Summary:


NtAddAtom(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtContinue(>)  29 

NtAllocateLocallyUniqueId(>)  1 
NtGdiHfontCreate(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtQueryInformationFile(>)  30 

NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateSemaphore(>)  7 
NtEnumerateKey(>)  31 

NtClearEvent(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserCallNoParam(>)  7 
NtCreateEvent(>)  32 

NtConnectPort(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryVirtualMemory(>)  8 
NtOpenThreadToken(>)  33 

NtDelayExecution(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtWriteVirtualMemory(>)  8 
NtReleaseMutant(>)  38 

NtDuplicateToken(>)  1 
NtSetEvent(>)  2 
NtWriteFile(>)  9 
NtUnmapViewOfSection(>)  38 

NtGdiCreateBitmap(>)  1 
NtTestAlert(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtQueryInformationProcess(>)  39 

NtGdiCreateHalftonePalette(>)  1 
NtUserCloseDesktop(>)  2 
NtUserGetWindowDC(>)  10 
NtQueryDefaultLocale(>)  42 

NtGdiCreatePaletteInternal(>)  1 
NtUserCreateWindowEx(>)  2 
NtSetValueKey(>)  11 
NtUserUnregisterClass(>)  47 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserDestroyWindow(>)  2 
NtUserCallOneParam(>)  11 
NtUserFindExistingCursorIcon(>)  49 

NtGdiDoPalette(>)  1 
NtUserGetObjectInformation(>)  2 
NtUserSystemParametersInfo(>)  11 
NtProtectVirtualMemory(>)  50 

NtGdiInit(>)  1 
NtUserMessageCall(>)  2 
NtOpenProcessToken(>)  14 
NtCreateSection(>)  56 

NtGdiQueryFontAssocInfo(>)  1 
NtCreateThread(>)  3 
NtQueryVolumeInformationFile(>)  14 
NtUserRegisterClassExWOW(>)  65 

NtGdiSelectBitmap(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  14 
NtWaitForSingleObject(>)  66 

NtOpenKeyedEvent(>)  1 
NtOpenMutant(>)  3 
NtNotifyChangeKey(>)  15 
NtOpenSection(>)  74 

NtQueryFullAttributesFile(>)  1 
NtOpenProcess(>)  3 
NtCreateKey(>)  17 
NtReadFile(>)  77 

NtQueryInformationThread(>)  1 
NtResumeThread(>)  3 
NtDeviceIoControlFile(>)  17 
NtMapViewOfSection(>)  80 

NtQueryObject(>)  1 
NtTerminateProcess(>)  3 
NtFsControlFile(>)  17 
NtAllocateVirtualMemory(>)  84 

NtQueryPerformanceCounter(>)  1 
NtUserOpenDesktop(>)  3 
NtFlushInstructionCache(>)  19 
NtOpenFile(>)  88 

NtQuerySystemTime(>)  1 
NtUserRemoveProp(>)  3 
NtFreeVirtualMemory(>)  19 
NtQuerySystemInformation(>)  89 

NtSecureConnectPort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtUserRegisterWindowMessage(>)  19 
NtUserGetClassInfo(>)  91 

NtUserBuildNameList(>)  1 
NtCreateMutant(>)  4 
NtQueryDirectoryFile(>)  20 
NtOpenProcessTokenEx(>)  110 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtSetInformationProcess(>)  21 
NtOpenThreadTokenEx(>)  110 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtEnumerateValueKey(>)  23 
NtQueryInformationToken(>)  126 

NtUserGetForegroundWindow(>)  1 
NtQuerySecurityObject(>)  4 
NtQueryDebugFilterState(>)  24 
NtQueryKey(>)  129 

NtUserGetGUIThreadInfo(>)  1 
NtGdiGetStockObject(>)  5 
NtRaiseException(>)  25 
NtUserQueryWindow(>)  134 

NtUserGetThreadDesktop(>)  1 
NtReadVirtualMemory(>)  5 
NtSetInformationFile(>)  25 
NtQueryAttributesFile(>)  147 

NtUserSetProp(>)  1 
NtSetInformationObject(>)  5 
NtCreateFile(>)  27 
NtQueryValueKey(>)  223 

NtAccessCheck(>)  2 
NtUserBuildHwndList(>)  5 
NtSetInformationThread(>)  27 
NtOpenKey(>)  475 

NtCreateIoCompletion(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtQuerySection(>)  28 
NtClose(>)  570 

NtCreateProcessEx(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtReleaseSemaphore(>)  28 

Trace:
 00001   532   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   532   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   532   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   532   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   532   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   532   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   532   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   532   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   532   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   532   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   532   NtClose  (12, ... ) == 0x0
 00014   532   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   532   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   532   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   532   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   532   NtClose  (16, ... ) == 0x0
 00021   532   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   532   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   532   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   532   NtClose  (16, ... ) == 0x0
 00026   532   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   532   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   532   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   532   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   532   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 508, 532, 1535, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 508, 532, 1535, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 508, 532, 1535, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   532   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   532   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   532   NtClose  (16, ... ) == 0x0
 00036   532   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   532   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   532   NtClose  (28, ... ) == 0x0
 00041   532   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   532   NtClose  (28, ... ) == 0x0
 00045   532   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   532   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   532   NtClose  (28, ... ) == 0x0
 00049   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   532   NtClose  (28, ... ) == 0x0
 00052   532   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   532   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 508, 532, 1544, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 508, 532, 1544, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 508, 532, 1544, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   532   NtProtectVirtualMemory  (-1, (0x42f000), 6100, 4, ... (0x42f000), 8192, 128, ) == 0x0
 00057   532   NtProtectVirtualMemory  (-1, (0x42f000), 8192, 128, ... (0x42f000), 8192, 4, ) == 0x0
 00058   532   NtFlushInstructionCache  (-1, 4386816, 6100, ... ) == 0x0
 00059   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   532   NtClose  (28, ... ) == 0x0
 00062   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   532   NtClose  (28, ... ) == 0x0
 00065   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   532   NtClose  (28, ... ) == 0x0
 00068   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   532   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   532   NtClose  (28, ... ) == 0x0
 00071   532   NtProtectVirtualMemory  (-1, (0x42f000), 6100, 4, ... (0x42f000), 8192, 64, ) == 0x0
 00072   532   NtProtectVirtualMemory  (-1, (0x42f000), 8192, 64, ... (0x42f000), 8192, 4, ) == 0x0
 00073   532   NtFlushInstructionCache  (-1, 4386816, 6100, ... ) == 0x0
 00074   532   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   532   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   532   NtClose  (28, ... ) == 0x0
 00077   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   532   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   532   NtClose  (28, ... ) == 0x0
 00080   532   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   532   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   532   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   532   NtClose  (28, ... ) == 0x0
 00085   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   532   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   532   NtClose  (28, ... ) == 0x0
 00088   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   532   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   532   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 508, 532, 1564, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 508, 532, 1564, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 508, 532, 1564, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   532   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00095   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   532   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   532   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482052, ) == 0x0
 00098   532   NtQueryInformationToken  (-2147482052, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   532   NtQueryInformationToken  (-2147482052, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   532   NtClose  (-2147482052, ... ) == 0x0
 00101   532   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   532   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   532   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   532   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00105   532   NtQueryValueKey  (-2147482052,  (-2147482052, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   532   NtClose  (-2147482052, ... ) == 0x0
 00107   532   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00108   532   NtQueryValueKey  (-2147482052,  (-2147482052, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   532   NtClose  (-2147482052, ... ) == 0x0
 00110   532   NtQueryDefaultLocale  (0, -136148468, ... ) == 0x0
 00111   532   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   532   NtUserCallNoParam  (24, ... ) == 0x0
 00113   532   NtGdiCreateCompatibleDC  (0, ...
 00114   532   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   532   NtGdiCreateCompatibleDC  ... ) == 0x10010448
 00115   532   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   532   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   532   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f
 00118   532   NtGdiCreateSolidBrush  (0, 0, ...
 00119   532   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00118   532   NtGdiCreateSolidBrush  ... ) == 0x8100452
 00120   532   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   532   NtGdiCreateCompatibleDC  (0, ... ) == 0x6010453
 00122   532   NtGdiSelectBitmap  (100729939, 184878159, ... ) == 0x185000f
 00123   532   NtUserGetThreadDesktop  (532, 0, ... ) == 0x2c
 00124   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   532   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   532   NtClose  (52, ... ) == 0x0
 00127   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x8126c017
 00129   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x8126c01c
 00131   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x8126c01e
 00133   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x81268002
 00135   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x8126c018
 00137   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x8126c01a
 00139   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x8126c01d
 00141   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x8126c026
 00143   532   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   532   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x8126c019
 00145   532   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8126c020
 00146   532   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8126c022
 00147   532   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8126c023
 00148   532   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8126c024
 00149   532   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00150   532   NtAllocateVirtualMemory  (-1, 5681152, 0, 4096, 4096, 32, ... 5681152, 4096, ) == 0x0
 00149   532   NtUserRegisterClassExWOW  ... ) == 0x8126c025
 00151   532   NtCallbackReturn  (0, 0, 0, ...
 00152   532   NtGdiInit  (... ) == 0x1
 00153   532   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   532   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   532   NtTestAlert  (... ) == 0x0
 00156   532   NtContinue  (1244464, 1, ...
 00157   532   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x42fa39,}, 4, ... ) == 0x0
 00158   532   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 8781824, 4096, ) == 0x0
 00159   532   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 8847360, 4096, ) == 0x0
 00160   532   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 8912896, 4096, ) == 0x0
 00161   532   NtAllocateVirtualMemory  (-1, 0, 0, 139264, 4096, 4, ... 8978432, 139264, ) == 0x0
 00162   532   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 9175040, 28672, ) == 0x0
 00163   532   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 28672, ) == 0x0
 00164   532   NtFreeVirtualMemory  (-1, (0x890000), 0, 32768, ... (0x890000), 139264, ) == 0x0
 00165   532   NtProtectVirtualMemory  (-1, (0x420664), 20, 64, ... (0x420000), 4096, 4, ) == 0x0
 00166   532   NtProtectVirtualMemory  (-1, (0x420599), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00167   532   NtProtectVirtualMemory  (-1, (0x42059d), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00168   532   NtProtectVirtualMemory  (-1, (0x4205a1), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00169   532   NtProtectVirtualMemory  (-1, (0x4205a5), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00170   532   NtProtectVirtualMemory  (-1, (0x4205a9), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00171   532   NtProtectVirtualMemory  (-1, (0x4205ad), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00172   532   NtProtectVirtualMemory  (-1, (0x420678), 20, 64, ... (0x420000), 4096, 64, ) == 0x0
 00173   532   NtProtectVirtualMemory  (-1, (0x4205b5), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00174   532   NtProtectVirtualMemory  (-1, (0x4205b9), 4, 64, ... (0x420000), 4096, 64, ) == 0x0
 00175   532   NtFreeVirtualMemory  (-1, (0x860000), 0, 32768, ... (0x860000), 4096, ) == 0x0
 00176   532   NtFreeVirtualMemory  (-1, (0x880000), 0, 32768, ... (0x880000), 4096, ) == 0x0
 00177   532   NtFreeVirtualMemory  (-1, (0x870000), 0, 32768, ... (0x870000), 4096, ) == 0x0
 00178   532   NtAllocateVirtualMemory  (-1, 0, 0, 90087, 4096, 4, ... 8781824, 90112, ) == 0x0
 00179   532   NtFreeVirtualMemory  (-1, (0x860000), 90087, 4, ... ) == STATUS_INVALID_PARAMETER_4
 00180   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00181   532   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   532   NtClose  (52, ... ) == 0x0
 00183   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00184   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00185   532   NtClose  (52, ... ) == 0x0
 00186   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00187   532   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8912896, 65536, ) == 0x0
 00188   532   NtAllocateVirtualMemory  (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0
 00189   532   NtAllocateVirtualMemory  (-1, 8916992, 0, 8192, 4096, 4, ... 8916992, 8192, ) == 0x0
 00190   532   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00191   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x890000), 0x0, 12288, ) == 0x0
 00192   532   NtClose  (52, ... ) == 0x0
 00193   532   NtAllocateVirtualMemory  (-1, 8925184, 0, 4096, 4096, 4, ... 8925184, 4096, ) == 0x0
 00194   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243056, ... ) }, 1243056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00196   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243056, ... ) }, 1243056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243056, ... ) }, 1243056, ... ) == 0x0
 00198   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00199   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00200   532   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00201   532   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00202   532   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00203   532   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00204   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00205   532   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00206   532   NtClose  (64, ... ) == 0x0
 00207   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00208   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00209   532   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00210   532   NtClose  (64, ... ) == 0x0
 00211   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212   532   NtClose  (60, ... ) == 0x0
 00213   532   NtClose  (52, ... ) == 0x0
 00214   532   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00215   532   NtClose  (56, ... ) == 0x0
 00216   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242252, ... ) }, 1242252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00218   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242252, ... ) }, 1242252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242252, ... ) }, 1242252, ... ) == 0x0
 00220   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00221   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00222   532   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00223   532   NtClose  (56, ... ) == 0x0
 00224   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00225   532   NtClose  (52, ... ) == 0x0
 00226   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00227   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00228   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00229   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00230   532   NtClose  (52, ... ) == 0x0
 00231   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00232   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00233   532   NtClose  (52, ... ) == 0x0
 00234   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00236   532   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00237   532   NtClose  (52, ... ) == 0x0
 00238   532   NtQueryDefaultUILanguage  (1241412, ...
 00239   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00240   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 00241   532   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00242   532   NtClose  (-2147482052, ... ) == 0x0
 00243   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00244   532   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00245   532   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482064, ) }, ... -2147482064, ) == 0x0
 00246   532   NtQueryValueKey  (-2147482064,  (-2147482064, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00247   532   NtClose  (-2147482064, ... ) == 0x0
 00248   532   NtClose  (-2147482052, ... ) == 0x0
 00238   532   NtQueryDefaultUILanguage  ... ) == 0x0
 00249   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250   532   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00251   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00252   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00253   532   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8a0000), 0x0, 8323072, ) == 0x0
 00254   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   532   NtQueryDefaultUILanguage  (2013024600, ...
 00256   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00257   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 00258   532   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00259   532   NtClose  (-2147482052, ... ) == 0x0
 00260   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00261   532   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   532   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482064, ) }, ... -2147482064, ) == 0x0
 00263   532   NtQueryValueKey  (-2147482064,  (-2147482064, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   532   NtClose  (-2147482064, ... ) == 0x0
 00265   532   NtClose  (-2147482052, ... ) == 0x0
 00255   532   NtQueryDefaultUILanguage  ... ) == 0x0
 00266   532   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00267   532   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00268   532   NtQueryDefaultLocale  (1, 1239448, ... ) == 0x0
 00269   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   532   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240304, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240304, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\301\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\360\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1575, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\301\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\360\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 508, 532, 1575, 0}  (24, {128, 156, new_msg, 0, 1240304, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\301\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\360\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1575, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\301\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\360\363\22\0\0\0\0\0" )  ) == 0x0
 00271   532   NtClose  (52, ... ) == 0x0
 00272   532   NtClose  (56, ... ) == 0x0
 00273   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00274   532   NtUnmapViewOfSection  (-1, 0x12f3f0, ... ) == STATUS_NOT_MAPPED_VIEW
 00275   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00276   532   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00277   532   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00279   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00280   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238532, ... ) }, 1238532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00282   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00283   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00284   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239124, ... ) }, 1239124, ... ) == 0x0
 00285   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00286   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00287   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00288   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00289   532   NtClose  (52, ... ) == 0x0
 00290   532   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 921600, ) == 0x0
 00291   532   NtClose  (60, ... ) == 0x0
 00292   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00293   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00294   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00295   532   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00296   532   NtClose  (60, ... ) == 0x0
 00297   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00298   532   NtClose  (52, ... ) == 0x0
 00299   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00300   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00301   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00302   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00303   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00304   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00305   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00306   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00307   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00308   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00309   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00310   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00311   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00312   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00313   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00314   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00315   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00316   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00317   532   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00318   532   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00319   532   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00320   532   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240308, ... ) , 42, 1240308, ... ) == 0x0
 00321   532   NtQueryDefaultUILanguage  (1239024, ...
 00322   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00323   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 00324   532   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00325   532   NtClose  (-2147482052, ... ) == 0x0
 00326   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00327   532   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00328   532   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482064, ) }, ... -2147482064, ) == 0x0
 00329   532   NtQueryValueKey  (-2147482064,  (-2147482064, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330   532   NtClose  (-2147482064, ... ) == 0x0
 00331   532   NtClose  (-2147482052, ... ) == 0x0
 00321   532   NtQueryDefaultUILanguage  ... ) == 0x0
 00332   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237876, ... ) }, 1237876, ... ) == 0x0
 00334   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00335   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00336   532   NtClose  (52, ... ) == 0x0
 00337   532   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 4096, ) == 0x0
 00338   532   NtClose  (60, ... ) == 0x0
 00339   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00340   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237516, ... ) }, 1237516, ... ) == 0x0
 00341   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238216,  (0x80100080, {24, 0, 0x40, 0, 1238216, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00342   532   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00343   532   NtClose  (60, ... ) == 0x0
 00344   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8a0000), {0, 0}, 4096, ) == 0x0
 00345   532   NtClose  (52, ... ) == 0x0
 00346   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00347   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00348   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00349   532   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8a0000), 0x0, 4096, ) == 0x0
 00350   532   NtQueryInformationFile  (52, 1237836, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00351   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00352   532   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237916, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237916, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\234\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1576, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\234\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 508, 532, 1576, 0}  (24, {128, 156, new_msg, 0, 1237916, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\234\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1576, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\234\352\22\0\0\0\0\0" )  ) == 0x0
 00353   532   NtClose  (52, ... ) == 0x0
 00354   532   NtClose  (60, ... ) == 0x0
 00355   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00356   532   NtUnmapViewOfSection  (-1, 0x12ea9c, ... ) == STATUS_NOT_MAPPED_VIEW
 00357   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00358   532   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00359   532   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00360   532   NtUserGetDC  (0, ... ) == 0x1010051
 00361   532   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00362   532   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00363   532   NtUserSystemParametersInfo  (66, 12, 1240328, 0, ... ) == 0x1
 00364   532   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00365   532   NtAccessCheck  (1329520, 60, 0x1, 1239732, 1239676, 56, 1239760, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00366   532   NtClose  (60, ... ) == 0x0
 00367   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00368   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00369   532   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00370   532   NtClose  (60, ... ) == 0x0
 00371   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00372   532   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00373   532   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00374   532   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00375   532   NtClose  (52, ... ) == 0x0
 00376   532   NtUserSystemParametersInfo  (41, 500, 1239828, 0, ... ) == 0x1
 00377   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00378   532   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00380   532   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00381   532   NtClose  (64, ... ) == 0x0
 00382   532   NtClose  (52, ... ) == 0x0
 00383   532   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00384   532   NtUserSystemParametersInfo  (4130, 0, 1240352, 0, ... ) == 0x1
 00385   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00386   532   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00387   532   NtClose  (52, ... ) == 0x0
 00388   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00389   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c03b
 00390   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c03d
 00391   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00392   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c03f
 00393   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00394   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c041
 00395   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00396   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c043
 00397   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c045
 00398   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00399   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c047
 00400   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00401   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c049
 00402   532   NtUserGetClassInfo  (1905590272, 1240248, 1240200, 1240276, 0, ... ) == 0xc049
 00403   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00404   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c04b
 00405   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00406   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c04d
 00407   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00408   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c04f
 00409   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c051
 00410   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00411   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c053
 00412   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00413   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c055
 00414   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c057
 00415   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00416   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c059
 00417   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10013
 00418   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c05b
 00419   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00420   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c05d
 00421   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00422   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c05f
 00423   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00424   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c017
 00425   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00426   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c019
 00427   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10013
 00428   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c018
 00429   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00430   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c01a
 00431   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00432   532   NtUserRegisterClassExWOW  (1240084, 1240164, 1240148, 1240180, 0, 384, 0, ... ) == 0x8126c01c
 00433   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00434   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ... ) == 0x8126c01e
 00435   532   NtUserFindExistingCursorIcon  (1239632, 1239648, 1240216, ... ) == 0x10011
 00436   532   NtUserRegisterClassExWOW  (1240144, 1240224, 1240208, 1240240, 0, 384, 0, ... ) == 0x8126c01b
 00437   532   NtUserFindExistingCursorIcon  (1239628, 1239644, 1240212, ... ) == 0x10011
 00438   532   NtUserRegisterClassExWOW  (1240140, 1240220, 1240204, 1240236, 0, 384, 0, ... ) == 0x8126c068
 00439   532   NtUserFindExistingCursorIcon  (1239636, 1239652, 1240220, ... ) == 0x10011
 00440   532   NtUserRegisterClassExWOW  (1240088, 1240168, 1240152, 1240184, 0, 384, 0, ...
 00441   532   NtAllocateVirtualMemory  (-1, 5685248, 0, 4096, 4096, 32, ... 5685248, 4096, ) == 0x0
 00440   532   NtUserRegisterClassExWOW  ... ) == 0x8126c06a
 00442   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00443   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00444   532   NtClose  (52, ... ) == 0x0
 00445   532   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {508, 0}, ... 52, ) == 0x0
 00446   532   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00447   532   NtClose  (52, ... ) == 0x0
 00448   532   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00449   532   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00450   532   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00451   532   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00452   532   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00453   532   NtClose  (52, ... ) == 0x0
 00454   532   NtUserSystemParametersInfo  (41, 500, 1240988, 0, ... ) == 0x1
 00455   532   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00456   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00457   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00458   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c03b
 00459   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00460   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c03d
 00461   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00462   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00463   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c03f
 00464   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00465   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00466   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c041
 00467   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00468   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00469   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c043
 00470   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00471   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c045
 00472   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00473   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00474   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c047
 00475   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00476   532   NtUserFindExistingCursorIcon  (1240776, 1240792, 1241360, ... ) == 0x10011
 00477   532   NtUserRegisterClassExWOW  (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x8126c049
 00478   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00479   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00480   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c04b
 00481   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00482   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00483   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c04d
 00484   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00485   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00486   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c04f
 00487   532   NtUserGetClassInfo  (1999896576, 1241400, 1241352, 1241428, 0, ... ) == 0x0
 00488   532   NtUserRegisterClassExWOW  (1241236, 1241316, 1241300, 1241332, 0, 384, 0, ... ) == 0x8126c051
 00489   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00490   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00491   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c053
 00492   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00493   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00494   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c055
 00495   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c057
 00496   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00497   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00498   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c059
 00499   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00500   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10013
 00501   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c05b
 00502   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00503   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00504   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c05d
 00505   532   NtUserGetClassInfo  (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0
 00506   532   NtUserFindExistingCursorIcon  (1240780, 1240796, 1241364, ... ) == 0x10011
 00507   532   NtUserRegisterClassExWOW  (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x8126c05f
 00508   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc03b
 00509   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc03d
 00510   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc03f
 00511   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc041
 00512   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc043
 00513   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc045
 00514   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc047
 00515   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc049
 00516   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc04b
 00517   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc04d
 00518   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc04f
 00519   532   NtUserGetClassInfo  (1999896576, 1243152, 1243104, 1243180, 0, ... ) == 0xc051
 00520   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc053
 00521   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc055
 00522   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc059
 00523   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc05b
 00524   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc05d
 00525   532   NtUserGetClassInfo  (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc05f
 00526   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00527   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00528   532   NtClose  (52, ... ) == 0x0
 00529   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00530   532   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00531   532   NtClose  (52, ... ) == 0x0
 00532   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00533   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00534   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00535   532   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00536   532   NtClose  (52, ... ) == 0x0
 00537   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00538   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00539   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00540   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00541   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00542   532   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00543   532   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   532   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   532   NtClose  (52, ... ) == 0x0
 00546   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00547   532   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   532   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   532   NtClose  (52, ... ) == 0x0
 00550   532   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00551   532   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00552   532   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00553   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   532   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00557   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00558   532   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00559   532   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0
 00560   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   532   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00562   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00565   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00566   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00567   532   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00568   532   NtClose  (68, ... ) == 0x0
 00569   532   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00570   532   NtClose  (72, ... ) == 0x0
 00571   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00572   532   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00573   532   NtClose  (72, ... ) == 0x0
 00574   532   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 72, ) == 0x0
 00575   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00576   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 76, ) }, ... 76, ) == 0x0
 00577   532   NtNotifyChangeKey  (76, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00578   532   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00579   532   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00580   532   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00581   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00585   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00586   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00587   532   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00588   532   NtClose  (88, ... ) == 0x0
 00589   532   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00590   532   NtClose  (92, ... ) == 0x0
 00591   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00594   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 00595   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00596   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00597   532   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00598   532   NtClose  (92, ... ) == 0x0
 00599   532   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00600   532   NtClose  (88, ... ) == 0x0
 00601   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00602   532   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9175040, 262144, ) == 0x0
 00603   532   NtAllocateVirtualMemory  (-1, 9175040, 0, 4096, 4096, 4, ... 9175040, 4096, ) == 0x0
 00604   532   NtAllocateVirtualMemory  (-1, 9179136, 0, 8192, 4096, 4, ... 9179136, 8192, ) == 0x0
 00605   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00606   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00607   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00608   532   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00609   532   NtClose  (88, ... ) == 0x0
 00610   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00611   532   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00612   532   NtClose  (88, ... ) == 0x0
 00613   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00614   532   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00615   532   NtClose  (88, ... ) == 0x0
 00616   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617   532   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00618   532   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00619   532   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00620   532   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238328, 0,  (0x1f0003, {24, 52, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00621   532   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 00622   532   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00623   532   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 00624   532   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00625   532   NtQueryDefaultUILanguage  (1236564, ...
 00626   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00627   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 00628   532   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00629   532   NtClose  (-2147482052, ... ) == 0x0
 00630   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00631   532   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00632   532   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482064, ) }, ... -2147482064, ) == 0x0
 00633   532   NtQueryValueKey  (-2147482064,  (-2147482064, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   532   NtClose  (-2147482064, ... ) == 0x0
 00635   532   NtClose  (-2147482052, ... ) == 0x0
 00625   532   NtQueryDefaultUILanguage  ... ) == 0x0
 00636   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00637   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00638   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00639   532   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x900000), 0x0, 593920, ) == 0x0
 00640   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   532   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00642   532   NtQueryDefaultLocale  (1, 1234600, ... ) == 0x0
 00643   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   532   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\227\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1580, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\227\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 508, 532, 1580, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\227\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1580, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\227\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ) == 0x0
 00645   532   NtClose  (96, ... ) == 0x0
 00646   532   NtClose  (100, ... ) == 0x0
 00647   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00648   532   NtUnmapViewOfSection  (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW
 00649   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00650   532   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00652   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00653   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00655   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00657   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 00658   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00659   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00660   532   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00661   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00662   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   532   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 00665   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00666   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00667   532   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00668   532   NtClose  (104, ... ) == 0x0
 00669   532   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00670   532   NtClose  (108, ... ) == 0x0
 00671   532   NtAllocateVirtualMemory  (-1, 8929280, 0, 8192, 4096, 4, ... 8929280, 8192, ) == 0x0
 00672   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00673   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00674   532   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00675   532   NtClose  (108, ... ) == 0x0
 00676   532   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00677   532   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   532   NtClose  (108, ... ) == 0x0
 00679   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 00680   532   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00681   532   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00682   532   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00683   532   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00684   532   NtClose  (108, ... ) == 0x0
 00685   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 00686   532   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00687   532   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00688   532   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00689   532   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00690   532   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00691   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0
 00692   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00693   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00694   532   NtClose  (104, ... ) == 0x0
 00695   532   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 135168, ) == 0x0
 00696   532   NtClose  (112, ... ) == 0x0
 00697   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00698   532   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00699   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 00700   532   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0
 00701   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239188,  (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00702   532   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00703   532   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 135168, ) == 0x0
 00704   532   NtQueryDefaultLocale  (1, 1238996, ... ) == 0x0
 00705   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00706   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00707   532   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00708   532   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00709   532   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00710   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00711   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00712   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00713   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00714   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00715   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00716   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00717   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00718   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00719   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00720   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00721   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00722   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00723   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00724   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00725   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00726   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00727   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00728   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00729   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00730   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00731   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00732   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00733   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00734   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00735   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00736   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00737   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00738   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00739   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00740   532   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00741   532   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00742   532   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00743   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 00744   532   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 00745   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00746   532   NtClose  (104, ... ) == 0x0
 00747   532   NtClose  (112, ... ) == 0x0
 00748   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0
 00749   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00750   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 00751   532   NtClose  (112, ... ) == 0x0
 00752   532   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 135168, ) == 0x0
 00753   532   NtClose  (104, ... ) == 0x0
 00754   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00755   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0
 00756   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00757   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 00758   532   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00759   532   NtClose  (104, ... ) == 0x0
 00760   532   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 00761   532   NtClose  (112, ... ) == 0x0
 00762   532   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00763   532   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00764   532   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00765   532   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00766   532   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00767   532   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00768   532   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00769   532   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00770   532   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00771   532   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00772   532   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00773   532   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00774   532   NtAllocateVirtualMemory  (-1, 1359872, 0, 20480, 4096, 4, ... 1359872, 20480, ) == 0x0
 00775   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00776   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00777   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00778   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00779   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00780   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00781   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00782   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00783   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00784   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00785   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00786   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00787   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00788   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00789   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00790   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00791   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00792   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00793   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00794   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00795   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00796   532   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00797   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... ) == 0x0
 00798   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237720,  (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00799   532   NtQueryVolumeInformationFile  (112, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00800   532   NtQueryInformationFile  (112, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00801   532   NtQueryInformationFile  (112, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00802   532   NtClose  (112, ... ) == 0x0
 00803   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0
 00804   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237212,  (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00805   532   NtQueryVolumeInformationFile  (112, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00806   532   NtQueryInformationFile  (112, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00807   532   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00808   532   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 135168, ) == 0x0
 00809   532   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 00810   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00811   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00812   532   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 00813   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00814   532   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00815   532   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00816   532   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00817   532   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00818   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00819   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00820   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00821   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00822   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00823   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00824   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00825   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00826   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00827   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00828   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00829   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00830   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00831   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00832   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00833   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00834   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00835   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00836   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00837   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00838   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00839   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00840   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00841   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00842   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00843   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00844   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00845   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00846   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00847   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00848   532   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00849   532   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00850   532   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00851   532   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00852   532   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00853   532   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 00854   532   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 00855   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00856   532   NtClose  (104, ... ) == 0x0
 00857   532   NtClose  (112, ... ) == 0x0
 00858   532   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 00859   532   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00860   532   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00861   532   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00862   532   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00863   532   NtClose  (112, ... ) == 0x0
 00864   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865   532   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00866   532   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 00867   532   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 00868   532   NtClose  (112, ... ) == 0x0
 00869   532   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 00870   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 00871   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00872   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00873   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00874   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00875   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00876   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00877   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00878   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00879   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00880   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\2267\205\57\312k\267\35\307{J\253\255\362=(\242\2035\22e\363=N\225\203\335X#\11\314\204-x\2369\13c*r|\232%\311\310o\3376\37mx\376\216\232\347\260\337\220?\2525\3242\204.\266ZY\366\272e\3643\255d\34\310\211\337", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\2267\205\57\312k\267\35\307{J\253\255\362=(\242\2035\22e\363=N\225\203\335X#\11\314\204-x\2369\13c*r|\232%\311\310o\3376\37mx\376\216\232\347\260\337\220?\2525\3242\204.\266ZY\366\272e\3643\255d\34\310\211\337", 80, ... ) , 80, ... ) == 0x0
 00881   532   NtClose  (-2147482052, ... ) == 0x0
 00871   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\33\21\265\200\2177\312\361\300j\200\324\345\177`\275 \344\310\262*i\231\357\11\272r\313\236\367\222\256M\29"\273^\365Ut\313)<\13"\6n#\27U\3765j\203\200V\317l(\302:&f@\271\240l\0@Z\337\240\310\303\33\274\3107r;h#\223\270X\3277\265\0\251\274J:W\316(3\223\242f\360\236\366G\375r\2\241(\305\265\265\321\12a+\W$Q\202\220\253\254\0\376\263\360\335d\351=yJs\237G\341A~+>\236\77\252%\224\13\253\201\277\322\225\377\203\211]\34\346A\261\35\213\35\22\345\345\242\16\251\334s%Y\312\255\226+DR\312\306,\323\374v\215\327S\217\275\31\351\32\322w{<\332r\375\\302\343\252\11\264P\233\35U\210\355\310\341U\341\206-\213r\305\264\352E\303L\11w\374(\255a\35\314\346\344hm\275}\3108\211\310Yd\256\0", ) \273^\365Ut\313)<\13"\33\21\265\200\2177\312\361\300j\200\324\345\177`\275 \344\310\262*i\231\357\11\272r\313\236\367\222\256M\29"\273^\365Ut\313)<\13"\6n#\27U\3765j\203\200V\317l(\302:&f@\271\240l\0@Z\337\240\310\303\33\274\3107r;h#\223\270X\3277\265\0\251\274J:W\316(3\223\242f\360\236\366G\375r\2\241(\305\265\265\321\12a+\W$Q\202\220\253\254\0\376\263\360\335d\351=yJs\237G\341A~+>\236\77\252%\224\13\253\201\277\322\225\377\203\211]\34\346A\261\35\213\35\22\345\345\242\16\251\334s%Y\312\255\226+DR\312\306,\323\374v\215\327S\217\275\31\351\32\322w{<\332r\375\\302\343\252\11\264P\233\35U\210\355\310\341U\341\206-\213r\305\264\352E\303L\11w\374(\255a\35\314\346\344hm\275}\3108\211\310Yd\256\0", ) , ) == 0x0
 00882   532   NtClose  (108, ... ) == 0x0
 00883   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\24\347\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00884   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00885   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00886   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00887   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00888   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00889   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00890   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00891   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00892   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "#\345\363&\313(E+\337]DG\25\261\314L\214\351\247\250\247\303x\354\361\15\15\325\262\325\2442\270\22p\342\223\320\252'\353\311i\360\22,[u\250\371\17\247\210t\201\220f\16\242/{\276Bz\366\0\315w\347R\267$\363\304`~\222\263\30\202", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "#\345\363&\313(E+\337]DG\25\261\314L\214\351\247\250\247\303x\354\361\15\15\325\262\325\2442\270\22p\342\223\320\252'\353\311i\360\22,[u\250\371\17\247\210t\201\220f\16\242/{\276Bz\366\0\315w\347R\267$\363\304`~\222\263\30\202", 80, ... ) , 80, ... ) == 0x0
 00893   532   NtClose  (-2147482052, ... ) == 0x0
 00883   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "L3\3Y\371\27#c\354Z\275AL{\16\335\34\234\2dP:\221\322\307.\37f\201\4/:n\11\3036!n\321\254Z \12\354b\225Xr\371\25)\272\266#\305DD\22\231W"\3529\312lJ\266\211A\37)\224\276\362\5kz\300\373B\30\305\324zf\321\0k/\233$\217\234z\2\203\343l\10\215G\327\364\360'\375\265w\337\367+\31p\225\327\334\22\237 \351F e\3\305\325\377;\317~.\351V\251y\16\331\346{u\30\317MBOw\272\275D\220;\263;\13f\223\304\324\331\20\257\224\326\271\331\330\26\344G\34N\263\264Z\217\\1\243Q\332_\12\23\345&\27\221M\254\270\274\247\261\221_\234Zy\34\352\243\2761\206\11\335\13Z\11Z\227\243\215[WH\21J\371\360\276H\\301e\221\262\262\306\237R3\210T-\250\15\240\260\212\307\326r\202\265\226\325\214\233\326G\222\333r\24", ) \3529\312lJ\266\211A\37)\224\276\362\5kz\300\373B\30\305\324zf\321\0k/\233$\217\234z\2\203\343l\10\215G\327\364\360'\375\265w\337\367+\31p\225\327\334\22\237 \351F e\3\305\325\377;\317~.\351V\251y\16\331\346{u\30\317MBOw\272\275D\220;\263;\13f\223\304\324\331\20\257\224\326\271\331\330\26\344G\34N\263\264Z\217\\1\243Q\332_\12\23\345&\27\221M\254\270\274\247\261\221_\234Zy\34\352\243\2761\206\11\335\13Z\11Z\227\243\215[WH\21J\371\360\276H\\301e\221\262\262\306\237R3\210T-\250\15\240\260\212\307\326r\202\265\226\325\214\233\326G\222\333r\24", ) == 0x0
 00894   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00895   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00896   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00897   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00898   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00899   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00900   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00901   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00902   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00903   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\244<\345\240\15\243\251\7P5\221\367Eq\22IX\36\272\216\273\270\346;\370\7\17\0\25\333/m\0", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\244<\345\240\15\243\251\7P5\221\367Eq\22IX\36\272\216\273\270\346;\370\7\17\0\25\333/m\0", 80, ... ) \272\216\273\270\346;\370\7\17\0\25\333/m\0", 80, ... ) == 0x0
 00904   532   NtClose  (-2147482052, ... ) == 0x0
 00894   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "`\3736\27\313L\33\26\307\27}\335\260\247\255\4\367\221\257v\36\222\356\360?c\3705>\7A\263\30\357\232\371\313N\342+Qd\27\352\346A\374\303\357R\15\301\16\342;\24\247cKu\245\223\260q\202\271\304.\363\366Xj\305f5\337a\30M1\27 \361h\2132oW\310d\36\247\360\253\230\32\232\204q)\220\36\13\13Va\253J1\355Ol\6\340\3174{UrV\330\357I\366\241\347\1Q|x\312\361\377:\255~\332\315\274\324\356kg\307jdk\35\332\247\203\31\367\22\315p\347\335%\24j\203\320J\303\332\302\317\264\203V.\252\316O\17Bf\351\2327>n\\25\2734\265\265P\253\2665\340\314\340\273\245N\246b\350kCk\363\354\373\335\34\377\6\234i|\353y\267\20\27\322{\322\6\220)\\274\312g\3104J#\fQ\26\217\363\213\217\321zeg\3240x\21#\201\374\370V\313", ) , ) == 0x0
 00905   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\322\212H\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00906   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00907   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00908   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00909   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00910   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00911   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00912   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00913   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00914   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\372\15U\277\15\347\310U:\356\2679+\347X3\323Ff\213\353\22\236*+\344\333\08\205g{F\262\346\240\14V,\230\0\12\327GH\234Q\207F\362\275\231!\3455\222\300;_\243\223\331#3}\302j\236\215\345\25\331\377M\33\11\204\277\336\232", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\372\15U\277\15\347\310U:\356\2679+\347X3\323Ff\213\353\22\236*+\344\333\08\205g{F\262\346\240\14V,\230\0\12\327GH\234Q\207F\362\275\231!\3455\222\300;_\243\223\331#3}\302j\236\215\345\25\331\377M\33\11\204\277\336\232", 80, ... ) , 80, ... ) == 0x0
 00915   532   NtClose  (-2147482052, ... ) == 0x0
 00905   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5\a\341\2100\257\342j\20\346b;\376\6h\23\332\217\272m\276x u(}&\207+<]3\254\261\35\34-\0\240\234\263j:\277\312i\317\337\3721]E\245C\3\3425}&[*\343\15\242TU\370*\225\22\373\360\217\251E\5\362J\353\371\27\374g\177\20\25\316\203L[C\325V\370\37\3043m\3665\220\202|\2034\342\12\310\233B\257\337\374\2=HW\0\33\346\352\312F\232\31\370pF0\246!\273\371|]\260.\261\341\2465\3545\345\35\274[\2\366;f\241\223\301\273\322UQ\326\323TGqj\314=\360i\302\242v\223\6\320\331\327\355\2\224\250\201T\2\203\275mIm\371\260\12\256\321\267Y\277\251\362\367\237\260\342s\330\265, ) , ) == 0x0
 00916   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\322\212H\374\237dz\322\212H\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00917   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00918   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00919   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00920   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00921   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00922   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00923   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00924   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00925   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "R]Pl5\330\246\270\20\24\250Q\324\220"\31\307\211\267\214#\356\34Q\367\370\252\336\276\245\245i\212\26\303\241\23\237\222\30\375;\213u\21_\22\262\34U\\315\35\0\365m\240;\345\343\2c\205\323h+\375}\207\225vx\264\21\326\323\374\216\374", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "R]Pl5\330\246\270\20\24\250Q\324\220"\31\307\211\267\214#\356\34Q\367\370\252\336\276\245\245i\212\26\303\241\23\237\222\30\375;\213u\21_\22\262\34U\\315\35\0\365m\240;\345\343\2c\205\323h+\375}\207\225vx\264\21\326\323\374\216\374", 80, ... ) \31\307\211\267\214#\356\34Q\367\370\252\336\276\245\245i\212\26\303\241\23\237\222\30\375;\213u\21_\22\262\34U\\315\35\0\365m\240;\345\343\2c\205\323h+\375}\207\225vx\264\21\326\323\374\216\374", 80, ... ) == 0x0
 00926   532   NtClose  (-2147482052, ... ) == 0x0
 00916   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "U\233X@\256\234\222\204\260)\332\315\231\34\2355K\306\312\270=\363\30\373\201\36\305WP\371\330\304\261vZ\267\365\356H\353\3422\232\232\2457\237j8\244\353\322\11\36\236\13NN\377\232\11\344\16\2608\352pa\310\322\355b\10\4\2141t\375\373\223\367\207;\362\246\10(\11q1E\234A\230g\11\264X\7\234\263\234Q\352I4\15\311\232>PoC\375\25\24)\3764=\366t\216\372\22\214\341\241\245\1\265j\336\230\331\247\25\217\342m\270\27\302\317\350\340c\343\32\216M\362\307\257\256\313\115\230\25<\204\251\272\226\24'\370\347H\270\330\202\344`\365\12\30|y"\327\321\37baJ\353\377\316\250gw\213\344H\36t\207\336\13r\306\244\233\313\352\1\37\233\223yYR\305\7D/\270\321\4Y\324\357z\217\36?\376\311\37\325\344\2374\371)\13p(\274\244\37\223\27\352\257\204f%\34\11)\335@", ) \327\321\37baJ\353\377\316\250gw\213\344H\36t\207\336\13r\306\244\233\313\352\1\37\233\223yYR\305\7D/\270\321\4Y\324\357z\217\36?\376\311\37\325\344\2374\371)\13p(\274\244\37\223\27\352\257\204f%\34\11)\335@", ) == 0x0
 00927   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00928   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00929   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00930   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00931   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00932   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00933   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00934   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00935   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00936   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\233(\13\346\377)\34\360"\37o\314\205\264\260\307\315;.\340\256\177[v\4\5'\321\275\307w\233\351\237\5\216\315\355\340\260\371\340\230j\255\270dk\362\242'\223+\20\371\227\276\1\22U\347\312\233\354\34\351SD\26\261n3\372{"\203\213\236\34\340", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\233(\13\346\377)\34\360"\37o\314\205\264\260\307\315;.\340\256\177[v\4\5'\321\275\307w\233\351\237\5\216\315\355\340\260\371\340\230j\255\270dk\362\242'\223+\20\371\227\276\1\22U\347\312\233\354\34\351SD\26\261n3\372{"\203\213\236\34\340", 80, ... ) \37o\314\205\264\260\307\315;.\340\256\177[v\4\5'\321\275\307w\233\351\237\5\216\315\355\340\260\371\340\230j\255\270dk\362\242'\223+\20\371\227\276\1\22U\347\312\233\354\34\351SD\26\261n3\372{ (-2147482052, "Seed", 0, 3, "\233(\13\346\377)\34\360"\37o\314\205\264\260\307\315;.\340\256\177[v\4\5'\321\275\307w\233\351\237\5\216\315\355\340\260\371\340\230j\255\270dk\362\242'\223+\20\371\227\276\1\22U\347\312\233\354\34\351SD\26\261n3\372{"\203\213\236\34\340", 80, ... ) , 80, ... ) == 0x0
 00937   532   NtClose  (-2147482052, ... ) == 0x0
 00927   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\370\303Y\313-Efsg\347( T\201n!\251-7\347r\312\305\37M\244(\233\24JM\325\226\271\357\377\200i\255\202b*\342\354W\274\30\216)\207\27\360,x\327\372\216W{\247\267\262\223\264\234j\240\262U'+\214\241\260\7g\304\302\317\32X\303W\230\234L\260j\15h\14\355\321^%E\360DSF\224ix\314\222Uog\25\12:-\240\204\253&\322\206k\2611~\10O\331\307Bx5o-\300\310-\267\340\307P>\373\252)\311a\253Z\36\207\323z~\270\317\312\265Y\272\277m\354\26g\14\336v\15\355\2114\20\357\260\235\353H\5\305\301\353\226\367\2704\210\315bb\304.B\2605L4\16\352\303\363\26\164\362k\35AY\355\251\232KW\322E\25\245qLfn\2\30\302\370\273\312\213\344\341_J\307\36py\212\205\265\212&\267K\237\256M\5sZ\273\235<\306\347\277/U\200", ) , ) == 0x0
 00938   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00939   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00940   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00941   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00942   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00943   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00944   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00945   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00946   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00947   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "D\371\200\377\365~\3340\254+\240>\2001:\274\7T\210\16R\27\340*I\7`\335:\203\3552\3\31\264\354\246\263y\11\366\323xJ\273\3N\256\330\5\256\323\255O_\230\342\300\31\26Z'\313\337\257\375Y\305\224\4\23R>/Y\250\336T\246\236", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "D\371\200\377\365~\3340\254+\240>\2001:\274\7T\210\16R\27\340*I\7`\335:\203\3552\3\31\264\354\246\263y\11\366\323xJ\273\3N\256\330\5\256\323\255O_\230\342\300\31\26Z'\313\337\257\375Y\305\224\4\23R>/Y\250\336T\246\236", 80, ... ) , 80, ... ) == 0x0
 00948   532   NtClose  (-2147482052, ... ) == 0x0
 00938   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\261\214\344i\225\336\34+\243\356~\254(\273\340\225\255O\273+&\27M\363\274\364Id\34\1O\206N\332\215\3\34\252\243\22\343\326\355\374Y\244l\341x]\374\326\276\235@\213\321\30\273\263|\372\263\351.XFi"\2\243\303\307K\256J\251\316'\35\340\362!\221\346\252\266E-\252\232|\230\367\212\11\0<"&\221\210\244*1\355\231\277\217\241\36\37c\230m\336\212\30K\0\210\221\254\224=\303\304Ik!k\256\32\203\353\345\12\214\246\200\23R>\34\254}>\343N\320\365/\331\337|\342uZe\241[\34\341tA#\325+4y\242\362"\351\271\355L\345\36\3342\260\215\351\357\217J}\354m\13;\267v\351\331\263\223o\267n\362\362\5RT\306\330\366/b\353\356\300\360dZ\342\\212\313\266\351\36\265\343\3779\2004i\205\341|\306IA\267\315&R\254XB+\364(\214X\310\320_\303d\336D", ) \2\243\303\307K\256J\251\316'\35\340\362!\221\346\252\266E-\252\232|\230\367\212\11\0< ... {status=0x0, info=256}, "\261\214\344i\225\336\34+\243\356~\254(\273\340\225\255O\273+&\27M\363\274\364Id\34\1O\206N\332\215\3\34\252\243\22\343\326\355\374Y\244l\341x]\374\326\276\235@\213\321\30\273\263|\372\263\351.XFi"\2\243\303\307K\256J\251\316'\35\340\362!\221\346\252\266E-\252\232|\230\367\212\11\0<"&\221\210\244*1\355\231\277\217\241\36\37c\230m\336\212\30K\0\210\221\254\224=\303\304Ik!k\256\32\203\353\345\12\214\246\200\23R>\34\254}>\343N\320\365/\331\337|\342uZe\241[\34\341tA#\325+4y\242\362"\351\271\355L\345\36\3342\260\215\351\357\217J}\354m\13;\267v\351\331\263\223o\267n\362\362\5RT\306\330\366/b\353\356\300\360dZ\342\\212\313\266\351\36\265\343\3779\2004i\205\341|\306IA\267\315&R\254XB+\364(\214X\310\320_\303d\336D", ) \351\271\355L\345\36\3342\260\215\351\357\217J}\354m\13;\267v\351\331\263\223o\267n\362\362\5RT\306\330\366/b\353\356\300\360dZ\342\\212\313\266\351\36\265\343\3779\2004i\205\341|\306IA\267\315&R\254XB+\364(\214X\310\320_\303d\336D", ) == 0x0
 00949   532   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\245\12\353'\262\300\21\17NH\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\322\212H\374\237dz\311#\31\345*\336\235Vd\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00950   532   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00951   532   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00952   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00953   532   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00954   532   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00955   532   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00956   532   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00957   532   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 00958   532   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\261\234\334x\351\17\35\267Z>\247\370f\260\16\373\361\275\376\11R\224\372c\231\2657\307\322\214\2554O\200\371&\276a+aG\240\316#t;\206\223\275\220\343\311\270\217WF\35\10\6\356\340\204Y\322u\224\246\240Bl\230\376\326\11@\211\211\325z", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\261\234\334x\351\17\35\267Z>\247\370f\260\16\373\361\275\376\11R\224\372c\231\2657\307\322\214\2554O\200\371&\276a+aG\240\316#t;\206\223\275\220\343\311\270\217WF\35\10\6\356\340\204Y\322u\224\246\240Bl\230\376\326\11@\211\211\325z", 80, ... ) , 80, ... ) == 0x0
 00959   532   NtClose  (-2147482052, ... ) == 0x0
 00949   532   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "^\342Y$Df\347\225\220xA\344\25\275\223\350T\343(\21c\344\243\343\250\234\236p?R=N`xZ\324l\225m\355\226\226\261\205\255\321\307P\211\215\33T\240\3\5*J\244k*#\266\217H\35\341<\361\207GI\354\300\272\334f\270\14\224\271\3340\221?\223\305\364\250\201\310\23gmHv\372\372\14\214\235\327\242\265@\37B\333d\259,x\315\316\322\342\224Q,\237\231\37\310\307\34\3773\363O\5Uj=\3\356Lx\372Q\363\376z\320\262\345DP\313@\310~\364A\370\247b~\221#u\277\212M\1\2\325\21S\304\30\320\233G\321\262\345\223\314\250y>mL\370'\235s\261K[\233u\333\272\264J\224\324\227^\16\374\26\230~\204-G\266\213\367\206\317]\375\242\344\215]\177#\332\273\320\213\263l__\272\3374*\211K\230\357\242\224T\233\252\240z\26;\323\376\327G$\250~\351\23w", ) , ) == 0x0
 00960   532   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 00961   532   NtQueryVolumeInformationFile  (108, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00962   532   NtClose  (12, ... ) == 0x0
 00963   532   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238188,  (0x80100080, {24, 0, 0x40, 0, 1238188, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 00965   532   NtQueryInformationFile  (12, 1239124, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00966   532   NtQueryInformationFile  (12, 1239096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00967   532   NtQueryInformationFile  (12, 1239048, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00968   532   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 00969   532   NtQueryInformationFile  (12, 1382720, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00970   532   NtQueryInformationFile  (12, 1237592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00971   532   NtQueryInformationFile  (12, 1237436, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00972   532   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237444,  (0x40110080, {24, 0, 0x40, 0, 1237444, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00973   532   NtClose  (-2147482052, ... ) == 0x0
 00972   532   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00974   532   NtQueryVolumeInformationFile  (104, 1236816, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00975   532   NtQueryInformationFile  (104, 1236776, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00976   532   NtQueryVolumeInformationFile  (12, 1236816, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00977   532   NtSetInformationFile  (104, 1236604, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00978   532   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 00979   532   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 57344, ) == 0x0
 00980   532   NtClose  (116, ... ) == 0x0
 00981   532   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\3\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\0\0\00\30\0\0\0\0\0\09\372\2\0\0\360\2\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\324\7\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\6\3\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.data\0\0\0\0 \2\0\0\20\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.pdata\0\0#\274\0\0\00\2\0#\274\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.ex_cod\0\324\27\0\0\0\360\2\0\324\27\0\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 55252, 0x0, 0, ... {status=0x0, info=55252}, ) , 55252, 0x0, 0, ... {status=0x0, info=55252}, ) == 0x0
 00982   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00983   532   NtSetInformationFile  (104, 1239048, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00984   532   NtClose  (12, ... ) == 0x0
 00985   532   NtClose  (104, ... ) == 0x0
 00986   532   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00987   532   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00988   532   NtClose  (104, ... ) == 0x0
 00989   532   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00990   532   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00991   532   NtClose  (104, ... ) == 0x0
 00992   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00993   532   NtQueryInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00994   532   NtClose  (104, ... ) == 0x0
 00995   532   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00996   532   NtSetInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00997   532   NtClose  (104, ... ) == 0x0
 00998   532   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "cmskcplu.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999   532   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1239200,  (0x40100080, {24, 108, 0x40, 0, 1239200, "cmskcplu.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01000   532   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del cmskcplu.bat\15\12", 124, 0x0, 0, ... {status=0x0, info=124}, ) , 124, 0x0, 0, ... {status=0x0, info=124}, ) == 0x0
 01001   532   NtClose  (104, ... ) == 0x0
 01002   532   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232540, ... ) }, 1232540, ... ) == 0x0
 01004   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01005   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01006   532   NtClose  (104, ... ) == 0x0
 01007   532   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 262144, ) == 0x0
 01008   532   NtClose  (12, ... ) == 0x0
 01009   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01010   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01011   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01012   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01013   532   NtAllocateVirtualMemory  (-1, 1392640, 0, 16384, 4096, 4, ... 1392640, 16384, ) == 0x0
 01014   532   NtUserRegisterClassExWOW  (1234624, 1234704, 1234688, 1234720, 0, 384, 0, ... ) == 0x8126c038
 01015   532   NtUserGetAtomName  (49208, 1233388, ... ) == 0x15
 01016   532   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01017   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230912, ... ) }, 1230912, ... ) == 0x0
 01018   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01019   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01020   532   NtClose  (12, ... ) == 0x0
 01021   532   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 204800, ) == 0x0
 01022   532   NtClose  (104, ... ) == 0x0
 01023   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01024   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231228, ... ) }, 1231228, ... ) == 0x0
 01025   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01026   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01027   532   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01028   532   NtClose  (104, ... ) == 0x0
 01029   532   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01030   532   NtClose  (12, ... ) == 0x0
 01031   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01032   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01033   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01034   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01035   532   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01036   532   NtClose  (12, ... ) == 0x0
 01037   532   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01038   532   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01039   532   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01040   532   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   532   NtClose  (104, ... ) == 0x0
 01042   532   NtClose  (12, ... ) == 0x0
 01043   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01044   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01045   532   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01046   532   NtClose  (12, ... ) == 0x0
 01047   532   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01048   532   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01049   532   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   532   NtClose  (104, ... ) == 0x0
 01051   532   NtClose  (12, ... ) == 0x0
 01052   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 01055   532   NtUserGetProcessWindowStation  (... ) == 0x28
 01056   532   NtUserGetObjectInformation  (40, 2, 0, 0, 1233024, ... ) == 0x0
 01057   532   NtUserGetObjectInformation  (40, 2, 1347040, 16, 1233024, ... ) == 0x1
 01058   532   NtUserGetGUIThreadInfo  (532, 1232980, ... ) == 0x1
 01059   532   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01060   532   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 508, 532, 1582, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01061   532   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1583, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 508, 532, 1583, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1583, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01062   532   NtUserCallNoParam  (29, ...
 01063   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230272, ... ) }, 1230272, ... ) == 0x0
 01062   532   NtUserCallNoParam  ... ) == 0x0
 01064   532   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01065   532   NtGdiHfontCreate  (1232352, 356, 0, 0, 1356120, ... ) == 0x70a0454
 01066   532   NtGdiHfontCreate  (1232352, 356, 0, 0, 1356112, ... ) == 0x60a0455
 01067   532   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1584, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 508, 532, 1584, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 508, 532, 1584, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01068   532   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 331776, ) == 0x0
 01069   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01070   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01071   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01072   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01073   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01074   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01075   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01076   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01077   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01078   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01079   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01080   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01081   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01082   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01083   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01084   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01085   532   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01086   532   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100457
 01087   532   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01088   532   NtUserCallNoParam  (29, ...
 01089   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229716, ... ) }, 1229716, ... ) == 0x0
 01088   532   NtUserCallNoParam  ... ) == 0x0
 01090   532   NtUserCallNoParam  (29, ...
 01091   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 01090   532   NtUserCallNoParam  ... ) == 0x0
 01092   532   NtUserMessageCall  (0x30060, WM_NCCREATE, 0x0, 0x12d198, 0, 670, 0, ... ) == 0x1
 01093   532   NtUserMessageCall  (0x30060, WM_NCCALCSIZE, 0x0, 0x12d1c0, 0, 670, 0, ... ) == 0x0
 01094   532   NtUserSetProp  (196704, 43288, -1, ... ) == 0x1
 01016   532   NtUserCreateWindowEx  ... ) == 0x30060
 01095   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01096   532   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01098   532   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   532   NtClose  (120, ... ) == 0x0
 01100   532   NtClose  (116, ... ) == 0x0
 01101   532   NtAllocateVirtualMemory  (-1, 1409024, 0, 24576, 4096, 4, ... 1409024, 24576, ) == 0x0
 01102   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01103   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 01105   532   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   532   NtClose  (116, ... ) == 0x0
 01107   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01109   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01110   532   NtQuerySystemTime  (... {904867170, 29873105}, ) == 0x0
 01111   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01112   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   532   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01114   532   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01115   532   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01116   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01117   532   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01118   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 01119   532   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01120   532   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01121   532   NtClose  (140, ... ) == 0x0
 01122   532   NtClose  (136, ... ) == 0x0
 01123   532   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 01124   532   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 01125   532   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01126   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01127   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01128   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01129   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01130   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233152,  (0xc0100080, {24, 0, 0x40, 0, 1233152, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01131   532   NtSetInformationFile  (152, 1233208, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01132   532   NtSetInformationFile  (152, 1233200, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01133   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01134   532   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01135   532   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01136   532   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01137   532   NtClose  (148, ... ) == 0x0
 01138   532   NtClose  (152, ... ) == 0x0
 01139   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233196, ... ) }, 1233196, ... ) == 0x0
 01140   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01141   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01142   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "cmskcplu.bat"}, 1233016, ... ) }, 1233016, ... ) == 0x0
 01143   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01144   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01145   532   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356136, 0,  (0x1f0003, {24, 52, 0x80, 1356136, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS
 01146   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01147   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01148   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01150   532   NtQueryValueKey  (148,  (148, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01151   532   NtClose  (148, ... ) == 0x0
 01152   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01153   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01154   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01156   532   NtQueryValueKey  (148,  (148, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   532   NtClose  (148, ... ) == 0x0
 01158   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01159   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01160   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01162   532   NtQueryValueKey  (148,  (148, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   532   NtClose  (148, ... ) == 0x0
 01164   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01165   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01166   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01168   532   NtQueryValueKey  (148,  (148, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   532   NtClose  (148, ... ) == 0x0
 01170   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 148, ) }, ... 148, ) == 0x0
 01171   532   NtEnumerateKey  (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01172   532   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 156, ) }, ... 156, ) == 0x0
 01173   532   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   532   NtClose  (156, ... ) == 0x0
 01175   532   NtEnumerateKey  (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01176   532   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 156, ) }, ... 156, ) == 0x0
 01177   532   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01178   532   NtClose  (156, ... ) == 0x0
 01179   532   NtEnumerateKey  (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01180   532   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 156, ) }, ... 156, ) == 0x0
 01181   532   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   532   NtClose  (156, ... ) == 0x0
 01183   532   NtEnumerateKey  (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01184   532   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 156, ) }, ... 156, ) == 0x0
 01185   532   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   532   NtClose  (156, ... ) == 0x0
 01187   532   NtEnumerateKey  (148, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01188   532   NtClose  (148, ... ) == 0x0
 01189   532   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   532   NtOpenProcessToken  (-1, 0x8, ... 148, ) == 0x0
 01191   532   NtQueryInformationToken  (148, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01192   532   NtClose  (148, ... ) == 0x0
 01193   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01194   532   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0
 01195   532   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 156, ) == 0x0
 01196   532   NtCreateKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "SessionInfo\0000000000009176"}, 0, 0x0, 1, ... 160, 2, ) }, 0, 0x0, 1, ... 160, 2, ) == 0x0
 01197   532   NtClose  (156, ... ) == 0x0
 01198   532   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01199   532   NtClose  (160, ... ) == 0x0
 01200   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01201   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01202   532   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01203   532   NtClose  (160, ... ) == 0x0
 01204   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01205   532   NtSetInformationObject  (162, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01206   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01207   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01209   532   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01210   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01211   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01212   532   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01213   532   NtClose  (164, ... ) == 0x0
 01214   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   532   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   532   NtClose  (158, ... ) == 0x0
 01217   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01218   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01220   532   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01221   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01222   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01223   532   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01224   532   NtClose  (164, ... ) == 0x0
 01225   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   532   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   532   NtClose  (158, ... ) == 0x0
 01228   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01229   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01231   532   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01232   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01233   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01234   532   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01235   532   NtClose  (164, ... ) == 0x0
 01236   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   532   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01238   532   NtClose  (158, ... ) == 0x0
 01239   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01241   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01243   532   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01244   532   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 01245   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01246   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01247   532   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01248   532   NtClose  (164, ... ) == 0x0
 01249   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   532   NtQueryValueKey  (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01251   532   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01252   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01253   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01254   532   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01255   532   NtClose  (164, ... ) == 0x0
 01256   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   532   NtQueryValueKey  (158,  (158, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   532   NtClose  (158, ... ) == 0x0
 01259   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01260   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01261   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0
 01263   532   NtQueryValueKey  (156,  (156, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01264   532   NtClose  (156, ... ) == 0x0
 01265   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01266   532   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01267   532   NtClose  (156, ... ) == 0x0
 01268   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 156, ) }, ... 156, ) == 0x0
 01269   532   NtQueryValueKey  (156,  (156, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01270   532   NtClose  (156, ... ) == 0x0
 01271   532   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01272   532   NtQueryValueKey  (156, " (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01273   532   NtClose  (156, ... ) == 0x0
 01274   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01275   532   NtQueryVolumeInformationFile  (156, 1233336, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01276   532   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 164, ) }, ... 164, ) == 0x0
 01277   532   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 01278   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 168, ) }, ... 168, ) == 0x0
 01279   532   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x960000), {0, 0}, 57344, ) == 0x0
 01280   532   NtQueryInformationFile  (156, 1233300, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01281   532   NtQueryInformationFile  (156, 1233340, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01282   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01283   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01284   532   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01285   532   NtClose  (172, ... ) == 0x0
 01286   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   532   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 01288   532   NtClose  (156, ... ) == 0x0
 01289   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01290   532   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01291   532   NtClose  (156, ... ) == 0x0
 01292   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01294   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == 0x0
 01296   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01297   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 172, ) == 0x0
 01298   532   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01299   532   NtClose  (156, ... ) == 0x0
 01300   532   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01301   532   NtClose  (172, ... ) == 0x0
 01302   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == 0x0
 01306   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01307   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 156, ) == 0x0
 01308   532   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01309   532   NtClose  (172, ... ) == 0x0
 01310   532   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01311   532   NtClose  (156, ... ) == 0x0
 01312   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01313   532   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01314   532   NtClose  (156, ... ) == 0x0
 01315   532   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01316   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01317   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 156, ) }, ... 156, ) == 0x0
 01318   532   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   532   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01320   532   NtClose  (156, ... ) == 0x0
 01321   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231116, ... ) }, 1231116, ... ) == 0x0
 01322   532   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01323   532   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01324   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01325   532   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01326   532   NtClose  (156, ... ) == 0x0
 01327   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 156, ) }, ... 156, ) == 0x0
 01328   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01329   532   NtNotifyChangeKey  (156, 172, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01330   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 176, ) }, ... 176, ) == 0x0
 01331   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01332   532   NtNotifyChangeKey  (176, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01333   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01334   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 188, ) }, ... 188, ) == 0x0
 01335   532   NtSetInformationObject  (188, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01336   532   NtNotifyChangeKey  (188, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01337   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 192, ) }, ... 192, ) == 0x0
 01338   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01339   532   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01340   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01341   532   NtNotifyChangeKey  (188, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01342   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01343   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01344   532   NtNotifyChangeKey  (204, 208, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01345   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01346   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01347   532   NtNotifyChangeKey  (212, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01348   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 220, ) }, ... 220, ) == 0x0
 01349   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01350   532   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01351   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 228, ) }, ... 228, ) == 0x0
 01352   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01353   532   NtNotifyChangeKey  (228, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01354   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 01355   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01356   532   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01357   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01358   532   NtNotifyChangeKey  (188, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01359   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01360   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01361   532   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01362   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01363   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01364   532   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01365   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01366   532   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01367   532   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01368   532   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 272, ) }, ... 272, ) == 0x0
 01370   532   NtQueryValueKey  (272,  (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01371   532   NtClose  (272, ... ) == 0x0
 01372   532   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 01373   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01374   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01375   532   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 272, ) }, ... 272, ) == 0x0
 01376   532   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x970000), {0, 0}, 24576, ) == 0x0
 01377   532   NtAllocateVirtualMemory  (-1, 8937472, 0, 8192, 4096, 4, ... 8937472, 8192, ) == 0x0
 01378   532   NtAllocateVirtualMemory  (-1, 8945664, 0, 8192, 4096, 4, ... 8945664, 8192, ) == 0x0
 01379   532   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01381   532   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01382   532   NtClose  (276, ... ) == 0x0
 01383   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01384   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01385   532   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 9961472, 65536, ) == 0x0
 01386   532   NtAllocateVirtualMemory  (-1, 9961472, 0, 4096, 4096, 4, ... 9961472, 4096, ) == 0x0
 01387   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01388   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01390   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01391   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01392   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01393   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01394   532   NtClose  (280, ... ) == 0x0
 01395   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   532   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01397   532   NtClose  (278, ... ) == 0x0
 01398   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01399   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01401   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01402   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01403   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01404   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01405   532   NtClose  (280, ... ) == 0x0
 01406   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01407   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01408   532   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01409   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01410   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01411   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01412   532   NtClose  (284, ... ) == 0x0
 01413   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414   532   NtQueryValueKey  (282,  (282, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   532   NtClose  (282, ... ) == 0x0
 01416   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01417   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01418   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01419   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01420   532   NtClose  (280, ... ) == 0x0
 01421   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01423   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01424   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01425   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01426   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01427   532   NtClose  (280, ... ) == 0x0
 01428   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01429   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01431   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01432   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01433   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01434   532   NtClose  (280, ... ) == 0x0
 01435   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01437   532   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01438   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01439   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01440   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01441   532   NtClose  (284, ... ) == 0x0
 01442   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   532   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01444   532   NtClose  (282, ... ) == 0x0
 01445   532   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01446   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01447   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01448   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01449   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01450   532   NtClose  (280, ... ) == 0x0
 01451   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01454   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01455   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01456   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01457   532   NtClose  (280, ... ) == 0x0
 01458   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01461   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01462   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01463   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01464   532   NtClose  (280, ... ) == 0x0
 01465   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01468   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01469   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01470   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01471   532   NtClose  (280, ... ) == 0x0
 01472   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01475   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01477   532   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01478   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01479   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01480   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01481   532   NtClose  (284, ... ) == 0x0
 01482   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   532   NtQueryValueKey  (282,  (282, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   532   NtClose  (282, ... ) == 0x0
 01485   532   NtClose  (278, ... ) == 0x0
 01486   532   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {508, 0}, ... 276, ) == 0x0
 01487   532   NtQueryInformationProcess  (276, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01488   532   NtClose  (276, ... ) == 0x0
 01489   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01490   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01492   532   NtClose  (278, ... ) == 0x0
 01493   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01494   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01496   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01497   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01498   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01499   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01500   532   NtClose  (280, ... ) == 0x0
 01501   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502   532   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01503   532   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01504   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01505   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01506   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01507   532   NtClose  (284, ... ) == 0x0
 01508   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   532   NtQueryValueKey  (282,  (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01510   532   NtClose  (282, ... ) == 0x0
 01511   532   NtClose  (278, ... ) == 0x0
 01512   532   NtAllocateVirtualMemory  (-1, 1445888, 0, 8192, 4096, 4, ... 1445888, 8192, ) == 0x0
 01513   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01514   532   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01516   532   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01517   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01518   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01519   532   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01520   532   NtClose  (280, ... ) == 0x0
 01521   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01522   532   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523   532   NtClose  (278, ... ) == 0x0
 01524   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227508, ... ) }, 1227508, ... ) == 0x0
 01525   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01526   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01527   532   NtClose  (276, ... ) == 0x0
 01528   532   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x990000), 0x0, 1339392, ) == 0x0
 01529   532   NtClose  (280, ... ) == 0x0
 01530   532   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01531   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227824, ... ) }, 1227824, ... ) == 0x0
 01532   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01533   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01534   532   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01535   532   NtClose  (280, ... ) == 0x0
 01536   532   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01537   532   NtClose  (276, ... ) == 0x0
 01538   532   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01539   532   NtQueryDefaultUILanguage  (1226188, ...
 01540   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01541   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 01542   532   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01543   532   NtClose  (-2147482052, ... ) == 0x0
 01544   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 01545   532   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   532   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482064, ) }, ... -2147482064, ) == 0x0
 01547   532   NtQueryValueKey  (-2147482064,  (-2147482064, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548   532   NtClose  (-2147482064, ... ) == 0x0
 01549   532   NtClose  (-2147482052, ... ) == 0x0
 01539   532   NtQueryDefaultUILanguage  ... ) == 0x0
 01550   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01552   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 280, ) == 0x0
 01553   532   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x990000), 0x0, 1339392, ) == 0x0
 01554   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   532   NtQueryDefaultLocale  (1, 1224224, ... ) == 0x0
 01556   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   532   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340\244\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1585, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340\244\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 508, 532, 1585, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340\244\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 508, 532, 1585, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340\244\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ) == 0x0
 01558   532   NtClose  (276, ... ) == 0x0
 01559   532   NtClose  (280, ... ) == 0x0
 01560   532   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01561   532   NtUnmapViewOfSection  (-1, 0x12b878, ... ) == STATUS_NOT_MAPPED_VIEW
 01562   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01563   532   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01565   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01566   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222764, ... ) }, 1222764, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01568   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01569   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01570   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223356, ... ) }, 1223356, ... ) == 0x0
 01571   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 280, {status=0x0, info=1}, ) }, 3, 33, ... 280, {status=0x0, info=1}, ) == 0x0
 01572   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01573   532   NtUserFindExistingCursorIcon  (1227308, 1227324, 1227892, ... ) == 0x10011
 01574   532   NtUserRegisterClassExWOW  (1227760, 1227840, 1227824, 1227856, 0, 384, 0, ... ) == 0x81260000
 01575   532   NtUserGetClassInfo  (1905590272, 1227924, 1227876, 1227952, 0, ... ) == 0xc05f
 01576   532   NtGdiCreateHalftonePalette  (0, ... ) == 0x1080458
 01577   532   NtGdiDoPalette  (17302616, 0, 256, 1227016, 2, 0, ... ) == 0x100
 01578   532   NtGdiDeleteObjectApp  (17302616, ... ) == 0x1
 01579   532   NtGdiCreateCompatibleDC  (0, ... ) == 0x2010458
 01580   532   NtGdiCreatePaletteInternal  (1227012, 256, ... ) == 0x1080459
 01581   532   NtGdiDeleteObjectApp  (33621080, ... ) == 0x1
 01582   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01583   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 276, ) }, ... 276, ) == 0x0
 01585   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01586   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01587   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01588   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01589   532   NtClose  (284, ... ) == 0x0
 01590   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   532   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01592   532   NtClose  (278, ... ) == 0x0
 01593   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01594   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01595   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01596   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01597   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01598   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01599   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01600   532   NtClose  (284, ... ) == 0x0
 01601   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   532   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01603   532   NtClose  (278, ... ) == 0x0
 01604   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01605   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01607   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01608   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01610   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   532   NtClose  (284, ... ) == 0x0
 01612   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   532   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01614   532   NtClose  (278, ... ) == 0x0
 01615   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01616   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01617   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01618   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01619   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01620   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01621   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01622   532   NtClose  (284, ... ) == 0x0
 01623   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   532   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01625   532   NtClose  (278, ... ) == 0x0
 01626   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01627   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01628   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01629   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01630   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01631   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01632   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01633   532   NtClose  (284, ... ) == 0x0
 01634   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01635   532   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01636   532   NtClose  (278, ... ) == 0x0
 01637   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   532   NtAllocateVirtualMemory  (-1, 1454080, 0, 12288, 4096, 4, ... 1454080, 12288, ) == 0x0
 01639   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01640   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01641   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01642   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01643   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01644   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01645   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01646   532   NtClose  (284, ... ) == 0x0
 01647   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   532   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   532   NtClose  (278, ... ) == 0x0
 01650   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01651   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01653   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 01654   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01655   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01656   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01657   532   NtClose  (284, ... ) == 0x0
 01658   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   532   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01660   532   NtClose  (278, ... ) == 0x0
 01661   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01662   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01663   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01664   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 01665   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01666   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01667   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01668   532   NtClose  (284, ... ) == 0x0
 01669   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   532   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01671   532   NtClose  (278, ... ) == 0x0
 01672   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01673   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01674   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01675   532   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01676   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01677   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01678   532   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01679   532   NtClose  (284, ... ) == 0x0
 01680   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   532   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01682   532   NtClose  (278, ... ) == 0x0
 01683   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 276, ) }, ... 276, ) == 0x0
 01684   532   NtEnumerateValueKey  (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01685   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01686   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01687   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01688   532   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01689   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01690   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01691   532   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01692   532   NtClose  (288, ... ) == 0x0
 01693   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01694   532   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01695   532   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01696   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01697   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01698   532   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01699   532   NtClose  (288, ... ) == 0x0
 01700   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01701   532   NtQueryValueKey  (286,  (286, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01702   532   NtClose  (286, ... ) == 0x0
 01703   532   NtEnumerateValueKey  (276, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01704   532   NtClose  (276, ... ) == 0x0
 01705   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01706   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01707   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1232468, ... ) }, 1232468, ... ) == 0x0
 01708   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01709   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01710   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01711   532   NtQueryValueKey  (276,  (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01712   532   NtClose  (276, ... ) == 0x0
 01713   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01714   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01715   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1233496, ... ) }, 1233496, ... ) == 0x0
 01716   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01717   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01718   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01719   532   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01720   532   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01721   532   NtClose  (276, ... ) == 0x0
 01722   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01723   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01724   532   NtQueryValueKey  (276,  (276, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01725   532   NtClose  (276, ... ) == 0x0
 01726   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01727   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01728   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01729   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01730   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01731   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01732   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01733   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01734   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01735   532   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 01736   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 276, ) }, ... 276, ) == 0x0
 01737   532   NtEnumerateKey  (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01738   532   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 284, ) }, ... 284, ) == 0x0
 01739   532   NtQueryValueKey  (284,  (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01740   532   NtQueryValueKey  (284,  (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01741   532   NtClose  (284, ... ) == 0x0
 01742   532   NtEnumerateKey  (276, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01743   532   NtClose  (276, ... ) == 0x0
 01744   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01745   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01746   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01747   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01749   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01750   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01751   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01752   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01753   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01754   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01756   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01757   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01759   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01760   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01761   532   NtClose  (276, ... ) == 0x0
 01762   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01764   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01765   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01766   532   NtClose  (276, ... ) == 0x0
 01767   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01769   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01770   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01771   532   NtClose  (276, ... ) == 0x0
 01772   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01774   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01775   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01776   532   NtClose  (276, ... ) == 0x0
 01777   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01779   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01780   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01781   532   NtClose  (276, ... ) == 0x0
 01782   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01784   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01785   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01786   532   NtClose  (276, ... ) == 0x0
 01787   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01788   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01789   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01790   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01791   532   NtClose  (276, ... ) == 0x0
 01792   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01794   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01795   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01796   532   NtClose  (276, ... ) == 0x0
 01797   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01799   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01800   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01801   532   NtClose  (276, ... ) == 0x0
 01802   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01804   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01805   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01806   532   NtClose  (276, ... ) == 0x0
 01807   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01809   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01810   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01811   532   NtClose  (276, ... ) == 0x0
 01812   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01813   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01814   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01815   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01816   532   NtClose  (276, ... ) == 0x0
 01817   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01819   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01820   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01821   532   NtClose  (276, ... ) == 0x0
 01822   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01824   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01825   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01826   532   NtClose  (276, ... ) == 0x0
 01827   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01828   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01829   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01830   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01831   532   NtClose  (276, ... ) == 0x0
 01832   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01834   532   NtQueryValueKey  (276,  (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01835   532   NtClose  (276, ... ) == 0x0
 01836   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01837   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01838   532   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01839   532   NtClose  (276, ... ) == 0x0
 01840   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841   532   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01842   532   NtOpenProcessToken  (-1, 0xa, ... 276, ) == 0x0
 01843   532   NtDuplicateToken  (276, 0xc, {24, 0, 0x0, 0, 1234304, 0x0}, 0, 2, ... 284, ) == 0x0
 01844   532   NtClose  (276, ... ) == 0x0
 01845   532   NtAccessCheck  (1455512, 284, 0x1, 1234432, 1234376, 56, 1234460, ... (0x1), ) == 0x0
 01846   532   NtClose  (284, ... ) == 0x0
 01847   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 01848   532   NtQueryValueKey  (284,  (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01849   532   NtClose  (284, ... ) == 0x0
 01850   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234320,  (0x80100080, {24, 0, 0x40, 0, 1234320, "\??\u:\work\cmskcplu.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0
 01851   532   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 276, ) }, ... 276, ) == 0x0
 01852   532   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\WinDfs\U:0000000000009176", 66, ) , 66, ) == 0x0
 01853   532   NtClose  (276, ... ) == 0x0
 01854   532   NtQueryInformationFile  (284, 1232764, 528, Name, ... {status=0x0, info=76}, ) == 0x0
 01855   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01856   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01857   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\cmskcplu.bat"}, 1231444, ... ) }, 1231444, ... ) == 0x0
 01858   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01859   532   NtQueryDirectoryFile  (276, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (276, 0, 0, 0, 1230804, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01860   532   NtClose  (276, ... ) == 0x0
 01861   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01862   532   NtQueryDirectoryFile  (276, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (276, 0, 0, 0, 1230804, 616, BothDirectory, 1, "cmskcplu.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 01863   532   NtClose  (276, ... ) == 0x0
 01864   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01865   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01866   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01867   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01868   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == 0x0
 01870   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01871   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 288, ) == 0x0
 01872   532   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01873   532   NtClose  (276, ... ) == 0x0
 01874   532   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01875   532   NtClose  (288, ... ) == 0x0
 01876   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 288, ) }, ... 288, ) == 0x0
 01877   532   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01878   532   NtClose  (288, ... ) == 0x0
 01879   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01880   532   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 01881   532   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 01882   532   NtAllocateVirtualMemory  (-1, 10031104, 0, 8192, 4096, 4, ... 10031104, 8192, ) == 0x0
 01883   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01884   532   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10289152, 1048576, ) == 0x0
 01885   532   NtAllocateVirtualMemory  (-1, 10289152, 0, 1048576, 4096, 4, ... 10289152, 1048576, ) == 0x0
 01886   532   NtCreateMutant  (0x1f0001, 0x0, 0, ... 288, ) == 0x0
 01887   532   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 276, ) == 0x0
 01888   532   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 01889   532   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 296, ) == 0x0
 01890   532   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 01891   532   NtSetEvent  (300, ... 0x0, ) == 0x0
 01892   532   NtSetInformationFile  (284, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01893   532   NtReadFile  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 01894   532   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01895   532   NtClearEvent  (276, ... ) == 0x0
 01896   532   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01897   532   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01898   532   NtSetEvent  (276, ... 0x0, ) == 0x0
 01899   532   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01900   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01901   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01902   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 01903   532   NtClose  (304, ... ) == 0x0
 01904   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01905   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01906   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01907   532   NtClose  (304, ... ) == 0x0
 01908   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01909   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01910   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 01911   532   NtClose  (304, ... ) == 0x0
 01912   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01913   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01914   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 01915   532   NtClose  (304, ... ) == 0x0
 01916   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01917   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01918   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 01919   532   NtClose  (304, ... ) == 0x0
 01920   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01921   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01922   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 01923   532   NtClose  (304, ... ) == 0x0
 01924   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01926   532   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01927   532   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 01928   532   NtClose  (304, ... ) == 0x0
 01929   532   NtWaitForMultipleObjects  (2, (288, 276, ), 0, 0, 0x0, ... ) == 0x0
 01930   532   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01931   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01932   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 01933   532   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01934   532   NtClose  (304, ... ) == 0x0
 01935   532   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01936   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01937   532   NtClose  (304, ... ) == 0x0
 01938   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 304, ) }, ... 304, ) == 0x0
 01939   532   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01940   532   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01941   532   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01942   532   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01943   532   NtClose  (304, ... ) == 0x0
 01944   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 304, ) }, ... 304, ) == 0x0
 01945   532   NtQueryValueKey  (304,  (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01946   532   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01947   532   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01948   532   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01949   532   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01950   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231492, ... ) }, 1231492, ... ) == 0x0
 01951   532   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 308, ) }, ... 308, ) == 0x0
 01952   532   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01953   532   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01954   532   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01955   532   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01956   532   NtClose  (308, ... ) == 0x0
 01957   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   532   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01959   532   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01960   532   NtQueryInformationToken  (308, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01961   532   NtClose  (308, ... ) == 0x0
 01962   532   NtClose  (304, ... ) == 0x0
 01963   532   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01964   532   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01965   532   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01966   532   NtClose  (304, ... ) == 0x0
 01967   532   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01968   532   NtCreateKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0
 01969   532   NtClose  (304, ... ) == 0x0
 01970   532   NtQueryValueKey  (308,  (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 01971   532   NtClose  (308, ... ) == 0x0
 01972   532   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01973   532   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01974   532   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01975   532   NtClose  (308, ... ) == 0x0
 01976   532   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 01977   532   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 304, ) }, ... 304, ) == 0x0
 01978   532   NtClose  (308, ... ) == 0x0
 01979   532   NtQueryValueKey  (304,  (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 01980   532   NtClose  (304, ... ) == 0x0
 01981   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01982   532   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01983   532   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01984   532   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01985   532   NtClose  (304, ... ) == 0x0
 01986   532   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01987   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   532   NtClose  (304, ... ) == 0x0
 01989   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01990   532   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 284, ... 304, ) == 0x0
 01991   532   NtMapViewOfSection  (304, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xad0000), {0, 0}, 4096, ) == 0x0
 01992   532   NtClose  (304, ... ) == 0x0
 01993   532   NtQueryInformationFile  (284, 1233708, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01994   532   NtUnmapViewOfSection  (-1, 0xad0000, ... ) == 0x0
 01995   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 01996   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 01997   532   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 01998   532   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 01999   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02000   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02001   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02002   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02003   532   NtClose  (316, ... ) == 0x0
 02004   532   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02005   532   NtClose  (312, ... ) == 0x0
 02006   532   NtClose  (308, ... ) == 0x0
 02007   532   NtClose  (304, ... ) == 0x0
 02008   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02009   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02010   532   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 312, ) }, ... 312, ) == 0x0
 02011   532   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02012   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 316, ) }, ... 316, ) == 0x0
 02013   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02014   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02015   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02016   532   NtClose  (316, ... ) == 0x0
 02017   532   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02018   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02019   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02020   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02021   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02022   532   NtClose  (316, ... ) == 0x0
 02023   532   NtEnumerateKey  (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02024   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 316, ) }, ... 316, ) == 0x0
 02025   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02026   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02027   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02028   532   NtClose  (316, ... ) == 0x0
 02029   532   NtEnumerateKey  (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02030   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02031   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02032   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02033   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02034   532   NtClose  (316, ... ) == 0x0
 02035   532   NtEnumerateKey  (312, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02036   532   NtClose  (312, ... ) == 0x0
 02037   532   NtClose  (308, ... ) == 0x0
 02038   532   NtClose  (304, ... ) == 0x0
 02039   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02040   532   NtEnumerateKey  (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02041   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02042   532   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02043   532   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02044   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02045   532   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02046   532   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02047   532   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02048   532   NtClose  (316, ... ) == 0x0
 02049   532   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02050   532   NtClose  (312, ... ) == 0x0
 02051   532   NtClose  (308, ... ) == 0x0
 02052   532   NtEnumerateKey  (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02053   532   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 1"}, ... 308, ) }, ... 308, ) == 0x0
 02054   532   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02055   532   NtClose  (308, ... ) == 0x0
 02056   532   NtEnumerateKey  (304, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02057   532   NtClose  (304, ... ) == 0x0
 02058   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02059   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 02060   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 304, ... 308, ) == 0x0
 02061   532   NtClose  (304, ... ) == 0x0
 02062   532   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 16384, ) == 0x0
 02063   532   NtClose  (308, ... ) == 0x0
 02064   532   NtUnmapViewOfSection  (-1, 0xad0000, ... ) == 0x0
 02065   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02066   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02067   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 02068   532   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02069   532   NtClose  (308, ... ) == 0x0
 02070   532   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02071   532   NtClose  (304, ... ) == 0x0
 02072   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230812, ... ) }, 1230812, ... ) == 0x0
 02073   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 304, ) == 0x0
 02074   532   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11468800, 1048576, ) == 0x0
 02075   532   NtAllocateVirtualMemory  (-1, 12509184, 0, 8192, 4096, 4, ... 12509184, 8192, ) == 0x0
 02076   532   NtProtectVirtualMemory  (-1, (0xbee000), 4096, 260, ... (0xbee000), 4096, 4, ) == 0x0
 02077   532   NtCreateThread  (0x1f03ff, 0x0, -1, 1232760, 1233476, 1, ... 308, {508, 944}, ) == 0x0
 02078   532   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=508,Tid=944,}, 0x0, ) == 0x0
 02079   532   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0\374\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 508, 532, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0\374\1\0\0\260\3\0\0" )  ... {28, 56, reply, 0, 508, 532, 1586, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0\374\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 508, 532, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0\374\1\0\0\260\3\0\0" )  ) == 0x0
 02080   532   NtResumeThread  (308, ... 1, ) == 0x0
 02081   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 312, ) }, ... 312, ) == 0x0
 02082   944   NtTestAlert  (... ) == 0x0
 02083   944   NtContinue  (12516656, 1, ...
 02084   944   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02085   944   NtWaitForMultipleObjects  (1, (304, ), 1, 0, {-150000000, -1}, ...
 02086   532   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02087   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 0"}, ... 316, ) }, ... 316, ) == 0x0
 02088   532   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 320, ) }, ... 320, ) == 0x0
 02089   532   NtEnumerateKey  (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02090   532   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 324, ) }, ... 324, ) == 0x0
 02091   532   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02092   532   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02093   532   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02094   532   NtClose  (324, ... ) == 0x0
 02095   532   NtEnumerateKey  (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02096   532   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02097   532   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02098   532   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02099   532   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02100   532   NtClose  (324, ... ) == 0x0
 02101   532   NtEnumerateKey  (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02102   532   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 324, ) }, ... 324, ) == 0x0
 02103   532   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02104   532   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02105   532   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02106   532   NtClose  (324, ... ) == 0x0
 02107   532   NtEnumerateKey  (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02108   532   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02109   532   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02110   532   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02111   532   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02112   532   NtClose  (324, ... ) == 0x0
 02113   532   NtEnumerateKey  (320, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02114   532   NtClose  (320, ... ) == 0x0
 02115   532   NtClose  (316, ... ) == 0x0
 02116   532   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02117   532   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 1"}, ... 316, ) }, ... 316, ) == 0x0
 02118   532   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02119   532   NtClose  (316, ... ) == 0x0
 02120   532   NtEnumerateKey  (312, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02121   532   NtClose  (312, ... ) == 0x0
 02122   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02123   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == 0x0
 02126   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02127   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02128   532   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02129   532   NtClose  (312, ... ) == 0x0
 02130   532   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02131   532   NtClose  (316, ... ) == 0x0
 02132   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02133   532   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 02134   532   NtAllocateVirtualMemory  (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0
 02135   532   NtAllocateVirtualMemory  (-1, 11341824, 0, 8192, 4096, 4, ... 11341824, 8192, ) == 0x0
 02136   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231132, ... ) }, 1231132, ... ) == 0x0
 02137   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02138   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02139   532   NtClose  (316, ... ) == 0x0
 02140   532   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 262144, ) == 0x0
 02141   532   NtClose  (312, ... ) == 0x0
 02142   532   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 02143   532   NtAllocateLocallyUniqueId  (... {97293, 0}, ) == 0x0
 02144   532   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02145   532   NtOpenProcessToken  (-1, 0x20008, ... 312, ) == 0x0
 02146   532   NtQueryInformationToken  (312, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02147   532   NtClose  (312, ... ) == 0x0
 02148   532   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232452, 0,  (0xf0007, {24, 52, 0x80, 1232452, 0, "DfSharedHeap17C0D"}, {4194304, 0}, 4, 67108864, 0, ... 312, ) }, {4194304, 0}, 4, 67108864, 0, ... 312, ) == 0x0
 02149   532   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbf0000), {0, 0}, 4194304, ) == 0x0
 02150   532   NtAllocateVirtualMemory  (-1, 12517376, 0, 16376, 4096, 4, ... 12517376, 16384, ) == 0x0
 02151   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229968,  (0x80100080, {24, 0, 0x40, 0, 1229968, "\??\UNC\missouri\binaries\work\cmskcplu.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 02152   532   NtReadFile  (316, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=124},  (316, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=124}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del cmskcplu.bat\15\12", ) , ) == 0x0
 02153   532   NtClose  (316, ... ) == 0x0
 02154   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02155   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02156   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 320, ) == 0x0
 02157   532   NtClose  (316, ... ) == 0x0
 02158   532   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xff0000), 0x0, 69632, ) == 0x0
 02159   532   NtClose  (320, ... ) == 0x0
 02160   532   NtUnmapViewOfSection  (-1, 0xff0000, ... ) == 0x0
 02161   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02162   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02163   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 02164   532   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02165   532   NtClose  (320, ... ) == 0x0
 02166   532   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02167   532   NtClose  (316, ... ) == 0x0
 02168   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02169   532   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02170   532   NtClose  (316, ... ) == 0x0
 02171   532   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02172   532   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02173   532   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02174   532   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02175   532   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02176   532   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02177   532   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02178   532   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02179   532   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02180   532   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02181   532   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02182   532   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02183   532   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02184   532   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02185   532   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02186   532   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02187   532   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02188   532   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02189   532   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02190   532   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02191   532   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02192   532   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02193   532   NtOpenProcessToken  (-1, 0x8, ... 316, ) == 0x0
 02194   532   NtQueryInformationToken  (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02195   532   NtClose  (316, ... ) == 0x0
 02196   532   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02197   532   NtReleaseMutant  (16, ...
 02198   532   NtContinue  (-136150904, 0, ...
 02197   532   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02199   532   NtQueryDefaultLocale  (1, 1230232, ... ) == 0x0
 02200   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   532   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02223   532   NtReleaseMutant  (16, ...
 02224   532   NtContinue  (-136150904, 0, ...
 02223   532   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02225   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02233   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02235   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02237   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02238   532   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02239   532   NtClose  (316, ... ) == 0x0
 02240   532   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0
 02241   532   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0
 02242   532   NtClose  (316, ... ) == 0x0
 02243   532   NtQueryValueKey  (320,  (320, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02244   532   NtQueryValueKey  (320,  (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02245   532   NtClose  (320, ... ) == 0x0
 02246   532   NtClose  (284, ... ) == 0x0
 02247   532   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 16711680, 4096, ) == 0x0
 02248   532   NtAllocateVirtualMemory  (-1, 16711680, 0, 4096, 4096, 4, ... 16711680, 4096, ) == 0x0
 02249   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 02250   532   NtQueryValueKey  (284,  (284, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02251   532   NtClose  (284, ... ) == 0x0
 02252   532   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253   532   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02254   532   NtOpenProcessToken  (-1, 0x2000a, ... 284, ) == 0x0
 02255   532   NtQueryInformationToken  (284, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02256   532   NtQueryInformationToken  (284, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02257   532   NtClose  (284, ... ) == 0x0
 02258   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02259   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02260   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02261   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02262   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02263   532   NtQueryValueKey  (284,  (284, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02264   532   NtClose  (284, ... ) == 0x0
 02265   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02266   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02267   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02269   532   NtQueryValueKey  (284,  (284, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02270   532   NtClose  (284, ... ) == 0x0
 02271   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02272   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02273   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 02274   532   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02275   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02276   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 02277   532   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02278   532   NtClose  (320, ... ) == 0x0
 02279   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   532   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02281   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230840, ... ) }, 1230840, ... ) == 0x0
 02282   532   NtClose  (286, ... ) == 0x0
 02283   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02284   532   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 284, {status=0x0, info=1}, ) }, 3, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02285   532   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 320, ) }, ... 320, ) == 0x0
 02286   532   NtQuerySymbolicLinkObject  (320, ...  (320, ... "\Device\WinDfs\U:0000000000009176", 66, ) , 66, ) == 0x0
 02287   532   NtClose  (320, ... ) == 0x0
 02288   532   NtQueryVolumeInformationFile  (284, 1234192, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02289   532   NtClose  (284, ... ) == 0x0
 02290   532   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02291   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 284, ) }, ... 284, ) == 0x0
 02292   532   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 320, ) }, ... 320, ) == 0x0
 02293   532   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02294   532   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02295   532   NtClose  (320, ... ) == 0x0
 02296   532   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02297   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02298   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02299   532   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02300   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02301   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02302   532   NtClose  (320, ... ) == 0x0
 02303   532   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02304   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02305   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02306   532   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02307   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02308   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02309   532   NtClose  (320, ... ) == 0x0
 02310   532   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02311   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02312   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02313   532   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02314   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02315   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02316   532   NtClose  (320, ... ) == 0x0
 02317   532   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02318   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02319   532   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02320   532   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02321   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02322   532   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02323   532   NtClose  (320, ... ) == 0x0
 02324   532   NtClose  (284, ... ) == 0x0
 02325   532   NtQueryDefaultLocale  (1, 1233744, ... ) == 0x0
 02326   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02327   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02328   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02329   532   NtClose  (284, ... ) == 0x0
 02330   532   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1000000), 0x0, 12288, ) == 0x0
 02331   532   NtClose  (320, ... ) == 0x0
 02332   532   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 02333   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02334   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02335   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02336   532   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02337   532   NtClose  (320, ... ) == 0x0
 02338   532   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02339   532   NtClose  (284, ... ) == 0x0
 02340   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 284, ) }, ... 284, ) == 0x0
 02341   532   NtQueryValueKey  (284,  (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02342   532   NtClose  (284, ... ) == 0x0
 02343   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02344   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02345   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02346   532   NtClose  (284, ... ) == 0x0
 02347   532   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1000000), 0x0, 40960, ) == 0x0
 02348   532   NtClose  (320, ... ) == 0x0
 02349   532   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 02350   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02351   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02352   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02353   532   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02354   532   NtClose  (320, ... ) == 0x0
 02355   532   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02356   532   NtClose  (284, ... ) == 0x0
 02357   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02358   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02359   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02360   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02361   532   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02362   532   NtClose  (284, ... ) == 0x0
 02363   532   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02364   532   NtClose  (320, ... ) == 0x0
 02365   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02366   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02367   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02368   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02369   532   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02370   532   NtClose  (320, ... ) == 0x0
 02371   532   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02372   532   NtClose  (284, ... ) == 0x0
 02373   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02374   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02375   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02376   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02377   532   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02378   532   NtClose  (284, ... ) == 0x0
 02379   532   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02380   532   NtClose  (320, ... ) == 0x0
 02381   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02382   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02383   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02384   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02385   532   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02386   532   NtClose  (320, ... ) == 0x0
 02387   532   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02388   532   NtClose  (284, ... ) == 0x0
 02389   532   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 284, ) }, ... 284, ) == 0x0
 02390   532   NtQueryValueKey  (284,  (284, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   532   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 320, ) == 0x0
 02392   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02393   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02394   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02395   532   NtClose  (316, ... ) == 0x0
 02396   532   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1000000), 0x0, 24576, ) == 0x0
 02397   532   NtClose  (324, ... ) == 0x0
 02398   532   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 02399   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02400   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02401   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02402   532   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02403   532   NtClose  (324, ... ) == 0x0
 02404   532   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02405   532   NtClose  (316, ... ) == 0x0
 02406   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02407   532   NtQueryValueKey  (316,  (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02408   532   NtClose  (316, ... ) == 0x0
 02409   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02410   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02411   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02412   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02413   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == 0x0
 02414   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02415   532   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02416   532   NtClose  (316, ... ) == 0x0
 02417   532   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1000000), 0x0, 122880, ) == 0x0
 02418   532   NtClose  (324, ... ) == 0x0
 02419   532   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 02420   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02421   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02422   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02423   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02424   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == 0x0
 02425   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02426   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02427   532   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02428   532   NtClose  (324, ... ) == 0x0
 02429   532   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02430   532   NtClose  (316, ... ) == 0x0
 02431   532   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02432   532   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02433   532   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02434   532   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02435   532   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02436   532   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02437   532   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02438   532   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02439   532   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02440   532   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02441   532   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02442   532   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02443   532   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02444   532   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0
 02445   532   NtAllocateVirtualMemory  (-1, 16777216, 0, 4096, 4096, 4, ... 16777216, 4096, ) == 0x0
 02446   532   NtAllocateVirtualMemory  (-1, 16781312, 0, 8192, 4096, 4, ... 16781312, 8192, ) == 0x0
 02447   532   NtAllocateVirtualMemory  (-1, 16789504, 0, 4096, 4096, 4, ... 16789504, 4096, ) == 0x0
 02448   532   NtQueryPerformanceCounter  (... {109053576, 0}, {3579545, 0}, ) == 0x0
 02449   532   NtRaiseException  (1231556, 1230816, 1, ...
 02450   532   NtContinue  (1229612, 0, ...
 02451   532   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 316, ) }, ... 316, ) == 0x0
 02452   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02453   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02454   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02455   532   NtRaiseException  (1221532, 1220792, 1, ...
 02456   532   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 02457   532   NtContinue  (1219588, 0, ...
 02458   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02459   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02460   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02461   532   NtRaiseException  (1223292, 1222552, 1, ...
 02462   532   NtContinue  (1221348, 0, ...
 02463   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02464   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02465   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02466   532   NtRaiseException  (1223296, 1222556, 1, ...
 02467   532   NtContinue  (1221352, 0, ...
 02468   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02469   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02470   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02471   532   NtRaiseException  (1223292, 1222552, 1, ...
 02472   532   NtContinue  (1221348, 0, ...
 02473   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02474   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02475   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02476   532   NtRaiseException  (1223296, 1222556, 1, ...
 02477   532   NtContinue  (1221352, 0, ...
 02478   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02479   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02480   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02481   532   NtRaiseException  (1223292, 1222552, 1, ...
 02482   532   NtContinue  (1221348, 0, ...
 02483   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02484   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02485   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02486   532   NtRaiseException  (1223296, 1222556, 1, ...
 02487   532   NtContinue  (1221352, 0, ...
 02488   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02489   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02490   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02491   532   NtRaiseException  (1223292, 1222552, 1, ...
 02492   532   NtContinue  (1221348, 0, ...
 02493   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02494   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02495   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02496   532   NtRaiseException  (1223296, 1222556, 1, ...
 02497   532   NtContinue  (1221352, 0, ...
 02498   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02499   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02500   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02501   532   NtRaiseException  (1223292, 1222552, 1, ...
 02502   532   NtContinue  (1221348, 0, ...
 02503   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02504   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02505   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02506   532   NtRaiseException  (1223296, 1222556, 1, ...
 02507   532   NtContinue  (1221352, 0, ...
 02508   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02509   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02510   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02511   532   NtRaiseException  (1223292, 1222552, 1, ...
 02512   532   NtContinue  (1221348, 0, ...
 02513   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02514   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02515   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02516   532   NtRaiseException  (1223296, 1222556, 1, ...
 02517   532   NtContinue  (1221352, 0, ...
 02518   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02519   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02520   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02521   532   NtRaiseException  (1223292, 1222552, 1, ...
 02522   532   NtContinue  (1221348, 0, ...
 02523   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02524   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02525   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02526   532   NtRaiseException  (1223296, 1222556, 1, ...
 02527   532   NtContinue  (1221352, 0, ...
 02528   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02529   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02531   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02532   532   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {508, 0}, ... 324, ) == 0x0
 02533   532   NtQueryInformationProcess  (324, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02534   532   NtClose  (324, ... ) == 0x0
 02535   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02536   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02537   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 02538   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02539   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02540   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02541   532   NtSetInformationFile  (328, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02542   532   NtSetInformationFile  (328, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02543   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02544   532   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02545   532   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02546   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02547   532   NtClose  (324, ... ) == 0x0
 02548   532   NtClose  (328, ... ) == 0x0
 02549   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02550   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02551   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02552   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02553   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02554   532   NtSetInformationFile  (324, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02555   532   NtSetInformationFile  (324, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02556   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02557   532   NtWriteFile  (324, 129, 0, 0,  (324, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02558   532   NtReadFile  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02559   532   NtFsControlFile  (324, 129, 0x0, 0x0, 0x11c017,  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02560   532   NtClose  (328, ... ) == 0x0
 02561   532   NtClose  (324, ... ) == 0x0
 02562   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02563   532   NtQueryKey  (324, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02564   532   NtQuerySecurityObject  (324, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02565   532   NtQuerySecurityObject  (324, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02566   532   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 16842752, 524288, ) == 0x0
 02567   532   NtAllocateVirtualMemory  (-1, 16842752, 0, 4096, 4096, 4, ... 16842752, 4096, ) == 0x0
 02568   532   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02569   532   NtClose  (324, ... ) == 0x0
 02570   532   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02571   532   NtFsControlFile  (324, 0, 0x0, 0x0, 0x600bc,  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02572   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02573   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02574   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02575   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02576   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232212,  (0xc0100080, {24, 0, 0x40, 0, 1232212, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02577   532   NtSetInformationFile  (332, 1232268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02578   532   NtSetInformationFile  (332, 1232260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02579   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02580   532   NtWriteFile  (332, 129, 0, 0,  (332, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02581   532   NtReadFile  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02582   532   NtFsControlFile  (332, 129, 0x0, 0x0, 0x11c017,  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310'\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02583   532   NtClose  (328, ... ) == 0x0
 02584   532   NtClose  (332, ... ) == 0x0
 02585   532   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02586   532   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02587   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02588   532   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02589   532   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02590   532   NtClose  (332, ... ) == 0x0
 02591   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02592   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02593   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02594   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02595   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232248,  (0xc0100080, {24, 0, 0x40, 0, 1232248, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02596   532   NtSetInformationFile  (328, 1232304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02597   532   NtSetInformationFile  (328, 1232296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02598   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02599   532   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02600   532   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02601   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02602   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02603   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02604   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\325dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02605   532   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\326dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02606   532   NtClose  (332, ... ) == 0x0
 02607   532   NtClose  (328, ... ) == 0x0
 02608   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02609   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02610   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02611   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02612   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == 0x0
 02613   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02614   532   NtQueryValueKey  (328,  (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 02615   532   NtClose  (328, ... ) == 0x0
 02616   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02617   532   NtQueryValueKey  (328,  (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 02618   532   NtClose  (328, ... ) == 0x0
 02619   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 02620   532   NtQueryValueKey  (328,  (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02621   532   NtClose  (328, ... ) == 0x0
 02622   532   NtRaiseException  (1222216, 1221476, 1, ...
 02623   532   NtContinue  (1220272, 0, ...
 02624   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02625   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02626   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02627   532   NtRaiseException  (1222212, 1221472, 1, ...
 02628   532   NtContinue  (1220268, 0, ...
 02629   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02630   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02631   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02632   532   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1232880, 0,  (0x1f0001, {24, 52, 0x80, 1232880, 0, "HGFSMUTEX"}, 1, ... 328, ) }, 1, ... 328, ) == 0x0
 02633   532   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02634   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02636   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1229900, ... ) }, 1229900, ... ) == 0x0
 02637   532   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02638   532   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 02639   532   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02640   532   NtClose  (332, ... ) == 0x0
 02641   532   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 02642   532   NtClose  (336, ... ) == 0x0
 02643   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02644   532   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356136, 0,  (0x1f0003, {24, 52, 0x80, 1356136, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 336, ) }, 0, 2147483647, ... 336, ) == STATUS_OBJECT_NAME_EXISTS
 02645   532   NtReleaseSemaphore  (336, 1, ... 0, ) == 0x0
 02646   532   NtWaitForSingleObject  (336, 0, {0, 0}, ... ) == 0x0
 02647   532   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02648   532   NtQueryValueKey  (332,  (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 02649   532   NtClose  (332, ... ) == 0x0
 02650   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1230432, ... ) }, 1230432, ... ) == 0x0
 02651   532   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02652   532   NtSetValueKey  (332,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 02653   532   NtClose  (332, ... ) == 0x0
 02654   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02655   532   NtQueryDirectoryFile  (332, 0, 0, 0, 1230572, 616, BothDirectory, 1,  (332, 0, 0, 0, 1230572, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 02656   532   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 02657   532   NtRaiseException  (1221852, 1221112, 1, ...
 02658   532   NtContinue  (1219908, 0, ...
 02659   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02660   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02661   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02662   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232880, 1232456,  (0xc0100080, {24, 0, 0x40, 1232880, 1232456, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02663   532   NtRaiseException  (1221852, 1221112, 1, ...
 02664   532   NtContinue  (1219908, 0, ...
 02665   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02666   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02667   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02668   532   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232880, 0,  (0xf0007, {24, 52, 0x80, 1232880, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 340, ... 344, ) }, {27876, 0}, 4, 134217728, 340, ... 344, ) == 0x0
 02669   532   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x10a0000), {0, 0}, 28672, ) == 0x0
 02670   532   NtReleaseMutant  (328, ... 0x0, ) == 0x0
 02671   532   NtRaiseException  (1223268, 1222528, 1, ...
 02672   532   NtContinue  (1221324, 0, ...
 02673   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02674   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02675   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02676   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233924, 1233512,  (0xc0100080, {24, 0, 0x40, 1233924, 1233512, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 02677   532   NtDeviceIoControlFile  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 02678   532   NtClose  (348, ... ) == 0x0
 02679   532   NtRaiseException  (1223248, 1222508, 1, ...
 02680   532   NtContinue  (1221304, 0, ...
 02681   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02682   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02683   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02684   532   NtRaiseException  (1223268, 1222528, 1, ...
 02685   532   NtContinue  (1221324, 0, ...
 02686   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02687   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02688   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02689   532   NtAllocateVirtualMemory  (-1, 1466368, 0, 20480, 4096, 4, ... 1466368, 20480, ) == 0x0
 02690   532   NtAllocateVirtualMemory  (-1, 1486848, 0, 20480, 4096, 4, ... 1486848, 20480, ) == 0x0
 02691   532   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02692   532   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02693   532   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 02694   532   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 02695   532   NtClose  (348, ... ) == 0x0
 02696   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02697   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02698   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02699   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02700   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232188,  (0xc0100080, {24, 0, 0x40, 0, 1232188, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02701   532   NtSetInformationFile  (352, 1232244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02702   532   NtSetInformationFile  (352, 1232236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02703   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02704   532   NtWriteFile  (352, 129, 0, 0,  (352, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02705   532   NtReadFile  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02706   532   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]&\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02707   532   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02708   532   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02709   532   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\327dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02710   532   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\330dJn\304?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02711   532   NtClose  (348, ... ) == 0x0
 02712   532   NtClose  (352, ... ) == 0x0
 02713   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02714   532   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02715   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02716   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02717   532   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232280,  (0xc0100080, {24, 0, 0x40, 0, 1232280, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02718   532   NtSetInformationFile  (348, 1232336, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02719   532   NtSetInformationFile  (348, 1232328, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02720   532   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02721   532   NtWriteFile  (348, 129, 0, 0,  (348, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02722   532   NtReadFile  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\207+\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02723   532   NtFsControlFile  (348, 129, 0x0, 0x0, 0x11c017,  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\207+\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\207+\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02724   532   NtClose  (352, ... ) == 0x0
 02725   532   NtClose  (348, ... ) == 0x0
 02726   532   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02727   532   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02728   532   NtClose  (348, ... ) == 0x0
 02729   532   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02730   532   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02731   532   NtClose  (348, ... ) == 0x0
 02732   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02733   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02734   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02735   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02736   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02737   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02738   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02739   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740   532   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02741   532   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02742   532   NtClose  (348, ... ) == 0x0
 02743   532   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02744   532   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02745   532   NtClose  (348, ... ) == 0x0
 02746   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02747   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02748   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02750   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02751   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02752   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02753   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02754   532   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02755   532   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02756   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02757   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02758   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02759   532   NtClose  (348, ... ) == 0x0
 02760   532   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02761   532   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Network"}, ... 352, ) }, ... 352, ) == 0x0
 02762   532   NtClose  (348, ... ) == 0x0
 02763   532   NtQueryKey  (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 02764   532   NtQuerySecurityObject  (352, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02765   532   NtQuerySecurityObject  (352, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02766   532   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02767   532   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 02768   532   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "f"}, ... 348, ) }, ... 348, ) == 0x0
 02769   532   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02770   532   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02771   532   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02772   532   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02773   532   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02774   532   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02775   532   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02776   532   NtClose  (348, ... ) == 0x0
 02777   532   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 02778   532   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "u"}, ... 348, ) }, ... 348, ) == 0x0
 02779   532   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02780   532   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02781   532   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02782   532   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02783   532   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02784   532   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02785   532   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02786   532   NtClose  (348, ... ) == 0x0
 02787   532   NtClose  (352, ... ) == 0x0
 02788   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02789   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02790   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02791   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02792   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02793   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02794   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 352, ) }, ... 352, ) == 0x0
 02795   532   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02796   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02797   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02798   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02799   532   NtClose  (348, ... ) == 0x0
 02800   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02801   532   NtEnumerateKey  (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 02802   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02803   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02804   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 348, ) }, ... 348, ) == 0x0
 02805   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 02806   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02807   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02808   532   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02809   532   NtClose  (356, ... ) == 0x0
 02810   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02811   532   NtQueryValueKey  (350,  (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02812   532   NtClose  (350, ... ) == 0x0
 02813   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02814   532   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 348, {status=0x0, info=1}, ) }, 3, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02815   532   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 356, ) }, ... 356, ) == 0x0
 02816   532   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\WinDfs\U:0000000000009176", 66, ) , 66, ) == 0x0
 02817   532   NtClose  (356, ... ) == 0x0
 02818   532   NtQueryVolumeInformationFile  (348, 1233600, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02819   532   NtClose  (348, ... ) == 0x0
 02820   532   NtEnumerateKey  (354, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02821   532   NtClose  (354, ... ) == 0x0
 02822   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02823   532   NtQueryDirectoryFile  (352, 0, 0, 0, 1232384, 616, BothDirectory, 1,  (352, 0, 0, 0, 1232384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02824   532   NtClose  (352, ... ) == 0x0
 02825   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02826   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02827   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 352, ) }, ... 352, ) == 0x0
 02828   532   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02829   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02830   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02831   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02832   532   NtClose  (348, ... ) == 0x0
 02833   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02834   532   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02835   532   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02836   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02837   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02838   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02839   532   NtClose  (348, ... ) == 0x0
 02840   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02841   532   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 02842   532   NtClose  (354, ... ) == 0x0
 02843   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02844   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02845   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02846   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02847   532   NtQueryValueKey  (352,  (352, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02848   532   NtClose  (352, ... ) == 0x0
 02849   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02850   532   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 02851   532   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02852   532   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02853   532   NtClose  (352, ... ) == 0x0
 02854   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02855   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02856   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02857   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02858   532   NtQueryValueKey  (352,  (352, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02859   532   NtClose  (352, ... ) == 0x0
 02860   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02861   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02862   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02863   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02864   532   NtQueryValueKey  (352,  (352, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02865   532   NtClose  (352, ... ) == 0x0
 02866   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02867   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02868   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02869   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02870   532   NtQueryValueKey  (352,  (352, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02871   532   NtClose  (352, ... ) == 0x0
 02872   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02873   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02874   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02875   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02876   532   NtQueryValueKey  (352,  (352, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02877   532   NtClose  (352, ... ) == 0x0
 02878   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02879   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02880   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02881   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02882   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02884   532   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02885   532   NtClose  (352, ... ) == 0x0
 02886   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02887   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02888   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02889   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02890   532   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02891   532   NtClose  (352, ... ) == 0x0
 02892   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02893   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02894   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02895   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02896   532   NtQueryValueKey  (352,  (352, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02897   532   NtClose  (352, ... ) == 0x0
 02898   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02899   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02900   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02901   532   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "Advanced"}, ... 352, ) }, ... 352, ) == 0x0
 02902   532   NtQueryValueKey  (352,  (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 02903   532   NtQueryValueKey  (352,  (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02904   532   NtQueryValueKey  (352,  (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02905   532   NtQueryValueKey  (352,  (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02906   532   NtQueryValueKey  (352,  (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02907   532   NtQueryValueKey  (352,  (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02908   532   NtQueryValueKey  (352,  (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02909   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02910   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02911   532   NtQueryValueKey  (352,  (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02912   532   NtQueryValueKey  (352,  (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02913   532   NtQueryValueKey  (352,  (352, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02914   532   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02915   532   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02916   532   NtClose  (352, ... ) == 0x0
 02917   532   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356136, 0,  (0x1f0003, {24, 52, 0x80, 1356136, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 352, ) }, 0, 2147483647, ... 352, ) == STATUS_OBJECT_NAME_EXISTS
 02918   532   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 02919   532   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 02920   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02921   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02922   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02923   532   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02924   532   NtClose  (356, ... ) == 0x0
 02925   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02926   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02927   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02928   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02929   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02930   532   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02931   532   NtClose  (356, ... ) == 0x0
 02932   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02933   532   NtQueryValueKey  (350,  (350, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02934   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02935   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02936   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02937   532   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02938   532   NtClose  (356, ... ) == 0x0
 02939   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02940   532   NtQueryValueKey  (350,  (350, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02941   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02942   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02943   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02944   532   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02945   532   NtClose  (356, ... ) == 0x0
 02946   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02947   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02948   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02949   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02950   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 356, ) }, ... 356, ) == 0x0
 02951   532   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 02952   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02953   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02954   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02955   532   NtClose  (360, ... ) == 0x0
 02956   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02957   532   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02958   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02959   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02960   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02961   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02962   532   NtClose  (360, ... ) == 0x0
 02963   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02964   532   NtQueryValueKey  (350,  (350, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02965   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02966   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02967   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02968   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02969   532   NtClose  (360, ... ) == 0x0
 02970   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02971   532   NtQueryValueKey  (350,  (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02972   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02973   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02974   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02975   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02976   532   NtClose  (360, ... ) == 0x0
 02977   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02978   532   NtQueryValueKey  (350,  (350, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02979   532   NtClose  (350, ... ) == 0x0
 02980   532   NtClose  (358, ... ) == 0x0
 02981   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02982   532   NtQueryDirectoryFile  (356, 0, 0, 0, 1232304, 616, BothDirectory, 1,  (356, 0, 0, 0, 1232304, 616, BothDirectory, 1, "cmskcplu.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02983   532   NtClose  (356, ... ) == 0x0
 02984   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02985   532   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "FileExts"}, ... 356, ) }, ... 356, ) == 0x0
 02986   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02987   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02988   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02989   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02990   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02991   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 348, ) }, ... 348, ) == 0x0
 02992   532   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02993   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02994   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02995   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02996   532   NtClose  (360, ... ) == 0x0
 02997   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02998   532   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02999   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03000   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03001   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 360, ) }, ... 360, ) == 0x0
 03002   532   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03003   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03004   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03005   532   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03006   532   NtClose  (364, ... ) == 0x0
 03007   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03008   532   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03009   532   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03010   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03011   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03012   532   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03013   532   NtClose  (364, ... ) == 0x0
 03014   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03015   532   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0, ""}, ... 364, ) == 0x0
 03016   532   NtClose  (362, ... ) == 0x0
 03017   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03018   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03019   532   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03020   532   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03021   532   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03022   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03023   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03024   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03025   532   NtClose  (360, ... ) == 0x0
 03026   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03027   532   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03028   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03029   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03030   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03031   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03032   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03033   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03034   532   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03035   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03036   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03037   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03038   532   NtClose  (368, ... ) == 0x0
 03039   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   532   NtQueryValueKey  (362,  (362, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03041   532   NtClose  (362, ... ) == 0x0
 03042   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03043   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03044   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03045   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03046   532   NtClose  (360, ... ) == 0x0
 03047   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03048   532   NtQueryValueKey  (366,  (366, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03050   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03051   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03052   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03053   532   NtClose  (360, ... ) == 0x0
 03054   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03055   532   NtQueryValueKey  (366,  (366, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03056   532   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03057   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03058   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03059   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03060   532   NtClose  (360, ... ) == 0x0
 03061   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03062   532   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03064   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03065   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 360, ) }, ... 360, ) == 0x0
 03066   532   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03067   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03068   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03069   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03070   532   NtClose  (368, ... ) == 0x0
 03071   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03072   532   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03073   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03074   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03075   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03076   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03077   532   NtClose  (368, ... ) == 0x0
 03078   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03079   532   NtQueryValueKey  (366,  (366, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03080   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03081   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03082   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03083   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03084   532   NtClose  (368, ... ) == 0x0
 03085   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03086   532   NtQueryValueKey  (366,  (366, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03087   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03088   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03089   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03090   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03091   532   NtClose  (368, ... ) == 0x0
 03092   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03093   532   NtQueryValueKey  (366,  (366, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03094   532   NtClose  (350, ... ) == 0x0
 03095   532   NtClose  (366, ... ) == 0x0
 03096   532   NtClose  (362, ... ) == 0x0
 03097   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03098   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03099   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03100   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03101   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03102   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03103   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03104   532   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03105   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03106   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03107   532   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03108   532   NtClose  (364, ... ) == 0x0
 03109   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   532   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03111   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03112   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03113   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 364, ) }, ... 364, ) == 0x0
 03114   532   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03115   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03116   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03117   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03118   532   NtClose  (348, ... ) == 0x0
 03119   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03120   532   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03121   532   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03122   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03123   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03124   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03125   532   NtClose  (348, ... ) == 0x0
 03126   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03127   532   NtOpenKey  (0x2000000, {24, 366, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03128   532   NtClose  (366, ... ) == 0x0
 03129   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03130   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03131   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03132   532   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03133   532   NtClose  (364, ... ) == 0x0
 03134   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03135   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   532   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03137   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03138   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03139   532   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03140   532   NtClose  (364, ... ) == 0x0
 03141   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03142   532   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03143   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03144   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03145   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03146   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03147   532   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03148   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03149   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03150   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03151   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03152   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03153   532   NtClose  (368, ... ) == 0x0
 03154   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03155   532   NtQueryValueKey  (366,  (366, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03156   532   NtClose  (366, ... ) == 0x0
 03157   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03158   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 364, ) }, ... 364, ) == 0x0
 03160   532   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03161   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03162   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03163   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03164   532   NtClose  (368, ... ) == 0x0
 03165   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03166   532   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03167   532   NtClose  (362, ... ) == 0x0
 03168   532   NtClose  (350, ... ) == 0x0
 03169   532   NtClose  (366, ... ) == 0x0
 03170   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03171   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03172   532   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03173   532   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03174   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03175   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03177   532   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03178   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03179   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03180   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03181   532   NtClose  (348, ... ) == 0x0
 03182   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03183   532   NtQueryValueKey  (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03184   532   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03185   532   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03186   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 348, ) }, ... 348, ) == 0x0
 03187   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03188   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03189   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03190   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03191   532   NtClose  (360, ... ) == 0x0
 03192   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03193   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03194   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03195   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03196   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03197   532   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03198   532   NtClose  (360, ... ) == 0x0
 03199   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03200   532   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0, ""}, ... 360, ) == 0x0
 03201   532   NtClose  (350, ... ) == 0x0
 03202   532   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03203   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03204   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03205   532   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03206   532   NtClose  (348, ... ) == 0x0
 03207   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03208   532   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "shell\open"}, ... 348, ) }, ... 348, ) == 0x0
 03209   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03210   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03211   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03212   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03213   532   NtClose  (368, ... ) == 0x0
 03214   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03215   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03216   532   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03217   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03218   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03219   532   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03220   532   NtClose  (372, ... ) == 0x0
 03221   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03222   532   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03223   532   NtClose  (370, ... ) == 0x0
 03224   532   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03225   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03226   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03227   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03228   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03229   532   NtClose  (368, ... ) == 0x0
 03230   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03231   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03232   532   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03233   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03234   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03235   532   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03236   532   NtClose  (372, ... ) == 0x0
 03237   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03238   532   NtQueryValueKey  (370,  (370, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03239   532   NtClose  (370, ... ) == 0x0
 03240   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\cmskcplu.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03241   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03242   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03243   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03244   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03245   532   NtClose  (368, ... ) == 0x0
 03246   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03247   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03248   532   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03249   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03250   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03251   532   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03252   532   NtClose  (372, ... ) == 0x0
 03253   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03254   532   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03255   532   NtClose  (370, ... ) == 0x0
 03256   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03257   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03258   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03259   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03260   532   NtClose  (368, ... ) == 0x0
 03261   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03262   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03263   532   NtUserGetForegroundWindow  (... ) == 0x20064
 03264   532   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03265   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03266   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03267   532   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03268   532   NtClose  (368, ... ) == 0x0
 03269   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03270   532   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03271   532   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03272   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03273   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03274   532   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03275   532   NtClose  (372, ... ) == 0x0
 03276   532   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03277   532   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03278   532   NtClose  (370, ... ) == 0x0
 03279   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03280   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03281   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03282   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03283   532   NtQueryValueKey  (368,  (368, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03284   532   NtClose  (368, ... ) == 0x0
 03285   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03286   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03287   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03288   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03289   532   NtQueryValueKey  (368,  (368, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03290   532   NtClose  (368, ... ) == 0x0
 03291   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\cmskcplu.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03292   532   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03293   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\cmskcplu.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03294   532   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03295   532   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03296   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03297   532   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03298   532   NtQueryValueKey  (368,  (368, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299   532   NtClose  (368, ... ) == 0x0
 03300   532   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\cmskcplu.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   532   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03302   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1228796, ... ) }, 1228796, ... ) == 0x0
 03303   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03304   532   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03305   532   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03306   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 372, ) }, ... 372, ) == 0x0
 03307   532   NtQueryValueKey  (372,  (372, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03308   532   NtClose  (372, ... ) == 0x0
 03309   532   NtQueryVolumeInformationFile  (368, 1228796, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03310   532   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03311   532   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03312   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226780, ... ) }, 1226780, ... ) == 0x0
 03313   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03314   532   NtQueryInformationFile  (372, 1227384, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03315   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0
 03316   532   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x10b0000), 0x0, 1028096, ) == 0x0
 03317   532   NtQueryInformationFile  (372, 1227480, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03318   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03319   532   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03320   532   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03321   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03322   532   NtQueryDirectoryFile  (380, 0, 0, 0, 1225044, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225044, 616, BothDirectory, 1, "cmskcplu.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 03323   532   NtClose  (380, ... ) == 0x0
 03324   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03325   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03326   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1224432, ... ) }, 1224432, ... ) == 0x0
 03327   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03328   532   NtQueryDirectoryFile  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03329   532   NtClose  (380, ... ) == 0x0
 03330   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03331   532   NtQueryDirectoryFile  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223792, 616, BothDirectory, 1, "cmskcplu.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03332   532   NtClose  (380, ... ) == 0x0
 03333   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03334   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03335   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03336   532   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 380, {status=0x0, info=1}, ) }, 3, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 03337   532   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 384, ) }, ... 384, ) == 0x0
 03338   532   NtQuerySymbolicLinkObject  (384, ...  (384, ... "\Device\WinDfs\U:0000000000009176", 66, ) , 66, ) == 0x0
 03339   532   NtClose  (384, ... ) == 0x0
 03340   532   NtQueryVolumeInformationFile  (380, 1225184, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03341   532   NtClose  (380, ... ) == 0x0
 03342   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03343   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 380, ) == 0x0
 03344   532   NtQueryInformationToken  (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03345   532   NtClose  (380, ... ) == 0x0
 03346   532   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03347   532   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmskcplu.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03348   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03349   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03350   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmskcplu.bat"}, 1226712, ... ) }, 1226712, ... ) == 0x0
 03351   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03352   532   NtQueryDirectoryFile  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03353   532   NtClose  (380, ... ) == 0x0
 03354   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03355   532   NtQueryDirectoryFile  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (380, 0, 0, 0, 1226072, 616, BothDirectory, 1, "cmskcplu.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03356   532   NtClose  (380, ... ) == 0x0
 03357   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03358   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03359   532   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03360   532   NtQueryVolumeInformationFile  (368, 1227356, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03361   532   NtQueryInformationFile  (368, 1227336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03362   532   NtQueryInformationFile  (368, 1227376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03363   532   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03364   532   NtUnmapViewOfSection  (-1, 0x10b0000, ... ) == 0x0
 03365   532   NtClose  (376, ... ) == 0x0
 03366   532   NtClose  (372, ... ) == 0x0
 03367   532   NtClose  (368, ... ) == 0x0
 03368   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03369   532   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03370   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 03371   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03372   532   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03373   532   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... 372, ) == 0x0
 03374   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03375   532   NtQuerySection  (372, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03376   532   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03377   532   NtCreateProcessEx  (1231424, 2035711, 0, -1, 0, 372, 0, 0, 0, ... ) == 0x0
 03378   532   NtSetInformationProcess  (376, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03379   532   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=948,ParentPid=508,}, 0x0, ) == 0x0
 03380   532   NtReadVirtualMemory  (376, 0x7ffdf008, 4, ...  (376, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03381   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03382   532   NtReadVirtualMemory  (376, 0x4ad00000, 4096, ...  (376, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03383   532   NtReadVirtualMemory  (376, 0x4ad3b000, 256, ...  (376, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03384   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03385   532   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=948,ParentPid=508,}, 0x0, ) == 0x0
 03386   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03387   532   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 17498112, 4096, ) == 0x0
 03388   532   NtAllocateVirtualMemory  (376, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03389   532   NtWriteVirtualMemory  (376, 0x10000,  (376, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03390   532   NtAllocateVirtualMemory  (376, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03391   532   NtWriteVirtualMemory  (376, 0x20000,  (376, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0@\0B\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\24\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03392   532   NtWriteVirtualMemory  (376, 0x7ffdf010,  (376, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03393   532   NtWriteVirtualMemory  (376, 0x7ffdf1e8,  (376, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03394   532   NtFreeVirtualMemory  (-1, (0x10b0000), 0, 32768, ... (0x10b0000), 4096, ) == 0x0
 03395   532   NtAllocateVirtualMemory  (376, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03396   532   NtAllocateVirtualMemory  (376, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03397   532   NtCreateThread  (0x1f03ff, 0x0, 376, 1229688, 1230408, 1, ... 380, {948, 952}, ) == 0x0
 03398   532   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0\264\3\0\0\270\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 508, 532, 1588, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0\264\3\0\0\270\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 508, 532, 1588, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0\264\3\0\0\270\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 508, 532, 1588, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0\264\3\0\0\270\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03399   532   NtResumeThread  (380, ... 1, ) == 0x0
 03400   532   NtClose  (368, ... ) == 0x0
 03401   532   NtClose  (372, ... ) == 0x0
 03402   532   NtClose  (350, ... ) == 0x0
 03403   532   NtClose  (366, ... ) == 0x0
 03404   532   NtClose  (362, ... ) == 0x0
 03405   532   NtClose  (376, ... ) == 0x0
 03406   532   NtClose  (380, ... ) == 0x0
 03407   532   NtGdiDeleteObjectApp  (17302617, ... ) == 0x1
 03408   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03409   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03410   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03411   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03412   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03413   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03414   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03415   532   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03416   532   NtUnmapViewOfSection  (-1, 0xae0000, ... ) == 0x0
 03417   532   NtClose  (280, ... ) == 0x0
 03418   532   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03419   532   NtUserDestroyWindow  (196704, ...
 03420   532   NtUserRemoveProp  (196704, 43288, ... ) == 0xffffffff
 03421   532   NtUserRemoveProp  (196704, 43282, ... ) == 0x0
 03422   532   NtUserRemoveProp  (196704, 43287, ... ) == 0x0
 03419   532   NtUserDestroyWindow  ... ) == 0x1
 03423   532   NtUserUnregisterClass  (1234868, 1998258176, 1234856, ... ) == 0x1
 03424   532   NtFreeVirtualMemory  (-1, (0x152000), 12288, 16384, ... (0x152000), 12288, ) == 0x0
 03425   532   NtClose  (184, ... ) == 0x0
 03426   532   NtClose  (176, ... ) == 0x0
 03427   532   NtClose  (180, ... ) == 0x0
 03428   532   NtClose  (156, ... ) == 0x0
 03429   532   NtClose  (172, ... ) == 0x0
 03430   532   NtClose  (204, ... ) == 0x0
 03431   532   NtClose  (208, ... ) == 0x0
 03432   532   NtClose  (200, ... ) == 0x0
 03433   532   NtClose  (192, ... ) == 0x0
 03434   532   NtClose  (196, ... ) == 0x0
 03435   532   NtClose  (220, ... ) == 0x0
 03436   532   NtClose  (224, ... ) == 0x0
 03437   532   NtClose  (212, ... ) == 0x0
 03438   532   NtClose  (216, ... ) == 0x0
 03439   532   NtClose  (244, ... ) == 0x0
 03440   532   NtClose  (236, ... ) == 0x0
 03441   532   NtClose  (240, ... ) == 0x0
 03442   532   NtClose  (228, ... ) == 0x0
 03443   532   NtClose  (232, ... ) == 0x0
 03444   532   NtClose  (248, ... ) == 0x0
 03445   532   NtClose  (252, ... ) == 0x0
 03446   532   NtClose  (264, ... ) == 0x0
 03447   532   NtClose  (268, ... ) == 0x0
 03448   532   NtClose  (256, ... ) == 0x0
 03449   532   NtClose  (260, ... ) == 0x0
 03450   532   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03451   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1235744, ... ) }, 1235744, ... ) == 0x0
 03452   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1236436, ... ) }, 1236436, ... ) == 0x0
 03453   532   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 03454   532   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 260, ... 256, ) == 0x0
 03455   532   NtQueryVolumeInformationFile  (260, 1235744, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03456   532   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03457   532   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03458   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 03459   532   NtQueryInformationFile  (268, 1234332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03460   532   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 268, ... 264, ) == 0x0
 03461   532   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x10b0000), 0x0, 1028096, ) == 0x0
 03462   532   NtQueryInformationFile  (268, 1234428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03463   532   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03464   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03465   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1231992, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231992, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03466   532   NtClose  (252, ... ) == 0x0
 03467   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03468   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03469   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1231380, ... ) }, 1231380, ... ) == 0x0
 03470   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03471   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03472   532   NtClose  (252, ... ) == 0x0
 03473   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03474   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03475   532   NtClose  (252, ... ) == 0x0
 03476   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03477   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230740, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03478   532   NtClose  (252, ... ) == 0x0
 03479   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03480   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03481   532   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03482   532   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03483   532   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 252, ) == 0x0
 03484   532   NtQueryInformationToken  (252, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03485   532   NtClose  (252, ... ) == 0x0
 03486   532   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487   532   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03489   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03490   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1233660, ... ) }, 1233660, ... ) == 0x0
 03491   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03492   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03493   532   NtClose  (252, ... ) == 0x0
 03494   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03495   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03496   532   NtClose  (252, ... ) == 0x0
 03497   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03498   532   NtQueryDirectoryFile  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (252, 0, 0, 0, 1233020, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03499   532   NtClose  (252, ... ) == 0x0
 03500   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03501   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03502   532   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03503   532   NtQueryVolumeInformationFile  (260, 1234304, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03504   532   NtQueryInformationFile  (260, 1234284, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03505   532   NtQueryInformationFile  (260, 1234324, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03506   532   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03507   532   NtUnmapViewOfSection  (-1, 0x10b0000, ... ) == 0x0
 03508   532   NtClose  (264, ... ) == 0x0
 03509   532   NtClose  (268, ... ) == 0x0
 03510   532   NtQuerySection  (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03511   532   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03512   532   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03513   532   NtOpenProcessToken  (-1, 0xa, ... 268, ) == 0x0
 03514   532   NtQueryInformationToken  (268, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03515   532   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03516   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03517   532   NtQueryValueKey  (264,  (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03518   532   NtQueryValueKey  (264,  (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03519   532   NtClose  (264, ... ) == 0x0
 03520   532   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03521   532   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03522   532   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03523   532   NtClose  (264, ... ) == 0x0
 03524   532   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 264, ) }, ... 264, ) == 0x0
 03525   532   NtQuerySymbolicLinkObject  (264, ...  (264, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03526   532   NtClose  (264, ... ) == 0x0
 03527   532   NtQueryInformationFile  (260, 1234096, 528, Name, ... {status=0x0, info=56}, ) == 0x0
 03528   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03529   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03530   532   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1232776, ... ) }, 1232776, ... ) == 0x0
 03531   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03532   532   NtQueryDirectoryFile  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03533   532   NtClose  (264, ... ) == 0x0
 03534   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03535   532   NtQueryDirectoryFile  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03536   532   NtClose  (264, ... ) == 0x0
 03537   532   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03538   532   NtQueryDirectoryFile  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (264, 0, 0, 0, 1232136, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03539   532   NtClose  (264, ... ) == 0x0
 03540   532   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03541   532   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03542   532   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03543   532   NtQueryValueKey  (264,  (264, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03544   532   NtClose  (264, ... ) == 0x0
 03545   532   NtQueryInformationToken  (268, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03546   532   NtQueryInformationToken  (268, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03547   532   NtClose  (268, ... ) == 0x0
 03548   532   NtCreateProcessEx  (1238372, 2035711, 0, -1, 4, 256, 0, 0, 0, ... ) == 0x0
 03549   532   NtSetInformationProcess  (268, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03550   532   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=956,ParentPid=508,}, 0x0, ) == 0x0
 03551   532   NtReadVirtualMemory  (268, 0x7ffdf008, 4, ...  (268, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03552   532   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553   532   NtReadVirtualMemory  (268, 0x400000, 4096, ...  (268, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\3\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\0\0\00\30\0\0\0\0\0\09\372\2\0\0\360\2\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\324\7\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\6\3\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.data\0\0\0\0 \2\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.pdata\0\0#\274\0\0\00\2\0#\274\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.ex_cod\0\324\27\0\0\0\360\2\0\324\27\0\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03554   532   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03555   532   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=956,ParentPid=508,}, 0x0, ) == 0x0
 03556   532   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 11403264, 4096, ) == 0x0
 03557   532   NtAllocateVirtualMemory  (268, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03558   532   NtWriteVirtualMemory  (268, 0x10000,  (268, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03559   532   NtAllocateVirtualMemory  (268, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03560   532   NtWriteVirtualMemory  (268, 0x20000,  (268, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0o\0\0\0\374\0\376\0\230\4\0\08\0:\0\230\5\0\08\0:\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0:\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03561   532   NtWriteVirtualMemory  (268, 0x7ffdf010,  (268, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03562   532   NtWriteVirtualMemory  (268, 0x7ffdf1e8,  (268, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03563   532   NtFreeVirtualMemory  (-1, (0xae0000), 0, 32768, ... (0xae0000), 4096, ) == 0x0
 03564   532   NtAllocateVirtualMemory  (268, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03565   532   NtAllocateVirtualMemory  (268, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03566   532   NtProtectVirtualMemory  (268, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03567   532   NtCreateThread  (0x1f03ff, 0x0, 268, 1236636, 1237356, 1, ... 264, {956, 980}, ) == 0x0
 03568   532   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442872, 1238456}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442872, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0\274\3\0\0\324\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 508, 532, 1615, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0\274\3\0\0\324\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 508, 532, 1615, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442872, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0\274\3\0\0\324\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 508, 532, 1615, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0\274\3\0\0\324\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03569   532   NtResumeThread  (264, ... 1, ) == 0x0
 03570   532   NtClose  (260, ... ) == 0x0
 03571   532   NtClose  (256, ... ) == 0x0
 03572   532   NtTerminateProcess  (0, 0, ...
 02085   944   NtWaitForMultipleObjects  ... ) == 0xc0
 03572   532   NtTerminateProcess  ... ) == 0x0
 03573   532   NtRaiseException  (1238120, 1237380, 1, ...
 03574   532   NtContinue  (1236176, 0, ...
 03575   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03576   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03577   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03578   532   NtRaiseException  (1228096, 1227356, 1, ...
 03579   532   NtContinue  (1226152, 0, ...
 03580   532   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03581   532   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03582   532   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03583   532   NtUnmapViewOfSection  (-1, 0x10a0000, ... ) == 0x0
 03584   532   NtClose  (344, ... ) == 0x0
 03585   532   NtClose  (340, ... ) == 0x0
 03586   532   NtClose  (328, ... ) == 0x0
 03587   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03588   532   NtFreeVirtualMemory  (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0
 03589   532   NtClose  (320, ... ) == 0x0
 03590   532   NtClose  (324, ... ) == 0x0
 03591   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 03592   532   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 03593   532   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03594   532   NtClose  (324, ... ) == 0x0
 03595   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03596   532   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 03597   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03598   532   NtFreeVirtualMemory  (-1, (0x990000), 0, 32768, ... (0x990000), 262144, ) == 0x0
 03599   532   NtUnmapViewOfSection  (-1, 0x970000, ... ) == 0x0
 03600   532   NtClose  (272, ... ) == 0x0
 03601   532   NtFreeVirtualMemory  (-1, (0x980000), 4096, 16384, ... (0x980000), 4096, ) == 0x0
 03602   532   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 65536, ) == 0x0
 03603   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03604   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03605   532   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 03606   532   NtClose  (104, ... ) == 0x0
 03607   532   NtGdiDeleteObjectApp  (17826903, ... ) == 0x1
 03608   532   NtUserGetProcessWindowStation  (... ) == 0x28
 03609   532   NtUserBuildNameList  (40, 256, 1331720, 1238760, ... ) == 0x0
 03610   532   NtUserGetProcessWindowStation  (... ) == 0x28
 03611   532   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x68
 03612   532   NtUserBuildHwndList  (104, 0, 0, 0, 64, ... (0x3004c, 0x100d8, 0x100ac, 0x100aa, 0x100a8, 0x60036, 0x100a4, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100e2, 0x100d4, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x20064, 0x100cc, 0x100c2, 0x100c0, 0x100b0, 0x100ae, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 41, ) == 0x0
 03613   532   NtUserQueryWindow  (196684, 0, ... ) == 0x758
 03614   532   NtUserQueryWindow  (196684, 1, ... ) == 0x768
 03615   532   NtUserQueryWindow  (65752, 0, ... ) == 0x758
 03616   532   NtUserQueryWindow  (65752, 1, ... ) == 0x768
 03617   532   NtUserQueryWindow  (65708, 0, ... ) == 0x7d4
 03618   532   NtUserQueryWindow  (65708, 1, ... ) == 0x7d8
 03619   532   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 03620   532   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 03621   532   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 03622   532   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 03623   532   NtUserQueryWindow  (393270, 0, ... ) == 0x7d4
 03624   532   NtUserQueryWindow  (393270, 1, ... ) == 0x7d8
 03625   532   NtUserQueryWindow  (65700, 0, ... ) == 0x758
 03626   532   NtUserQueryWindow  (65700, 1, ... ) == 0x768
 03627   532   NtUserQueryWindow  (65662, 0, ... ) == 0x758
 03628   532   NtUserQueryWindow  (65662, 1, ... ) == 0x768
 03629   532   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 03630   532   NtUserQueryWindow  (65664, 0, ... ) == 0x758
 03631   532   NtUserQueryWindow  (65664, 1, ... ) == 0x768
 03632   532   NtUserQueryWindow  (65670, 0, ... ) == 0x758
 03633   532   NtUserQueryWindow  (65670, 1, ... ) == 0x768
 03634   532   NtUserQueryWindow  (65672, 0, ... ) == 0x758
 03635   532   NtUserQueryWindow  (65672, 1, ... ) == 0x768
 03636   532   NtUserQueryWindow  (65674, 0, ... ) == 0x758
 03637   532   NtUserQueryWindow  (65674, 1, ... ) == 0x768
 03638   532   NtUserQueryWindow  (65678, 0, ... ) == 0x758
 03639   532   NtUserQueryWindow  (65678, 1, ... ) == 0x768
 03640   532   NtUserQueryWindow  (65680, 0, ... ) == 0x758
 03641   532   NtUserQueryWindow  (65680, 1, ... ) == 0x768
 03642   532   NtUserQueryWindow  (65682, 0, ... ) == 0x758
 03643   532   NtUserQueryWindow  (65682, 1, ... ) == 0x768
 03644   532   NtUserQueryWindow  (65684, 0, ... ) == 0x758
 03645   532   NtUserQueryWindow  (65684, 1, ... ) == 0x768
 03646   532   NtUserQueryWindow  (65686, 0, ... ) == 0x758
 03647   532   NtUserQueryWindow  (65686, 1, ... ) == 0x768
 03648   532   NtUserQueryWindow  (65690, 0, ... ) == 0x758
 03649   532   NtUserQueryWindow  (65690, 1, ... ) == 0x768
 03650   532   NtUserQueryWindow  (65692, 0, ... ) == 0x758
 03651   532   NtUserQueryWindow  (65692, 1, ... ) == 0x768
 03652   532   NtUserQueryWindow  (65694, 0, ... ) == 0x758
 03653   532   NtUserQueryWindow  (65694, 1, ... ) == 0x768
 03654   532   NtUserQueryWindow  (65652, 0, ... ) == 0x758
 03655   532   NtUserQueryWindow  (65652, 1, ... ) == 0x768
 03656   532   NtUserQueryWindow  (65640, 0, ... ) == 0x758
 03657   532   NtUserQueryWindow  (65640, 1, ... ) == 0x768
 03658   532   NtUserQueryWindow  (196682, 0, ... ) == 0x758
 03659   532   NtUserQueryWindow  (196682, 1, ... ) == 0x768
 03660   532   NtUserQueryWindow  (65638, 0, ... ) == 0x758
 03661   532   NtUserQueryWindow  (65638, 1, ... ) == 0x768
 03662   532   NtUserQueryWindow  (196668, 0, ... ) == 0x758
 03663   532   NtUserQueryWindow  (196668, 1, ... ) == 0x768
 03664   532   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 03665   532   NtUserQueryWindow  (196670, 0, ... ) == 0x758
 03666   532   NtUserQueryWindow  (196670, 1, ... ) == 0x768
 03667   532   NtUserQueryWindow  (196674, 0, ... ) == 0x758
 03668   532   NtUserQueryWindow  (196674, 1, ... ) == 0x768
 03669   532   NtUserQueryWindow  (196672, 0, ... ) == 0x758
 03670   532   NtUserQueryWindow  (196672, 1, ... ) == 0x768
 03671   532   NtUserQueryWindow  (196676, 0, ... ) == 0x758
 03672   532   NtUserQueryWindow  (196676, 1, ... ) == 0x768
 03673   532   NtUserQueryWindow  (196678, 0, ... ) == 0x758
 03674   532   NtUserQueryWindow  (196678, 1, ... ) == 0x768
 03675   532   NtUserQueryWindow  (196680, 0, ... ) == 0x758
 03676   532   NtUserQueryWindow  (196680, 1, ... ) == 0x768
 03677   532   NtUserQueryWindow  (65642, 0, ... ) == 0x758
 03678   532   NtUserQueryWindow  (65642, 1, ... ) == 0x768
 03679   532   NtUserQueryWindow  (65646, 0, ... ) == 0x758
 03680   532   NtUserQueryWindow  (65646, 1, ... ) == 0x768
 03681   532   NtUserQueryWindow  (65650, 0, ... ) == 0x758
 03682   532   NtUserQueryWindow  (65650, 1, ... ) == 0x768
 03683   532   NtUserQueryWindow  (65688, 0, ... ) == 0x758
 03684   532   NtUserQueryWindow  (65688, 1, ... ) == 0x768
 03685   532   NtUserQueryWindow  (65676, 0, ... ) == 0x758
 03686   532   NtUserQueryWindow  (65676, 1, ... ) == 0x768
 03687   532   NtUserQueryWindow  (65660, 0, ... ) == 0x758
 03688   532   NtUserQueryWindow  (65660, 1, ... ) == 0x75c
 03689   532   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03690   532   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 03691   532   NtUserQueryWindow  (65762, 0, ... ) == 0x3b4
 03692   532   NtUserQueryWindow  (65762, 1, ... ) == 0x3b8
 03693   532   NtUserQueryWindow  (65748, 0, ... ) == 0x17c
 03694   532   NtUserQueryWindow  (65748, 1, ... ) == 0x180
 03695   532   NtUserQueryWindow  (65744, 0, ... ) == 0x17c
 03696   532   NtUserQueryWindow  (65744, 1, ... ) == 0x180
 03697   532   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 03698   532   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 03699   532   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 03700   532   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 03701   532   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 03702   532   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 03703   532   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 03704   532   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 03705   532   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 03706   532   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 03707   532   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 03708   532   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 03709   532   NtUserQueryWindow  (65714, 0, ... ) == 0x7dc
 03710   532   NtUserQueryWindow  (65714, 1, ... ) == 0x7e0
 03711   532   NtUserQueryWindow  (131172, 0, ... ) == 0x7e8
 03712   532   NtUserQueryWindow  (131172, 1, ... ) == 0x7ec
 03713   532   NtUserQueryWindow  (65740, 0, ... ) == 0x758
 03714   532   NtUserQueryWindow  (65740, 1, ... ) == 0x18c
 03715   532   NtUserQueryWindow  (65730, 0, ... ) == 0x758
 03716   532   NtUserQueryWindow  (65730, 1, ... ) == 0x18c
 03717   532   NtUserBuildHwndList  (0, 65730, 1, 0, 64, ... (0x100c4, 0x100c6, 0x100c8, 0x100ca, 0x1, ), 5, ) == 0x0
 03718   532   NtUserQueryWindow  (65732, 0, ... ) == 0x758
 03719   532   NtUserQueryWindow  (65732, 1, ... ) == 0x18c
 03720   532   NtUserQueryWindow  (65734, 0, ... ) == 0x758
 03721   532   NtUserQueryWindow  (65734, 1, ... ) == 0x18c
 03722   532   NtUserQueryWindow  (65736, 0, ... ) == 0x758
 03723   532   NtUserQueryWindow  (65736, 1, ... ) == 0x18c
 03724   532   NtUserQueryWindow  (65738, 0, ... ) == 0x758
 03725   532   NtUserQueryWindow  (65738, 1, ... ) == 0x18c
 03726   532   NtUserQueryWindow  (65728, 0, ... ) == 0x758
 03727   532   NtUserQueryWindow  (65728, 1, ... ) == 0x768
 03728   532   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 03729   532   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 03730   532   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 03731   532   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 03732   532   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 03733   532   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 03734   532   NtUserQueryWindow  (65644, 0, ... ) == 0x758
 03735   532   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 03736   532   NtUserQueryWindow  (327760, 0, ... ) == 0x758
 03737   532   NtUserQueryWindow  (327760, 1, ... ) == 0x75c
 03738   532   NtUserQueryWindow  (262228, 0, ... ) == 0x758
 03739   532   NtUserQueryWindow  (262228, 1, ... ) == 0x75c
 03740   532   NtUserQueryWindow  (327758, 0, ... ) == 0x758
 03741   532   NtUserQueryWindow  (327758, 1, ... ) == 0x75c
 03742   532   NtUserQueryWindow  (65666, 0, ... ) == 0x758
 03743   532   NtUserQueryWindow  (65666, 1, ... ) == 0x75c
 03744   532   NtUserQueryWindow  (65654, 0, ... ) == 0x758
 03745   532   NtUserQueryWindow  (65654, 1, ... ) == 0x75c
 03746   532   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 03747   532   NtUserQueryWindow  (65656, 0, ... ) == 0x758
 03748   532   NtUserQueryWindow  (65656, 1, ... ) == 0x75c
 03749   532   NtUserQueryWindow  (65658, 0, ... ) == 0x758
 03750   532   NtUserQueryWindow  (65658, 1, ... ) == 0x75c
 03751   532   NtUserCloseDesktop  (104, ...
 03752   532   NtClose  (104, ... ) == 0x0
 03751   532   NtUserCloseDesktop  ... ) == 0x1
 03753   532   NtUserGetProcessWindowStation  (... ) == 0x28
 03754   532   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03755   532   NtUserGetProcessWindowStation  (... ) == 0x28
 03756   532   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03757   532   NtGdiDeleteObjectApp  (118096980, ... ) == 0x1
 03758   532   NtGdiDeleteObjectApp  (101319765, ... ) == 0x1
 03759   532   NtClose  (12, ... ) == 0x0
 03760   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03761   532   NtFreeVirtualMemory  (-1, (0x14c000), 16384, 16384, ... (0x14c000), 16384, ) == 0x0
 03762   532   NtClose  (96, ... ) == 0x0
 03763   532   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 03764   532   NtClose  (100, ... ) == 0x0
 03765   532   NtClose  (92, ... ) == 0x0
 03766   532   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 262144, ) == 0x0
 03767   532   NtUserUnregisterClass  (1238720, 1991376896, 1238708, ... ) == 0x0
 03768   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03769   532   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 03770   532   NtClose  (312, ... ) == 0x0
 03771   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 03772   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03773   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 03774   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03775   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 03776   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03777   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 03778   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03779   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 03780   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03781   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 03782   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03783   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 03784   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03785   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 03786   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03787   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 03788   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03789   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 03790   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03791   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 03792   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03793   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 03794   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03795   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 03796   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03797   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 03798   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03799   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 03800   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03801   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 03802   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03803   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 03804   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03805   532   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 03806   532   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 03807   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 03808   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03809   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 03810   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03811   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 03812   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03813   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 03814   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03815   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 03816   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03817   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 03818   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03819   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 03820   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03821   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 03822   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03823   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 03824   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03825   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 03826   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03827   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 03828   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03829   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 03830   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03831   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 03832   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03833   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 03834   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03835   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 03836   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03837   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 03838   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03839   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 03840   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03841   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 03842   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03843   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc017
 03844   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03845   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc019
 03846   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03847   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc018
 03848   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03849   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01a
 03850   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03851   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01c
 03852   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03853   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01e
 03854   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03855   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01b
 03856   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03857   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc068
 03858   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03859   532   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc06a
 03860   532   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 03861   532   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 03862   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 03863   532   NtClose  (336, ... ) == 0x0
 03864   532   NtClose  (152, ... ) == 0x0
 03865   532   NtClose  (352, ... ) == 0x0
 03866   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03867   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03868   532   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03869   532   NtClose  (148, ... ) == 0x0
 03870   532   NtClose  (356, ... ) == 0x0
 03871   532   NtClose  (112, ... ) == 0x0
 03872   532   NtFreeVirtualMemory  (-1, (0x156000), 20480, 16384, ... (0x156000), 20480, ) == 0x0
 03873   532   NtFreeVirtualMemory  (-1, (0xff0000), 4096, 32768, ... (0xff0000), 4096, ) == 0x0
 03874   532   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944}  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 508, 532, 1630, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 508, 532, 1630, 0}  (24, {20, 48, new_msg, 0, 0, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 508, 532, 1630, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 03875   532   NtTerminateProcess  (-1, 0, ...
 03876   532   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtContinue(>)	29
NtAllocateLocallyUniqueId(>)	1	NtGdiHfontCreate(>)	2	NtQuerySymbolicLinkObject(>)	6	NtQueryInformationFile(>)	30
NtCallbackReturn(>)	1	NtOpenDirectoryObject(>)	2	NtCreateSemaphore(>)	7	NtEnumerateKey(>)	31
NtClearEvent(>)	1	NtQueryInformationJobObject(>)	2	NtUserCallNoParam(>)	7	NtCreateEvent(>)	32
NtConnectPort(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryVirtualMemory(>)	8	NtOpenThreadToken(>)	33
NtDelayExecution(>)	1	NtRegisterThreadTerminatePort(>)	2	NtWriteVirtualMemory(>)	8	NtReleaseMutant(>)	38
NtDuplicateToken(>)	1	NtSetEvent(>)	2	NtWriteFile(>)	9	NtUnmapViewOfSection(>)	38
NtGdiCreateBitmap(>)	1	NtTestAlert(>)	2	NtQueryDefaultUILanguage(>)	10	NtQueryInformationProcess(>)	39
NtGdiCreateHalftonePalette(>)	1	NtUserCloseDesktop(>)	2	NtUserGetWindowDC(>)	10	NtQueryDefaultLocale(>)	42
NtGdiCreatePaletteInternal(>)	1	NtUserCreateWindowEx(>)	2	NtSetValueKey(>)	11	NtUserUnregisterClass(>)	47
NtGdiCreatePatternBrushInternal(>)	1	NtUserDestroyWindow(>)	2	NtUserCallOneParam(>)	11	NtUserFindExistingCursorIcon(>)	49
NtGdiDoPalette(>)	1	NtUserGetObjectInformation(>)	2	NtUserSystemParametersInfo(>)	11	NtProtectVirtualMemory(>)	50
NtGdiInit(>)	1	NtUserMessageCall(>)	2	NtOpenProcessToken(>)	14	NtCreateSection(>)	56
NtGdiQueryFontAssocInfo(>)	1	NtCreateThread(>)	3	NtQueryVolumeInformationFile(>)	14	NtUserRegisterClassExWOW(>)	65
NtGdiSelectBitmap(>)	1	NtDuplicateObject(>)	3	NtRequestWaitReplyPort(>)	14	NtWaitForSingleObject(>)	66
NtOpenKeyedEvent(>)	1	NtOpenMutant(>)	3	NtNotifyChangeKey(>)	15	NtOpenSection(>)	74
NtQueryFullAttributesFile(>)	1	NtOpenProcess(>)	3	NtCreateKey(>)	17	NtReadFile(>)	77
NtQueryInformationThread(>)	1	NtResumeThread(>)	3	NtDeviceIoControlFile(>)	17	NtMapViewOfSection(>)	80
NtQueryObject(>)	1	NtTerminateProcess(>)	3	NtFsControlFile(>)	17	NtAllocateVirtualMemory(>)	84
NtQueryPerformanceCounter(>)	1	NtUserOpenDesktop(>)	3	NtFlushInstructionCache(>)	19	NtOpenFile(>)	88
NtQuerySystemTime(>)	1	NtUserRemoveProp(>)	3	NtFreeVirtualMemory(>)	19	NtQuerySystemInformation(>)	89
NtSecureConnectPort(>)	1	NtWaitForMultipleObjects(>)	3	NtUserRegisterWindowMessage(>)	19	NtUserGetClassInfo(>)	91
NtUserBuildNameList(>)	1	NtCreateMutant(>)	4	NtQueryDirectoryFile(>)	20	NtOpenProcessTokenEx(>)	110
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtSetInformationProcess(>)	21	NtOpenThreadTokenEx(>)	110
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtEnumerateValueKey(>)	23	NtQueryInformationToken(>)	126
NtUserGetForegroundWindow(>)	1	NtQuerySecurityObject(>)	4	NtQueryDebugFilterState(>)	24	NtQueryKey(>)	129
NtUserGetGUIThreadInfo(>)	1	NtGdiGetStockObject(>)	5	NtRaiseException(>)	25	NtUserQueryWindow(>)	134
NtUserGetThreadDesktop(>)	1	NtReadVirtualMemory(>)	5	NtSetInformationFile(>)	25	NtQueryAttributesFile(>)	147
NtUserSetProp(>)	1	NtSetInformationObject(>)	5	NtCreateFile(>)	27	NtQueryValueKey(>)	223
NtAccessCheck(>)	2	NtUserBuildHwndList(>)	5	NtSetInformationThread(>)	27	NtOpenKey(>)	475
NtCreateIoCompletion(>)	2	NtUserGetProcessWindowStation(>)	5	NtQuerySection(>)	28	NtClose(>)	570
NtCreateProcessEx(>)	2	NtGdiDeleteObjectApp(>)	6	NtReleaseSemaphore(>)	28