392   484   NtClose  (352, ... ) == 0x0
 03393   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03394   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03395   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03396   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03397   484   NtQueryValueKey  (352,  (352, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03398   484   NtClose  (352, ... ) == 0x0
 03399   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03400   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03401   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03402   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03403   484   NtQueryValueKey  (352,  (352, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03404   484   NtClose  (352, ... ) == 0x0
 03405   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03406   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03407   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03408   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03409   484   NtQueryValueKey  (352,  (352, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03410   484   NtClose  (352, ... ) == 0x0
 03411   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03412   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03413   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03414   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03415   484   NtQueryValueKey  (352,  (352, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03416   484   NtClose  (352, ... ) == 0x0
 03417   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03418   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03419   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03420   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03421   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03422   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03423   484   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03424   484   NtClose  (352, ... ) == 0x0
 03425   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03426   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03427   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03428   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03429   484   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03430   484   NtClose  (352, ... ) == 0x0
 03431   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03432   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03433   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03434   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03435   484   NtQueryValueKey  (352,  (352, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03436   484   NtClose  (352, ... ) == 0x0
 03437   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03438   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03439   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03440   484   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 352, ) }, ... 352, ) == 0x0
 03441   484   NtQueryValueKey  (352,  (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03442   484   NtQueryValueKey  (352,  (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03443   484   NtQueryValueKey  (352,  (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03444   484   NtQueryValueKey  (352,  (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03445   484   NtQueryValueKey  (352,  (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03446   484   NtQueryValueKey  (352,  (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03447   484   NtQueryValueKey  (352,  (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03448   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03449   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03450   484   NtQueryValueKey  (352,  (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03451   484   NtQueryValueKey  (352,  (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03452   484   NtQueryValueKey  (352,  (352, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03453   484   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03454   484   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03455   484   NtClose  (352, ... ) == 0x0
 03456   484   NtCreateSemaphore  (0x1f0003, {24, 56, 0x80, 1356800, 0,  (0x1f0003, {24, 56, 0x80, 1356800, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 352, ) }, 0, 2147483647, ... 352, ) == STATUS_OBJECT_NAME_EXISTS
 03457   484   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03458   484   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03459   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03460   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03461   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03462   484   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03463   484   NtClose  (356, ... ) == 0x0
 03464   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03465   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03466   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03467   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03468   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03469   484   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03470   484   NtClose  (356, ... ) == 0x0
 03471   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03472   484   NtQueryValueKey  (350,  (350, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03474   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03475   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03476   484   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03477   484   NtClose  (356, ... ) == 0x0
 03478   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479   484   NtQueryValueKey  (350,  (350, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03480   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03481   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03482   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03483   484   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03484   484   NtClose  (356, ... ) == 0x0
 03485   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03486   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03488   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03489   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 356, ) }, ... 356, ) == 0x0
 03490   484   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03491   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03492   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03493   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03494   484   NtClose  (360, ... ) == 0x0
 03495   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496   484   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03498   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03499   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03500   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03501   484   NtClose  (360, ... ) == 0x0
 03502   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03503   484   NtQueryValueKey  (350,  (350, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03504   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03505   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03506   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03507   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03508   484   NtClose  (360, ... ) == 0x0
 03509   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03510   484   NtQueryValueKey  (350,  (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03511   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03512   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03513   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03514   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03515   484   NtClose  (360, ... ) == 0x0
 03516   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03517   484   NtQueryValueKey  (350,  (350, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03518   484   NtClose  (350, ... ) == 0x0
 03519   484   NtClose  (358, ... ) == 0x0
 03520   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 03521   484   NtQueryDirectoryFile  (356, 0, 0, 0, 1232308, 616, BothDirectory, 1,  (356, 0, 0, 0, 1232308, 616, BothDirectory, 1, "dfseqmi.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03522   484   NtClose  (356, ... ) == 0x0
 03523   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03524   484   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 356, ) }, ... 356, ) == 0x0
 03525   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03526   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03527   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03528   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03529   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03530   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 348, ) }, ... 348, ) == 0x0
 03531   484   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03532   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03533   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03534   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03535   484   NtClose  (360, ... ) == 0x0
 03536   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03537   484   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03538   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03539   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03540   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 360, ) }, ... 360, ) == 0x0
 03541   484   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03542   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03543   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03544   484   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03545   484   NtClose  (364, ... ) == 0x0
 03546   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03547   484   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03548   484   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03549   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03550   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03551   484   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03552   484   NtClose  (364, ... ) == 0x0
 03553   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03554   484   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0, ""}, ... 364, ) == 0x0
 03555   484   NtClose  (362, ... ) == 0x0
 03556   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03557   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03558   484   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03559   484   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03560   484   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03561   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03562   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03563   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03564   484   NtClose  (360, ... ) == 0x0
 03565   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03566   484   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03567   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03568   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03569   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03570   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03571   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03572   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03573   484   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03574   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03575   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03576   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03577   484   NtClose  (368, ... ) == 0x0
 03578   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03579   484   NtQueryValueKey  (362,  (362, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03580   484   NtClose  (362, ... ) == 0x0
 03581   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03582   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03583   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03584   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03585   484   NtClose  (360, ... ) == 0x0
 03586   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03587   484   NtQueryValueKey  (366,  (366, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03588   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03589   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03590   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03591   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03592   484   NtClose  (360, ... ) == 0x0
 03593   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03594   484   NtQueryValueKey  (366,  (366, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03595   484   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03596   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03597   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03598   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03599   484   NtClose  (360, ... ) == 0x0
 03600   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03601   484   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03602   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03603   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03604   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 360, ) }, ... 360, ) == 0x0
 03605   484   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03606   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03607   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03608   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03609   484   NtClose  (368, ... ) == 0x0
 03610   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03611   484   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03612   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03613   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03614   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03615   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03616   484   NtClose  (368, ... ) == 0x0
 03617   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03618   484   NtQueryValueKey  (366,  (366, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03619   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03620   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03621   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03622   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03623   484   NtClose  (368, ... ) == 0x0
 03624   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03625   484   NtQueryValueKey  (366,  (366, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03626   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03627   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03628   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03629   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03630   484   NtClose  (368, ... ) == 0x0
 03631   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03632   484   NtQueryValueKey  (366,  (366, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03633   484   NtClose  (350, ... ) == 0x0
 03634   484   NtClose  (366, ... ) == 0x0
 03635   484   NtClose  (362, ... ) == 0x0
 03636   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03637   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03638   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03639   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03640   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03641   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03642   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03643   484   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03644   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03645   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03646   484   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03647   484   NtClose  (364, ... ) == 0x0
 03648   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03649   484   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03650   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03651   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03652   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 364, ) }, ... 364, ) == 0x0
 03653   484   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03654   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03655   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03656   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03657   484   NtClose  (348, ... ) == 0x0
 03658   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03659   484   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03660   484   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03661   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03662   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03663   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03664   484   NtClose  (348, ... ) == 0x0
 03665   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03666   484   NtOpenKey  (0x2000000, {24, 366, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03667   484   NtClose  (366, ... ) == 0x0
 03668   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03669   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03670   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03671   484   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03672   484   NtClose  (364, ... ) == 0x0
 03673   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03674   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03675   484   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03676   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03677   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03678   484   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03679   484   NtClose  (364, ... ) == 0x0
 03680   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03681   484   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03682   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03683   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03684   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03685   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03686   484   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03687   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03688   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03689   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03690   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03691   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03692   484   NtClose  (368, ... ) == 0x0
 03693   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03694   484   NtQueryValueKey  (366,  (366, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03695   484   NtClose  (366, ... ) == 0x0
 03696   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03697   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03698   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 364, ) }, ... 364, ) == 0x0
 03699   484   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03700   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03701   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03702   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03703   484   NtClose  (368, ... ) == 0x0
 03704   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03705   484   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03706   484   NtClose  (362, ... ) == 0x0
 03707   484   NtClose  (350, ... ) == 0x0
 03708   484   NtClose  (366, ... ) == 0x0
 03709   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03710   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03711   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03712   484   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03713   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03714   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03715   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03716   484   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03717   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03718   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03719   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03720   484   NtClose  (348, ... ) == 0x0
 03721   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03722   484   NtQueryValueKey  (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03723   484   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03724   484   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03725   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 348, ) }, ... 348, ) == 0x0
 03726   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03727   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03728   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03729   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03730   484   NtClose  (360, ... ) == 0x0
 03731   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03732   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03733   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03734   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03735   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03736   484   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03737   484   NtClose  (360, ... ) == 0x0
 03738   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03739   484   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0, ""}, ... 360, ) == 0x0
 03740   484   NtClose  (350, ... ) == 0x0
 03741   484   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03742   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03743   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03744   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03745   484   NtClose  (348, ... ) == 0x0
 03746   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03747   484   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "shell\open"}, ... 348, ) }, ... 348, ) == 0x0
 03748   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03749   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03750   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03751   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03752   484   NtClose  (368, ... ) == 0x0
 03753   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03754   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03755   484   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03756   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03757   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03758   484   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03759   484   NtClose  (372, ... ) == 0x0
 03760   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03761   484   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03762   484   NtClose  (370, ... ) == 0x0
 03763   484   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03764   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03765   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03766   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03767   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03768   484   NtClose  (368, ... ) == 0x0
 03769   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03770   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03771   484   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03772   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03773   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03774   484   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03775   484   NtClose  (372, ... ) == 0x0
 03776   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03777   484   NtQueryValueKey  (370,  (370, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03778   484   NtClose  (370, ... ) == 0x0
 03779   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\dfseqmi.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03780   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03781   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03782   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03783   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03784   484   NtClose  (368, ... ) == 0x0
 03785   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03786   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03787   484   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03788   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03789   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03790   484   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03791   484   NtClose  (372, ... ) == 0x0
 03792   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03793   484   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03794   484   NtClose  (370, ... ) == 0x0
 03795   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03796   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03797   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03798   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03799   484   NtClose  (368, ... ) == 0x0
 03800   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03801   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03802   484   NtUserGetForegroundWindow  (... ) == 0x100ac
 03803   484   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03804   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03805   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03806   484   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03807   484   NtClose  (368, ... ) == 0x0
 03808   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03809   484   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03810   484   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03811   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03812   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03813   484   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03814   484   NtClose  (372, ... ) == 0x0
 03815   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03816   484   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03817   484   NtClose  (370, ... ) == 0x0
 03818   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03819   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03820   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03821   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03822   484   NtQueryValueKey  (368,  (368, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03823   484   NtClose  (368, ... ) == 0x0
 03824   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03825   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03826   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03827   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03828   484   NtQueryValueKey  (368,  (368, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03829   484   NtClose  (368, ... ) == 0x0
 03830   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\dfseqmi.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03831   484   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03832   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\dfseqmi.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03833   484   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03834   484   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03835   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03836   484   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03837   484   NtQueryValueKey  (368,  (368, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03838   484   NtClose  (368, ... ) == 0x0
 03839   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\dfseqmi.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03840   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03841   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1228796, ... ) }, 1228796, ... ) == 0x0
 03842   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03843   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03844   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03845   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 372, ) }, ... 372, ) == 0x0
 03846   484   NtQueryValueKey  (372,  (372, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03847   484   NtClose  (372, ... ) == 0x0
 03848   484   NtQueryVolumeInformationFile  (368, 1228796, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03849   484   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03850   484   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03851   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226780, ... ) }, 1226780, ... ) == 0x0
 03852   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03853   484   NtQueryInformationFile  (372, 1227384, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03854   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0
 03855   484   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1080000), 0x0, 1028096, ) == 0x0
 03856   484   NtQueryInformationFile  (372, 1227480, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03857   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03858   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03859   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03860   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03861   484   NtQueryDirectoryFile  (380, 0, 0, 0, 1225044, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225044, 616, BothDirectory, 1, "dfseqmi.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03862   484   NtClose  (380, ... ) == 0x0
 03863   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03864   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03865   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1224432, ... ) }, 1224432, ... ) == 0x0
 03866   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03867   484   NtQueryDirectoryFile  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03868   484   NtClose  (380, ... ) == 0x0
 03869   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03870   484   NtQueryDirectoryFile  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1, "dfseqmi.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03871   484   NtClose  (380, ... ) == 0x0
 03872   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03873   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03874   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03875   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 380, {status=0x0, info=1}, ) }, 3, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 03876   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 384, ) }, ... 384, ) == 0x0
 03877   484   NtQuerySymbolicLinkObject  (384, ...  (384, ... "\Device\WinDfs\U:00000000000091c7", 66, ) , 66, ) == 0x0
 03878   484   NtClose  (384, ... ) == 0x0
 03879   484   NtQueryVolumeInformationFile  (380, 1225184, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03880   484   NtClose  (380, ... ) == 0x0
 03881   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03882   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 380, ) == 0x0
 03883   484   NtQueryInformationToken  (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03884   484   NtClose  (380, ... ) == 0x0
 03885   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03886   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dfseqmi.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03887   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03888   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03889   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dfseqmi.bat"}, 1226712, ... ) }, 1226712, ... ) == 0x0
 03890   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03891   484   NtQueryDirectoryFile  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03892   484   NtClose  (380, ... ) == 0x0
 03893   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03894   484   NtQueryDirectoryFile  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1, "dfseqmi.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03895   484   NtClose  (380, ... ) == 0x0
 03896   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03897   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03898   484   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03899   484   NtQueryVolumeInformationFile  (368, 1227356, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03900   484   NtQueryInformationFile  (368, 1227336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03901   484   NtQueryInformationFile  (368, 1227376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03902   484   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03903   484   NtUnmapViewOfSection  (-1, 0x1080000, ... ) == 0x0
 03904   484   NtClose  (376, ... ) == 0x0
 03905   484   NtClose  (372, ... ) == 0x0
 03906   484   NtClose  (368, ... ) == 0x0
 03907   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03908   484   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03909   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 03910   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03911   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03912   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... 372, ) == 0x0
 03913   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03914   484   NtQuerySection  (372, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03915   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03916   484   NtCreateProcessEx  (1231424, 2035711, 0, -1, 0, 372, 0, 0, 0, ... ) == 0x0
 03917   484   NtSetInformationProcess  (376, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03918   484   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1636,ParentPid=476,}, 0x0, ) == 0x0
 03919   484   NtReadVirtualMemory  (376, 0x7ffdf008, 4, ...  (376, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03920   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03921   484   NtReadVirtualMemory  (376, 0x4ad00000, 4096, ...  (376, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03922   484   NtReadVirtualMemory  (376, 0x4ad3b000, 256, ...  (376, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03923   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03924   484   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1636,ParentPid=476,}, 0x0, ) == 0x0
 03925   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03926   484   NtAllocateVirtualMemory  (-1, 0, 0, 1644, 4096, 4, ... 17301504, 4096, ) == 0x0
 03927   484   NtAllocateVirtualMemory  (376, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03928   484   NtWriteVirtualMemory  (376, 0x10000,  (376, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03929   484   NtAllocateVirtualMemory  (376, 0, 0, 1644, 4096, 4, ... 131072, 4096, ) == 0x0
 03930   484   NtWriteVirtualMemory  (376, 0x20000,  (376, 0x20000, "\0\20\0\0l\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0>\0@\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\20\6\0\0\36\0 \0H\6\0\0\0\0\2\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1644, ... 0x0, ) , 1644, ... 0x0, ) == 0x0
 03931   484   NtWriteVirtualMemory  (376, 0x7ffdf010,  (376, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03932   484   NtWriteVirtualMemory  (376, 0x7ffdf1e8,  (376, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03933   484   NtFreeVirtualMemory  (-1, (0x1080000), 0, 32768, ... (0x1080000), 4096, ) == 0x0
 03934   484   NtAllocateVirtualMemory  (376, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03935   484   NtAllocateVirtualMemory  (376, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03936   484   NtCreateThread  (0x1f03ff, 0x0, 376, 1229688, 1230408, 1, ... 380, {1636, 1536}, ) == 0x0
 03937   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0d\6\0\0\0\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 476, 484, 1623, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0d\6\0\0\0\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 476, 484, 1623, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0d\6\0\0\0\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 476, 484, 1623, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0d\6\0\0\0\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03938   484   NtResumeThread  (380, ... 1, ) == 0x0
 03939   484   NtClose  (368, ... ) == 0x0
 03940   484   NtClose  (372, ... ) == 0x0
 03941   484   NtClose  (350, ... ) == 0x0
 03942   484   NtClose  (366, ... ) == 0x0
 03943   484   NtClose  (362, ... ) == 0x0
 03944   484   NtClose  (376, ... ) == 0x0
 03945   484   NtClose  (380, ... ) == 0x0
 03946   484   NtGdiDeleteObjectApp  (17302660, ... ) == 0x1
 03947   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03948   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03949   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03950   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03951   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03952   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03953   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03954   484   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03955   484   NtUnmapViewOfSection  (-1, 0xac0000, ... ) == 0x0
 03956   484   NtClose  (284, ... ) == 0x0
 03957   484   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03958   484   NtUserDestroyWindow  (131262, ...
 03959   484   NtUserRemoveProp  (131262, 43288, ... ) == 0xffffffff
 03960   484   NtUserRemoveProp  (131262, 43282, ... ) == 0x0
 03961   484   NtUserRemoveProp  (131262, 43287, ... ) == 0x0
 03958   484   NtUserDestroyWindow  ... ) == 0x1
 03962   484   NtUserUnregisterClass  (1234868, 1998258176, 1234856, ... ) == 0x1
 03963   484   NtFreeVirtualMemory  (-1, (0x153000), 8192, 16384, ... (0x153000), 8192, ) == 0x0
 03964   484   NtClose  (188, ... ) == 0x0
 03965   484   NtClose  (180, ... ) == 0x0
 03966   484   NtClose  (184, ... ) == 0x0
 03967   484   NtClose  (160, ... ) == 0x0
 03968   484   NtClose  (176, ... ) == 0x0
 03969   484   NtClose  (208, ... ) == 0x0
 03970   484   NtClose  (212, ... ) == 0x0
 03971   484   NtClose  (204, ... ) == 0x0
 03972   484   NtClose  (196, ... ) == 0x0
 03973   484   NtClose  (200, ... ) == 0x0
 03974   484   NtClose  (224, ... ) == 0x0
 03975   484   NtClose  (228, ... ) == 0x0
 03976   484   NtClose  (216, ... ) == 0x0
 03977   484   NtClose  (220, ... ) == 0x0
 03978   484   NtClose  (248, ... ) == 0x0
 03979   484   NtClose  (240, ... ) == 0x0
 03980   484   NtClose  (244, ... ) == 0x0
 03981   484   NtClose  (232, ... ) == 0x0
 03982   484   NtClose  (236, ... ) == 0x0
 03983   484   NtClose  (252, ... ) == 0x0
 03984   484   NtClose  (256, ... ) == 0x0
 03985   484   NtClose  (268, ... ) == 0x0
 03986   484   NtClose  (272, ... ) == 0x0
 03987   484   NtClose  (260, ... ) == 0x0
 03988   484   NtClose  (264, ... ) == 0x0
 03989   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03990   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1235744, ... ) }, 1235744, ... ) == 0x0
 03991   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1236436, ... ) }, 1236436, ... ) == 0x0
 03992   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 03993   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 264, ... 260, ) == 0x0
 03994   484   NtQueryVolumeInformationFile  (264, 1235744, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03995   484   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03996   484   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03997   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) == 0x0
 03998   484   NtQueryInformationFile  (272, 1234332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03999   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 272, ... 268, ) == 0x0
 04000   484   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1080000), 0x0, 1028096, ) == 0x0
 04001   484   NtQueryInformationFile  (272, 1234428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04002   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04003   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04004   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1231992, 616, BothDirectory, 1,  (256, 0, 0, 0, 1231992, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04005   484   NtClose  (256, ... ) == 0x0
 04006   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04007   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04008   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1231380, ... ) }, 1231380, ... ) == 0x0
 04009   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04010   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04011   484   NtClose  (256, ... ) == 0x0
 04012   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04013   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04014   484   NtClose  (256, ... ) == 0x0
 04015   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04016   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04017   484   NtClose  (256, ... ) == 0x0
 04018   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04019   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04020   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04021   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04022   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 256, ) == 0x0
 04023   484   NtQueryInformationToken  (256, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04024   484   NtClose  (256, ... ) == 0x0
 04025   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04026   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\logon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04027   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04028   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04029   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1233660, ... ) }, 1233660, ... ) == 0x0
 04030   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04031   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04032   484   NtClose  (256, ... ) == 0x0
 04033   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04034   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04035   484   NtClose  (256, ... ) == 0x0
 04036   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 04037   484   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04038   484   NtClose  (256, ... ) == 0x0
 04039   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04040   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04041   484   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 04042   484   NtQueryVolumeInformationFile  (264, 1234304, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04043   484   NtQueryInformationFile  (264, 1234284, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04044   484   NtQueryInformationFile  (264, 1234324, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04045   484   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 04046   484   NtUnmapViewOfSection  (-1, 0x1080000, ... ) == 0x0
 04047   484   NtClose  (268, ... ) == 0x0
 04048   484   NtClose  (272, ... ) == 0x0
 04049   484   NtQuerySection  (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04050   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04051   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 04052   484   NtOpenProcessToken  (-1, 0xa, ... 272, ) == 0x0
 04053   484   NtQueryInformationToken  (272, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 04054   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04055   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 04056   484   NtQueryValueKey  (268,  (268, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (268, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04057   484   NtQueryValueKey  (268,  (268, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (268, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04058   484   NtClose  (268, ... ) == 0x0
 04059   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 04060   484   NtQueryValueKey  (268,  (268, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 04061   484   NtQueryValueKey  (268,  (268, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (268, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 04062   484   NtClose  (268, ... ) == 0x0
 04063   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 268, ) }, ... 268, ) == 0x0
 04064   484   NtQuerySymbolicLinkObject  (268, ...  (268, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 04065   484   NtClose  (268, ... ) == 0x0
 04066   484   NtQueryInformationFile  (264, 1234096, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 04067   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04068   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04069   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1232776, ... ) }, 1232776, ... ) == 0x0
 04070   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 04071   484   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04072   484   NtClose  (268, ... ) == 0x0
 04073   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 04074   484   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04075   484   NtClose  (268, ... ) == 0x0
 04076   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 04077   484   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04078   484   NtClose  (268, ... ) == 0x0
 04079   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04080   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04081   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 04082   484   NtQueryValueKey  (268,  (268, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04083   484   NtClose  (268, ... ) == 0x0
 04084   484   NtQueryInformationToken  (272, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 04085   484   NtQueryInformationToken  (272, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 04086   484   NtClose  (272, ... ) == 0x0
 04087   484   NtCreateProcessEx  (1238372, 2035711, 0, -1, 4, 260, 0, 0, 0, ... ) == 0x0
 04088   484   NtSetInformationProcess  (272, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 04089   484   NtQueryInformationProcess  (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1936,ParentPid=476,}, 0x0, ) == 0x0
 04090   484   NtReadVirtualMemory  (272, 0x7ffdf008, 4, ...  (272, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 04091   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04092   484   NtReadVirtualMemory  (272, 0x400000, 4096, ...  (272, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\352\261W{\21\300t\321ZiY\257$8\16PE\0\0L\1\6\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\306T\2\0\0\20\2\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340\2\0\0\20\0\0\305\1\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0-\3\2\0\226\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\2\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\27\306\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 04093   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04094   484   NtQueryInformationProcess  (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1936,ParentPid=476,}, 0x0, ) == 0x0
 04095   484   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 11272192, 4096, ) == 0x0
 04096   484   NtAllocateVirtualMemory  (272, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04097   484   NtWriteVirtualMemory  (272, 0x10000,  (272, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04098   484   NtAllocateVirtualMemory  (272, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 04099   484   NtWriteVirtualMemory  (272, 0x20000,  (272, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0s\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 04100   484   NtWriteVirtualMemory  (272, 0x7ffdf010,  (272, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04101   484   NtWriteVirtualMemory  (272, 0x7ffdf1e8,  (272, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04102   484   NtFreeVirtualMemory  (-1, (0xac0000), 0, 32768, ... (0xac0000), 4096, ) == 0x0
 04103   484   NtAllocateVirtualMemory  (272, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04104   484   NtAllocateVirtualMemory  (272, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 04105   484   NtProtectVirtualMemory  (272, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 04106   484   NtCreateThread  (0x1f03ff, 0x0, 272, 1236636, 1237356, 1, ... 268, {1936, 1968}, ) == 0x0
 04107   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1443464, 1238456}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1443464, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\14\1\0\0\220\7\0\0\260\7\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 476, 484, 1656, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\14\1\0\0\220\7\0\0\260\7\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 476, 484, 1656, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1443464, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\14\1\0\0\220\7\0\0\260\7\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 476, 484, 1656, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\14\1\0\0\220\7\0\0\260\7\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04108   484   NtResumeThread  (268, ... 1, ) == 0x0
 04109   484   NtClose  (264, ... ) == 0x0
 04110   484   NtClose  (260, ... ) == 0x0
 04111   484   NtTerminateProcess  (0, 0, ...
 02625  1328   NtWaitForMultipleObjects  ... ) == 0xc0
 04111   484   NtTerminateProcess  ... ) == 0x0
 04112   484   NtRaiseException  (1238120, 1237380, 1, ...
 04113   484   NtContinue  (1236176, 0, ...
 04114   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 04115   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04116   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 04117   484   NtRaiseException  (1228096, 1227356, 1, ...
 04118   484   NtContinue  (1226152, 0, ...
 04119   484   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 04120   484   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04121   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 04122   484   NtUnmapViewOfSection  (-1, 0x1070000, ... ) == 0x0
 04123   484   NtClose  (344, ... ) == 0x0
 04124   484   NtClose  (340, ... ) == 0x0
 04125   484   NtClose  (328, ... ) == 0x0
 04126   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 04127   484   NtFreeVirtualMemory  (-1, (0xfe0000), 0, 32768, ... (0xfe0000), 65536, ) == 0x0
 04128   484   NtClose  (324, ... ) == 0x0
 04129   484   NtClose  (320, ... ) == 0x0
 04130   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 04131   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 04132   484   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 04133   484   NtClose  (320, ... ) == 0x0
 04134   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 04135   484   NtFreeVirtualMemory  (-1, (0xab0000), 0, 32768, ... (0xab0000), 65536, ) == 0x0
 04136   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 04137   484   NtFreeVirtualMemory  (-1, (0x970000), 0, 32768, ... (0x970000), 262144, ) == 0x0
 04138   484   NtUnmapViewOfSection  (-1, 0x950000, ... ) == 0x0
 04139   484   NtClose  (276, ... ) == 0x0
 04140   484   NtFreeVirtualMemory  (-1, (0x960000), 4096, 16384, ... (0x960000), 4096, ) == 0x0
 04141   484   NtFreeVirtualMemory  (-1, (0x960000), 0, 32768, ... (0x960000), 65536, ) == 0x0
 04142   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 04143   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 04144   484   NtUnmapViewOfSection  (-1, 0x4c0000, ... ) == 0x0
 04145   484   NtClose  (108, ... ) == 0x0
 04146   484   NtGdiDeleteObjectApp  (17826946, ... ) == 0x1
 04147   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 04148   484   NtUserBuildNameList  (44, 256, 1332432, 1238760, ... ) == 0x0
 04149   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 04150   484   NtUserOpenDesktop  ({24, 44, 0x40, 0, 0,  ({24, 44, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 04151   484   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x3004c, 0x100ea, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x100a4, 0x10084, 0x10078, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x10090, 0x10080, 0x10026, 0x100ee, 0x100e6, 0x100dc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100c0, 0x100bc, 0x100ba, 0x100ac, 0x100d8, 0x100ce, 0x100cc, 0x100b8, 0x100a6, 0x10070, 0x50050, 0x40054, 0x5004e, 0x10082, 0x1007a, 0x1, ), 41, ) == 0x0
 04152   484   NtUserQueryWindow  (196684, 0, ... ) == 0x778
 04153   484   NtUserQueryWindow  (196684, 1, ... ) == 0x7a0
 04154   484   NtUserQueryWindow  (65770, 0, ... ) == 0x778
 04155   484   NtUserQueryWindow  (65770, 1, ... ) == 0x7a0
 04156   484   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 04157   484   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 04158   484   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 04159   484   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 04160   484   NtUserQueryWindow  (65714, 0, ... ) == 0x7e8
 04161   484   NtUserQueryWindow  (65714, 1, ... ) == 0x7ec
 04162   484   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 04163   484   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 04164   484   NtUserQueryWindow  (65700, 0, ... ) == 0x778
 04165   484   NtUserQueryWindow  (65700, 1, ... ) == 0x7a0
 04166   484   NtUserQueryWindow  (65668, 0, ... ) == 0x778
 04167   484   NtUserQueryWindow  (65668, 1, ... ) == 0x7a0
 04168   484   NtUserBuildHwndList  (0, 65668, 1, 0, 64, ... (0x10086, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 04169   484   NtUserQueryWindow  (65670, 0, ... ) == 0x778
 04170   484   NtUserQueryWindow  (65670, 1, ... ) == 0x7a0
 04171   484   NtUserQueryWindow  (65674, 0, ... ) == 0x778
 04172   484   NtUserQueryWindow  (65674, 1, ... ) == 0x7a0
 04173   484   NtUserQueryWindow  (65676, 0, ... ) == 0x778
 04174   484   NtUserQueryWindow  (65676, 1, ... ) == 0x7a0
 04175   484   NtUserQueryWindow  (65678, 0, ... ) == 0x778
 04176   484   NtUserQueryWindow  (65678, 1, ... ) == 0x7a0
 04177   484   NtUserQueryWindow  (65682, 0, ... ) == 0x778
 04178   484   NtUserQueryWindow  (65682, 1, ... ) == 0x7a0
 04179   484   NtUserQueryWindow  (65684, 0, ... ) == 0x778
 04180   484   NtUserQueryWindow  (65684, 1, ... ) == 0x7a0
 04181   484   NtUserQueryWindow  (65686, 0, ... ) == 0x778
 04182   484   NtUserQueryWindow  (65686, 1, ... ) == 0x7a0
 04183   484   NtUserQueryWindow  (65688, 0, ... ) == 0x778
 04184   484   NtUserQueryWindow  (65688, 1, ... ) == 0x7a0
 04185   484   NtUserQueryWindow  (65690, 0, ... ) == 0x778
 04186   484   NtUserQueryWindow  (65690, 1, ... ) == 0x7a0
 04187   484   NtUserQueryWindow  (65694, 0, ... ) == 0x778
 04188   484   NtUserQueryWindow  (65694, 1, ... ) == 0x7a0
 04189   484   NtUserQueryWindow  (65696, 0, ... ) == 0x778
 04190   484   NtUserQueryWindow  (65696, 1, ... ) == 0x7a0
 04191   484   NtUserQueryWindow  (65698, 0, ... ) == 0x778
 04192   484   NtUserQueryWindow  (65698, 1, ... ) == 0x7a0
 04193   484   NtUserQueryWindow  (65656, 0, ... ) == 0x778
 04194   484   NtUserQueryWindow  (65656, 1, ... ) == 0x7a0
 04195   484   NtUserQueryWindow  (65640, 0, ... ) == 0x778
 04196   484   NtUserQueryWindow  (65640, 1, ... ) == 0x7a0
 04197   484   NtUserQueryWindow  (196682, 0, ... ) == 0x778
 04198   484   NtUserQueryWindow  (196682, 1, ... ) == 0x7a0
 04199   484   NtUserQueryWindow  (65638, 0, ... ) == 0x778
 04200   484   NtUserQueryWindow  (65638, 1, ... ) == 0x7a0
 04201   484   NtUserQueryWindow  (196668, 0, ... ) == 0x778
 04202   484   NtUserQueryWindow  (196668, 1, ... ) == 0x7a0
 04203   484   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x10072, 0x10076, 0x1, ), 10, ) == 0x0
 04204   484   NtUserQueryWindow  (196670, 0, ... ) == 0x778
 04205   484   NtUserQueryWindow  (196670, 1, ... ) == 0x7a0
 04206   484   NtUserQueryWindow  (196674, 0, ... ) == 0x778
 04207   484   NtUserQueryWindow  (196674, 1, ... ) == 0x7a0
 04208   484   NtUserQueryWindow  (196672, 0, ... ) == 0x778
 04209   484   NtUserQueryWindow  (196672, 1, ... ) == 0x7a0
 04210   484   NtUserQueryWindow  (196676, 0, ... ) == 0x778
 04211   484   NtUserQueryWindow  (196676, 1, ... ) == 0x7a0
 04212   484   NtUserQueryWindow  (196678, 0, ... ) == 0x778
 04213   484   NtUserQueryWindow  (196678, 1, ... ) == 0x7a0
 04214   484   NtUserQueryWindow  (196680, 0, ... ) == 0x778
 04215   484   NtUserQueryWindow  (196680, 1, ... ) == 0x7a0
 04216   484   NtUserQueryWindow  (65642, 0, ... ) == 0x778
 04217   484   NtUserQueryWindow  (65642, 1, ... ) == 0x7a0
 04218   484   NtUserQueryWindow  (65650, 0, ... ) == 0x778
 04219   484   NtUserQueryWindow  (65650, 1, ... ) == 0x7a0
 04220   484   NtUserQueryWindow  (65654, 0, ... ) == 0x778
 04221   484   NtUserQueryWindow  (65654, 1, ... ) == 0x7a0
 04222   484   NtUserQueryWindow  (65692, 0, ... ) == 0x778
 04223   484   NtUserQueryWindow  (65692, 1, ... ) == 0x7a0
 04224   484   NtUserQueryWindow  (65680, 0, ... ) == 0x778
 04225   484   NtUserQueryWindow  (65680, 1, ... ) == 0x7a0
 04226   484   NtUserQueryWindow  (65664, 0, ... ) == 0x778
 04227   484   NtUserQueryWindow  (65664, 1, ... ) == 0x77c
 04228   484   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 04229   484   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 04230   484   NtUserQueryWindow  (65774, 0, ... ) == 0x664
 04231   484   NtUserQueryWindow  (65774, 1, ... ) == 0x600
 04232   484   NtUserQueryWindow  (65766, 0, ... ) == 0x170
 04233   484   NtUserQueryWindow  (65766, 1, ... ) == 0x184
 04234   484   NtUserQueryWindow  (65756, 0, ... ) == 0x170
 04235   484   NtUserQueryWindow  (65756, 1, ... ) == 0x184
 04236   484   NtUserQueryWindow  (65738, 0, ... ) == 0x7f0
 04237   484   NtUserQueryWindow  (65738, 1, ... ) == 0x7f4
 04238   484   NtUserQueryWindow  (65736, 0, ... ) == 0x7f0
 04239   484   NtUserQueryWindow  (65736, 1, ... ) == 0x7f4
 04240   484   NtUserQueryWindow  (65734, 0, ... ) == 0x7f0
 04241   484   NtUserQueryWindow  (65734, 1, ... ) == 0x7f4
 04242   484   NtUserQueryWindow  (65732, 0, ... ) == 0x7f0
 04243   484   NtUserQueryWindow  (65732, 1, ... ) == 0x7f4
 04244   484   NtUserQueryWindow  (65730, 0, ... ) == 0x7f0
 04245   484   NtUserQueryWindow  (65730, 1, ... ) == 0x7f4
 04246   484   NtUserQueryWindow  (65728, 0, ... ) == 0x7f0
 04247   484   NtUserQueryWindow  (65728, 1, ... ) == 0x7f4
 04248   484   NtUserQueryWindow  (65724, 0, ... ) == 0x7f0
 04249   484   NtUserQueryWindow  (65724, 1, ... ) == 0x7f4
 04250   484   NtUserQueryWindow  (65722, 0, ... ) == 0x7f0
 04251   484   NtUserQueryWindow  (65722, 1, ... ) == 0x7f4
 04252   484   NtUserQueryWindow  (65708, 0, ... ) == 0x7fc
 04253   484   NtUserQueryWindow  (65708, 1, ... ) == 0x70
 04254   484   NtUserQueryWindow  (65752, 0, ... ) == 0x778
 04255   484   NtUserQueryWindow  (65752, 1, ... ) == 0x190
 04256   484   NtUserQueryWindow  (65742, 0, ... ) == 0x778
 04257   484   NtUserQueryWindow  (65742, 1, ... ) == 0x190
 04258   484   NtUserBuildHwndList  (0, 65742, 1, 0, 64, ... (0x100d0, 0x100d2, 0x100d4, 0x100d6, 0x1, ), 5, ) == 0x0
 04259   484   NtUserQueryWindow  (65744, 0, ... ) == 0x778
 04260   484   NtUserQueryWindow  (65744, 1, ... ) == 0x190
 04261   484   NtUserQueryWindow  (65746, 0, ... ) == 0x778
 04262   484   NtUserQueryWindow  (65746, 1, ... ) == 0x190
 04263   484   NtUserQueryWindow  (65748, 0, ... ) == 0x778
 04264   484   NtUserQueryWindow  (65748, 1, ... ) == 0x190
 04265   484   NtUserQueryWindow  (65750, 0, ... ) == 0x778
 04266   484   NtUserQueryWindow  (65750, 1, ... ) == 0x190
 04267   484   NtUserQueryWindow  (65740, 0, ... ) == 0x778
 04268   484   NtUserQueryWindow  (65740, 1, ... ) == 0x7a0
 04269   484   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 04270   484   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 04271   484   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 04272   484   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 04273   484   NtUserQueryWindow  (65648, 0, ... ) == 0x778
 04274   484   NtUserQueryWindow  (65648, 1, ... ) == 0x7c8
 04275   484   NtUserQueryWindow  (327760, 0, ... ) == 0x778
 04276   484   NtUserQueryWindow  (327760, 1, ... ) == 0x77c
 04277   484   NtUserQueryWindow  (262228, 0, ... ) == 0x778
 04278   484   NtUserQueryWindow  (262228, 1, ... ) == 0x77c
 04279   484   NtUserQueryWindow  (327758, 0, ... ) == 0x778
 04280   484   NtUserQueryWindow  (327758, 1, ... ) == 0x77c
 04281   484   NtUserQueryWindow  (65666, 0, ... ) == 0x778
 04282   484   NtUserQueryWindow  (65666, 1, ... ) == 0x77c
 04283   484   NtUserQueryWindow  (65658, 0, ... ) == 0x778
 04284   484   NtUserQueryWindow  (65658, 1, ... ) == 0x77c
 04285   484   NtUserBuildHwndList  (0, 65658, 1, 0, 64, ... (0x1007c, 0x1007e, 0x1, ), 3, ) == 0x0
 04286   484   NtUserQueryWindow  (65660, 0, ... ) == 0x778
 04287   484   NtUserQueryWindow  (65660, 1, ... ) == 0x77c
 04288   484   NtUserQueryWindow  (65662, 0, ... ) == 0x778
 04289   484   NtUserQueryWindow  (65662, 1, ... ) == 0x77c
 04290   484   NtUserCloseDesktop  (108, ...
 04291   484   NtClose  (108, ... ) == 0x0
 04290   484   NtUserCloseDesktop  ... ) == 0x1
 04292   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 04293   484   NtUserOpenDesktop  ({24, 44, 0x40, 0, 0,  ({24, 44, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04294   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 04295   484   NtUserOpenDesktop  ({24, 44, 0x40, 0, 0,  ({24, 44, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04296   484   NtGdiDeleteObjectApp  (134874239, ... ) == 0x1
 04297   484   NtGdiDeleteObjectApp  (101319808, ... ) == 0x1
 04298   484   NtClose  (12, ... ) == 0x0
 04299   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 04300   484   NtFreeVirtualMemory  (-1, (0x14c000), 16384, 16384, ... (0x14c000), 16384, ) == 0x0
 04301   484   NtClose  (100, ... ) == 0x0
 04302   484   NtUnmapViewOfSection  (-1, 0x460000, ... ) == 0x0
 04303   484   NtClose  (104, ... ) == 0x0
 04304   484   NtClose  (96, ... ) == 0x0
 04305   484   NtFreeVirtualMemory  (-1, (0x480000), 0, 32768, ... (0x480000), 262144, ) == 0x0
 04306   484   NtUserUnregisterClass  (1238720, 1991376896, 1238708, ... ) == 0x0
 04307   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 04308   484   NtUnmapViewOfSection  (-1, 0xbd0000, ... ) == 0x0
 04309   484   NtClose  (316, ... ) == 0x0
 04310   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 04311   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04312   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 04313   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04314   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 04315   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04316   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 04317   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04318   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 04319   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04320   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 04321   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04322   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 04323   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04324   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 04325   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04326   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 04327   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04328   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 04329   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04330   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 04331   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04332   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 04333   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04334   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 04335   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04336   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 04337   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04338   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 04339   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04340   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 04341   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04342   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 04343   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04344   484   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 04345   484   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04346   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 04347   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04348   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 04349   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04350   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 04351   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04352   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 04353   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04354   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 04355   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04356   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 04357   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04358   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 04359   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04360   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 04361   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04362   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 04363   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04364   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 04365   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04366   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 04367   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04368   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 04369   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04370   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 04371   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04372   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 04373   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04374   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 04375   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04376   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 04377   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04378   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 04379   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04380   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 04381   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04382   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc017
 04383   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04384   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc019
 04385   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04386   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc018
 04387   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04388   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01a
 04389   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04390   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01c
 04391   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04392   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01e
 04393   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04394   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01b
 04395   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04396   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc068
 04397   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04398   484   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc06a
 04399   484   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04400   484   NtUnmapViewOfSection  (-1, 0x470000, ... ) == 0x0
 04401   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04402   484   NtClose  (336, ... ) == 0x0
 04403   484   NtClose  (156, ... ) == 0x0
 04404   484   NtClose  (352, ... ) == 0x0
 04405   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04406   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04407   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04408   484   NtClose  (152, ... ) == 0x0
 04409   484   NtClose  (356, ... ) == 0x0
 04410   484   NtClose  (116, ... ) == 0x0
 04411   484   NtFreeVirtualMemory  (-1, (0xfd0000), 4096, 32768, ... (0xfd0000), 4096, ) == 0x0
 04412   484   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944}  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 476, 484, 1702, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 476, 484, 1702, 0}  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 476, 484, 1702, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 04413   484   NtTerminateProcess  (-1, 0, ...
 04414   484   NtClose  (48, ... ) == 0x0
NtAddAtom(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultUILanguage(>)	10	NtReadVirtualMemory(>)	32
NtAllocateLocallyUniqueId(>)	1	NtOpenDirectoryObject(>)	2	NtUserGetWindowDC(>)	10	NtOpenThreadToken(>)	33
NtClearEvent(>)	1	NtQueryInformationJobObject(>)	2	NtWriteFile(>)	10	NtQueryInformationThread(>)	34
NtConnectPort(>)	1	NtQueryInstallUILanguage(>)	2	NtSetValueKey(>)	11	NtUnmapViewOfSection(>)	38
NtDelayExecution(>)	1	NtUserCloseDesktop(>)	2	NtUserCallOneParam(>)	11	NtQueryInformationProcess(>)	39
NtDuplicateToken(>)	1	NtUserCreateWindowEx(>)	2	NtUserSystemParametersInfo(>)	11	NtReleaseMutant(>)	41
NtGdiCreateBitmap(>)	1	NtUserDestroyWindow(>)	2	NtOpenProcessToken(>)	14	NtQueryDefaultLocale(>)	45
NtGdiCreateHalftonePalette(>)	1	NtUserGetObjectInformation(>)	2	NtTerminateThread(>)	14	NtUserUnregisterClass(>)	47
NtGdiCreatePaletteInternal(>)	1	NtUserMessageCall(>)	2	NtNotifyChangeKey(>)	15	NtSetInformationThread(>)	49
NtGdiCreatePatternBrushInternal(>)	1	NtOpenMutant(>)	3	NtQueryVolumeInformationFile(>)	15	NtCreateEvent(>)	50
NtGdiDoPalette(>)	1	NtTerminateProcess(>)	3	NtRegisterThreadTerminatePort(>)	16	NtContinue(>)	51
NtGdiInit(>)	1	NtUserOpenDesktop(>)	3	NtTestAlert(>)	16	NtCreateSection(>)	56
NtGdiQueryFontAssocInfo(>)	1	NtUserRemoveProp(>)	3	NtCreateKey(>)	17	NtProtectVirtualMemory(>)	65
NtGdiSelectBitmap(>)	1	NtWaitForMultipleObjects(>)	3	NtCreateThread(>)	17	NtUserFindExistingCursorIcon(>)	68
NtOpenKeyedEvent(>)	1	NtCallbackReturn(>)	4	NtDeviceIoControlFile(>)	17	NtOpenSection(>)	77
NtQueryFullAttributesFile(>)	1	NtCreateMutant(>)	4	NtFsControlFile(>)	17	NtReadFile(>)	77
NtQueryObject(>)	1	NtGdiCreateCompatibleDC(>)	4	NtFlushInstructionCache(>)	18	NtMapViewOfSection(>)	80
NtQueryPerformanceCounter(>)	1	NtOpenEvent(>)	4	NtUserRegisterWindowMessage(>)	19	NtOpenFile(>)	88
NtQuerySystemTime(>)	1	NtQuerySecurityObject(>)	4	NtQueryDirectoryFile(>)	20	NtQuerySystemInformation(>)	89
NtSecureConnectPort(>)	1	NtUserFindWindowEx(>)	4	NtResumeThread(>)	21	NtUserGetClassInfo(>)	91
NtSetSecurityObject(>)	1	NtDuplicateObject(>)	5	NtSetInformationProcess(>)	21	NtUserRegisterClassExWOW(>)	94
NtUserBuildNameList(>)	1	NtGdiGetStockObject(>)	5	NtEnumerateValueKey(>)	23	NtWaitForSingleObject(>)	95
NtUserGetAtomName(>)	1	NtSetInformationObject(>)	5	NtQueryDebugFilterState(>)	24	NtAllocateVirtualMemory(>)	102
NtUserGetDC(>)	1	NtUserGetProcessWindowStation(>)	5	NtSetInformationFile(>)	25	NtOpenProcessTokenEx(>)	110
NtUserGetForegroundWindow(>)	1	NtGdiDeleteObjectApp(>)	6	NtSetEvent(>)	26	NtOpenThreadTokenEx(>)	110
NtUserGetGUIThreadInfo(>)	1	NtOpenSymbolicLinkObject(>)	6	NtCreateFile(>)	27	NtQueryInformationToken(>)	126
NtUserGetThreadDesktop(>)	1	NtQuerySymbolicLinkObject(>)	6	NtRaiseException(>)	27	NtQueryKey(>)	129
NtUserGetThreadState(>)	1	NtCreateSemaphore(>)	7	NtFreeVirtualMemory(>)	28	NtQueryAttributesFile(>)	147
NtUserSetProp(>)	1	NtUserBuildHwndList(>)	7	NtQuerySection(>)	28	NtQueryValueKey(>)	227
NtAccessCheck(>)	2	NtWriteVirtualMemory(>)	8	NtReleaseSemaphore(>)	28	NtUserQueryWindow(>)	302
NtCreateIoCompletion(>)	2	NtQueryVirtualMemory(>)	9	NtRequestWaitReplyPort(>)	28	NtOpenKey(>)	482
NtCreateProcessEx(>)	2	NtUserCallNoParam(>)	9	NtQueryInformationFile(>)	30	NtClose(>)	620
NtGdiCreateSolidBrush(>)	2	NtOpenProcess(>)	10	NtEnumerateKey(>)	31