Summary:





NtAddAtom(>)  1 
NtLockFile(>)  2 
NtOpenSymbolicLinkObject(>)  7 
NtSetInformationProcess(>)  33 


NtAllocateLocallyUniqueId(>)  1 
NtOpenDirectoryObject(>)  2 
NtQuerySymbolicLinkObject(>)  7 
NtOpenThreadToken(>)  34 


NtCallbackReturn(>)  1 
NtQueryInstallUILanguage(>)  2 
NtReadVirtualMemory(>)  7 
NtSetInformationFile(>)  35 


NtClearEvent(>)  1 
NtSetEvent(>)  2 
NtResumeThread(>)  7 
NtCreateEvent(>)  36 


NtConnectPort(>)  1 
NtUnlockFile(>)  2 
NtTestAlert(>)  7 
NtCreateFile(>)  39 


NtDuplicateToken(>)  1 
NtUserCloseDesktop(>)  2 
NtUserCallNoParam(>)  7 
NtReleaseMutant(>)  39 


NtGdiCreateBitmap(>)  1 
NtUserCreateWindowEx(>)  2 
NtDelayExecution(>)  8 
NtQueryInformationFile(>)  41 


NtGdiCreateHalftonePalette(>)  1 
NtUserDestroyWindow(>)  2 
NtQueryVirtualMemory(>)  8 
NtQueryDefaultLocale(>)  42 


NtGdiCreatePaletteInternal(>)  1 
NtUserGetObjectInformation(>)  2 
NtRegisterThreadTerminatePort(>)  8 
NtUnmapViewOfSection(>)  44 


NtGdiCreatePatternBrushInternal(>)  1 
NtUserMessageCall(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtUserUnregisterClass(>)  47 


NtGdiDoPalette(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  49 


NtGdiInit(>)  1 
NtYieldExecution(>)  2 
NtUserCallOneParam(>)  11 
NtQueryInformationProcess(>)  55 


NtGdiQueryFontAssocInfo(>)  1 
NtCreateProcessEx(>)  3 
NtUserSystemParametersInfo(>)  11 
NtCreateSection(>)  63 


NtGdiSelectBitmap(>)  1 
NtOpenMutant(>)  3 
NtSetValueKey(>)  12 
NtUserRegisterClassExWOW(>)  65 


NtOpenKeyedEvent(>)  1 
NtOpenProcess(>)  3 
NtWriteVirtualMemory(>)  12 
NtProtectVirtualMemory(>)  68 


NtQueryFullAttributesFile(>)  1 
NtQueryInformationJobObject(>)  3 
NtWriteFile(>)  15 
NtOpenSection(>)  75 


NtQueryObject(>)  1 
NtTerminateProcess(>)  3 
NtOpenProcessToken(>)  16 
NtWaitForSingleObject(>)  75 


NtQueryPerformanceCounter(>)  1 
NtTerminateThread(>)  3 
NtCreateKey(>)  17 
NtReadFile(>)  82 


NtQuerySystemTime(>)  1 
NtUserOpenDesktop(>)  3 
NtDeviceIoControlFile(>)  17 
NtMapViewOfSection(>)  88 


NtSecureConnectPort(>)  1 
NtUserRemoveProp(>)  3 
NtFsControlFile(>)  17 
NtQuerySystemInformation(>)  91 


NtUserBuildNameList(>)  1 
NtWaitForMultipleObjects(>)  3 
NtNotifyChangeKey(>)  17 
NtUserGetClassInfo(>)  91 


NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtFreeVirtualMemory(>)  18 
NtOpenFile(>)  102 


NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtQueryVolumeInformationFile(>)  19 
NtAllocateVirtualMemory(>)  104 


NtUserGetForegroundWindow(>)  1 
NtQueryInformationThread(>)  4 
NtRequestWaitReplyPort(>)  19 
NtOpenProcessTokenEx(>)  111 


NtUserGetGUIThreadInfo(>)  1 
NtQuerySecurityObject(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtOpenThreadTokenEx(>)  111 


NtUserGetThreadDesktop(>)  1 
NtCreateMutant(>)  5 
NtEnumerateValueKey(>)  23 
NtQueryKey(>)  129 


NtUserKillTimer(>)  1 
NtDuplicateObject(>)  5 
NtQueryDebugFilterState(>)  25 
NtQueryInformationToken(>)  130 


NtUserSetProp(>)  1 
NtGdiGetStockObject(>)  5 
NtRaiseException(>)  25 
NtUserQueryWindow(>)  138 


NtUserSetTimer(>)  1 
NtSetInformationObject(>)  5 
NtSetInformationThread(>)  27 
NtQueryAttributesFile(>)  159 


NtUserSetWindowsHookEx(>)  1 
NtUserBuildHwndList(>)  5 
NtReleaseSemaphore(>)  28 
NtQueryValueKey(>)  307 


NtUserUnhookWindowsHookEx(>)  1 
NtUserGetProcessWindowStation(>)  5 
NtFlushInstructionCache(>)  29 
NtOpenKey(>)  503 


NtAccessCheck(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtQueryDirectoryFile(>)  29 
NtClose(>)  634 


NtCreateIoCompletion(>)  2 
NtSetEventBoostPriority(>)  6 
NtEnumerateKey(>)  31 


NtGdiCreateSolidBrush(>)  2 
NtCreateSemaphore(>)  7 
NtQuerySection(>)  31 


NtGdiHfontCreate(>)  2 



Trace:

 00001   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   456   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   456   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   456   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   456   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   456   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   456   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   456   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   456   NtClose  (12, ... ) == 0x0
 00014   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   456   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   456   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   456   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   456   NtClose  (16, ... ) == 0x0
 00021   456   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   456   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   456   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   456   NtClose  (16, ... ) == 0x0
 00026   456   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   456   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   456   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   456   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 440, 456, 1494, 0} "\240=\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 440, 456, 1494, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 440, 456, 1494, 0} "\240=\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   456   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   456   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   456   NtClose  (16, ... ) == 0x0
 00036   456   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   456   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   456   NtClose  (28, ... ) == 0x0
 00041   456   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   456   NtClose  (28, ... ) == 0x0
 00045   456   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   456   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   456   NtClose  (28, ... ) == 0x0
 00049   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   456   NtClose  (28, ... ) == 0x0
 00052   456   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 440, 456, 1512, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 440, 456, 1512, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 440, 456, 1512, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 128, ) == 0x0
 00057   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 128, ... (0x422000), 69632, 4, ) == 0x0
 00058   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00059   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   456   NtClose  (28, ... ) == 0x0
 00062   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   456   NtClose  (28, ... ) == 0x0
 00065   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00066   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00067   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00068   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   456   NtClose  (28, ... ) == 0x0
 00071   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00072   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00073   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00074   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00076   456   NtClose  (28, ... ) == 0x0
 00077   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00078   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00079   456   NtClose  (28, ... ) == 0x0
 00080   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00082   456   NtClose  (28, ... ) == 0x0
 00083   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00085   456   NtClose  (28, ... ) == 0x0
 00086   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00087   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00088   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00089   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00091   456   NtClose  (28, ... ) == 0x0
 00092   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00094   456   NtClose  (28, ... ) == 0x0
 00095   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00096   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00097   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00098   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00099   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00100   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00101   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102   456   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00103   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00106   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00107   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00108   456   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00109   456   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00110   456   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00111   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00113   456   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00114   456   NtClose  (40, ... ) == 0x0
 00115   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00116   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00117   456   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00118   456   NtClose  (40, ... ) == 0x0
 00119   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00120   456   NtClose  (36, ... ) == 0x0
 00121   456   NtClose  (28, ... ) == 0x0
 00122   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00123   456   NtClose  (32, ... ) == 0x0
 00124   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00128   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00129   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00130   456   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00131   456   NtClose  (32, ... ) == 0x0
 00132   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00133   456   NtClose  (28, ... ) == 0x0
 00134   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 4, ... (0x422000), 69632, 64, ) == 0x0
 00135   456   NtProtectVirtualMemory  (-1, (0x422000), 69632, 64, ... (0x422000), 69632, 4, ) == 0x0
 00136   456   NtFlushInstructionCache  (-1, 4333568, 69632, ... ) == 0x0
 00137   456   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00138   456   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00139   456   NtClose  (28, ... ) == 0x0
 00140   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00141   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00142   456   NtClose  (28, ... ) == 0x0
 00143   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   456   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146   456   NtClose  (28, ... ) == 0x0
 00147   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00148   456   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   456   NtClose  (28, ... ) == 0x0
 00150   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00151   456   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00152   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00154   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00155   456   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00156   456   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00157   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00158   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00159   456   NtClose  (32, ... ) == 0x0
 00160   456   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00161   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00162   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 440, 456, 1558, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 440, 456, 1558, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 440, 456, 1558, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00163   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00165   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00166   456   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00167   456   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00168   456   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00169   456   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00170   456   NtClose  (-2147482020, ... ) == 0x0
 00171   456   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00172   456   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00173   456   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00174   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00175   456   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176   456   NtClose  (-2147482020, ... ) == 0x0
 00177   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   456   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   456   NtClose  (-2147482020, ... ) == 0x0
 00180   456   NtQueryDefaultLocale  (0, -136214004, ... ) == 0x0
 00181   456   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00182   456   NtUserCallNoParam  (24, ... ) == 0x0
 00183   456   NtGdiCreateCompatibleDC  (0, ...
 00184   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00183   456   NtGdiCreateCompatibleDC  ... ) == 0xe010451
 00185   456   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00186   456   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00187   456   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb050458
 00188   456   NtGdiCreateSolidBrush  (0, 0, ...
 00189   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00188   456   NtGdiCreateSolidBrush  ... ) == 0x810045b
 00190   456   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00191   456   NtGdiCreateCompatibleDC  (0, ... ) == 0x601045c
 00192   456   NtGdiSelectBitmap  (100729948, 184878168, ... ) == 0x185000f
 00193   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x2c
 00194   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00195   456   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00196   456   NtClose  (52, ... ) == 0x0
 00197   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00198   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00199   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00200   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00201   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00202   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00203   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00204   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00205   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00206   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00207   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00208   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00209   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00210   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00211   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00212   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00213   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00214   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00215   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00216   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00217   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00218   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00219   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00220   456   NtAllocateVirtualMemory  (-1, 6533120, 0, 4096, 4096, 32, ... 6533120, 4096, ) == 0x0
 00219   456   NtUserRegisterClassExWOW  ... ) == 0x810dc025
 00221   456   NtCallbackReturn  (0, 0, 0, ...
 00222   456   NtGdiInit  (... ) == 0x1
 00223   456   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00224   456   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00225   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00227   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00228   456   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00229   456   NtClose  (52, ... ) == 0x0
 00230   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00231   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00232   456   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00233   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00234   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00235   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00236   456   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   456   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   456   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00239   456   NtClose  (52, ... ) == 0x0
 00240   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00241   456   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   456   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   456   NtClose  (52, ... ) == 0x0
 00244   456   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00245   456   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   456   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00247   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   456   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00250   456   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   456   NtClose  (56, ... ) == 0x0
 00252   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00255   456   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   456   NtClose  (56, ... ) == 0x0
 00257   456   NtQueryDefaultUILanguage  (1241756, ...
 00258   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00259   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00260   456   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00261   456   NtClose  (-2147482020, ... ) == 0x0
 00262   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00263   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   456   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00265   456   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   456   NtClose  (-2147482032, ... ) == 0x0
 00267   456   NtClose  (-2147482020, ... ) == 0x0
 00257   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00268   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   456   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00270   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00271   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00272   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8323072, ) == 0x0
 00273   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   456   NtQueryDefaultUILanguage  (2013024600, ...
 00275   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00277   456   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   456   NtClose  (-2147482020, ... ) == 0x0
 00279   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00280   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   456   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00282   456   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   456   NtClose  (-2147482032, ... ) == 0x0
 00284   456   NtClose  (-2147482020, ... ) == 0x0
 00274   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00285   456   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00286   456   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00287   456   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00288   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 1559, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 456, 1559, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 1559, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00290   456   NtClose  (56, ... ) == 0x0
 00291   456   NtClose  (60, ... ) == 0x0
 00292   456   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00293   456   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00294   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00295   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00297   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00298   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00300   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00301   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00302   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00303   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00304   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00305   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00306   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00307   456   NtClose  (56, ... ) == 0x0
 00308   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 921600, ) == 0x0
 00309   456   NtClose  (64, ... ) == 0x0
 00310   456   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00311   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00312   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00313   456   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00314   456   NtClose  (64, ... ) == 0x0
 00315   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00316   456   NtClose  (56, ... ) == 0x0
 00317   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00318   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00319   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00320   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00321   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00322   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00323   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00324   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00325   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00326   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00327   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00328   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00329   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00330   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00331   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00332   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   456   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00339   456   NtQueryDefaultUILanguage  (1239368, ...
 00340   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00341   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00342   456   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00343   456   NtClose  (-2147482020, ... ) == 0x0
 00344   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00345   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00346   456   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00347   456   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   456   NtClose  (-2147482032, ... ) == 0x0
 00349   456   NtClose  (-2147482020, ... ) == 0x0
 00339   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00350   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00352   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00353   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00354   456   NtClose  (56, ... ) == 0x0
 00355   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00356   456   NtClose  (64, ... ) == 0x0
 00357   456   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00358   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00359   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00360   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00361   456   NtClose  (64, ... ) == 0x0
 00362   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00363   456   NtClose  (56, ... ) == 0x0
 00364   456   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00365   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00366   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00367   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00368   456   NtQueryInformationFile  (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00369   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 1560, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 456, 1560, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 1560, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00371   456   NtClose  (56, ... ) == 0x0
 00372   456   NtClose  (64, ... ) == 0x0
 00373   456   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00374   456   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00375   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00376   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00377   456   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00378   456   NtUserGetDC  (0, ... ) == 0x1010052
 00379   456   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00380   456   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00381   456   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00382   456   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00383   456   NtAccessCheck  (1327448, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00384   456   NtClose  (64, ... ) == 0x0
 00385   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00386   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00387   456   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00388   456   NtClose  (64, ... ) == 0x0
 00389   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00390   456   NtSetInformationObject  (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00391   456   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00392   456   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   456   NtClose  (56, ... ) == 0x0
 00394   456   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00395   456   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00396   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00397   456   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00399   456   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   456   NtClose  (68, ... ) == 0x0
 00401   456   NtClose  (56, ... ) == 0x0
 00402   456   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00403   456   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00404   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0
 00405   456   NtEnumerateValueKey  (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00406   456   NtClose  (56, ... ) == 0x0
 00407   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00408   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00409   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00410   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00411   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00412   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00413   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00414   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00415   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043
 00416   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00417   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00418   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00419   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00420   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00421   456   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00422   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00423   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00424   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00426   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00428   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00429   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00431   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00433   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00434   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00436   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00437   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00438   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00440   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00441   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00442   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00443   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00444   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00445   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00446   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00447   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00448   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00449   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00450   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00451   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c
 00452   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00453   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e
 00454   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00455   456   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b
 00456   456   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00457   456   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00458   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00459   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00460   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00461   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00462   456   NtClose  (56, ... ) == 0x0
 00463   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 56, ) == 0x0
 00464   456   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00465   456   NtClose  (56, ... ) == 0x0
 00466   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00467   456   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00468   456   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00469   456   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00470   456   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   456   NtClose  (56, ... ) == 0x0
 00472   456   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00473   456   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00474   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00475   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00476   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ...
 00477   456   NtAllocateVirtualMemory  (-1, 6537216, 0, 4096, 4096, 32, ... 6537216, 4096, ) == 0x0
 00476   456   NtUserRegisterClassExWOW  ... ) == 0x810dc03b
 00478   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00479   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03d
 00480   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00481   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00482   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03f
 00483   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00484   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00485   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc041
 00486   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00487   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00488   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc043
 00489   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00490   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc045
 00491   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00492   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00493   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc047
 00494   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00495   456   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00496   456   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810dc049
 00497   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00498   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00499   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04b
 00500   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00501   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00502   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04d
 00503   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00504   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00505   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04f
 00506   456   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00507   456   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810dc051
 00508   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00509   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00510   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc053
 00511   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00512   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00513   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc055
 00514   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc057
 00515   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00516   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00517   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc059
 00518   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00519   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00520   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05b
 00521   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00522   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00523   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05d
 00524   456   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00525   456   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00526   456   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05f
 00527   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00528   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00529   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00530   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00531   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00532   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00533   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00534   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00535   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00536   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00537   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00538   456   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00539   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00540   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00541   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00542   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00543   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00544   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00545   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00546   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00547   456   NtTestAlert  (... ) == 0x0
 00548   456   NtContinue  (1244464, 1, ...
 00549   456   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x428000,}, 4, ... ) == 0x0
 00550   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00551   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096}  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096} "\0\0\0\0\2\0\1\08\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 440, 456, 1561, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 440, 456, 1561, 0}  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096} "\0\0\0\0\2\0\1\08\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 440, 456, 1561, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00552   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00553   456   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -518660096, 4096, Names, 1,  (-2147482020, 0, 0, 0, -518660096, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00554   456   NtClose  (-2147482020, ... ) == 0x0
 00552   456   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00555   456   NtClose  (56, ... ) == 0x0
 00556   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00558   456   NtClose  (-2147482020, ... ) == 0x0
 00559   456   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -518660096, 4096, Names, 1,  (-2147482020, 0, 0, 0, -518660096, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00560   456   NtClose  (-2147482020, ... ) == 0x0
 00557   456   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00561   456   NtQueryVolumeInformationFile  (56, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00562   456   NtQueryInformationFile  (56, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00563   456   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0
 00564   456   NtClose  (56, ... ) == 0x0
 00565   456   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00566   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00567   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00568   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00569   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00570   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 72, ) }, ... 72, ) == 0x0
 00572   456   NtQueryValueKey  (72,  (72, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   456   NtClose  (72, ... ) == 0x0
 00574   456   NtQueryVolumeInformationFile  (56, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00575   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00576   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00577   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0
 00578   456   NtClose  (72, ... ) == 0x0
 00579   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 106496, ) == 0x0
 00580   456   NtClose  (76, ... ) == 0x0
 00581   456   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00582   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00583   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00584   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0
 00585   456   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00586   456   NtClose  (76, ... ) == 0x0
 00587   456   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00588   456   NtClose  (72, ... ) == 0x0
 00589   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00590   456   NtQueryInformationFile  (72, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00591   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00592   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x920000), 0x0, 1028096, ) == 0x0
 00593   456   NtQueryInformationFile  (72, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00594   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00596   456   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00597   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00598   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00599   456   NtClose  (80, ... ) == 0x0
 00600   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00601   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00602   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00603   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00604   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00605   456   NtClose  (80, ... ) == 0x0
 00606   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00607   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00608   456   NtClose  (80, ... ) == 0x0
 00609   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00610   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00611   456   NtClose  (80, ... ) == 0x0
 00612   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00613   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00614   456   NtClose  (80, ... ) == 0x0
 00615   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00616   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00617   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00618   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00619   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00620   456   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00621   456   NtClose  (80, ... ) == 0x0
 00622   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00623   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00624   456   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00625   456   NtClose  (76, ... ) == 0x0
 00626   456   NtClose  (72, ... ) == 0x0
 00627   456   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00628   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00630   456   NtOpenProcessToken  (-1, 0xa, ... 72, ) == 0x0
 00631   456   NtQueryInformationToken  (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00632   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00634   456   NtQueryValueKey  (76,  (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00635   456   NtQueryValueKey  (76,  (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00636   456   NtClose  (76, ... ) == 0x0
 00637   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00638   456   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00639   456   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00640   456   NtClose  (76, ... ) == 0x0
 00641   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00643   456   NtQueryValueKey  (76,  (76, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   456   NtClose  (76, ... ) == 0x0
 00645   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00646   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00647   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00648   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00649   456   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00650   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00651   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00652   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00653   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00654   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00655   456   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00656   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 76, ) }, ... 76, ) == 0x0
 00657   456   NtEnumerateKey  (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00658   456   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 80, ) }, ... 80, ) == 0x0
 00659   456   NtQueryValueKey  (80,  (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00660   456   NtQueryValueKey  (80,  (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661   456   NtClose  (80, ... ) == 0x0
 00662   456   NtEnumerateKey  (76, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00663   456   NtClose  (76, ... ) == 0x0
 00664   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00666   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00680   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   456   NtClose  (76, ... ) == 0x0
 00682   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00684   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00685   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00686   456   NtClose  (76, ... ) == 0x0
 00687   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00688   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00689   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00690   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00691   456   NtClose  (76, ... ) == 0x0
 00692   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00694   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00695   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00696   456   NtClose  (76, ... ) == 0x0
 00697   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00699   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00700   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00701   456   NtClose  (76, ... ) == 0x0
 00702   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00703   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00704   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00705   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00706   456   NtClose  (76, ... ) == 0x0
 00707   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00708   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00709   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00710   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00711   456   NtClose  (76, ... ) == 0x0
 00712   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00715   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716   456   NtClose  (76, ... ) == 0x0
 00717   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00719   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00720   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00721   456   NtClose  (76, ... ) == 0x0
 00722   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00725   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   456   NtClose  (76, ... ) == 0x0
 00727   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00729   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00730   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00731   456   NtClose  (76, ... ) == 0x0
 00732   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00734   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00735   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00736   456   NtClose  (76, ... ) == 0x0
 00737   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00740   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   456   NtClose  (76, ... ) == 0x0
 00742   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00743   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00744   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00745   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00746   456   NtClose  (76, ... ) == 0x0
 00747   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00749   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00750   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00751   456   NtClose  (76, ... ) == 0x0
 00752   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00753   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00754   456   NtQueryValueKey  (76,  (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00755   456   NtClose  (76, ... ) == 0x0
 00756   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00757   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00758   456   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00759   456   NtClose  (76, ... ) == 0x0
 00760   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   456   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00762   456   NtOpenProcessToken  (-1, 0xa, ... 76, ) == 0x0
 00763   456   NtDuplicateToken  (76, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 80, ) == 0x0
 00764   456   NtClose  (76, ... ) == 0x0
 00765   456   NtAccessCheck  (1337496, 80, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 00766   456   NtClose  (80, ... ) == 0x0
 00767   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0
 00768   456   NtQueryValueKey  (80,  (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   456   NtClose  (80, ... ) == 0x0
 00770   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 80, ) }, ... 80, ) == 0x0
 00771   456   NtQuerySymbolicLinkObject  (80, ...  (80, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00772   456   NtClose  (80, ... ) == 0x0
 00773   456   NtQueryInformationFile  (56, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 00774   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00775   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00776   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 00777   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00778   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00779   456   NtClose  (80, ... ) == 0x0
 00780   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00781   456   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00782   456   NtClose  (80, ... ) == 0x0
 00783   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00784   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00785   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00786   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00787   456   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00788   456   NtClose  (80, ... ) == 0x0
 00789   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00790   456   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 76, ) }, ... 76, ) == 0x0
 00791   456   NtClose  (80, ... ) == 0x0
 00792   456   NtQueryValueKey  (76,  (76, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00793   456   NtQueryValueKey  (76,  (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00794   456   NtClose  (76, ... ) == 0x0
 00795   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3604480, 4096, ) == 0x0
 00796   456   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00797   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00798   456   NtQueryValueKey  (76,  (76, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   456   NtClose  (76, ... ) == 0x0
 00800   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   456   NtQueryInformationToken  (72, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00802   456   NtQueryInformationToken  (72, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00803   456   NtClose  (72, ... ) == 0x0
 00804   456   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 68, 0, 0, 0, ... ) == 0x0
 00805   456   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=440,}, 0x0, ) == 0x0
 00806   456   NtReadVirtualMemory  (72, 0x7ffdf008, 4, ...  (72, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00807   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   456   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00809   456   NtReadVirtualMemory  (72, 0x9800000, 4096, ...  (72, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00810   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00811   456   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=440,}, 0x0, ) == 0x0
 00812   456   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 3735552, 4096, ) == 0x0
 00813   456   NtAllocateVirtualMemory  (72, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00814   456   NtWriteVirtualMemory  (72, 0x10000,  (72, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00815   456   NtAllocateVirtualMemory  (72, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 00816   456   NtWriteVirtualMemory  (72, 0x20000,  (72, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 00817   456   NtWriteVirtualMemory  (72, 0x7ffdf010,  (72, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00818   456   NtWriteVirtualMemory  (72, 0x7ffdf1e8,  (72, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00819   456   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 4096, ) == 0x0
 00820   456   NtAllocateVirtualMemory  (72, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00821   456   NtAllocateVirtualMemory  (72, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00822   456   NtProtectVirtualMemory  (72, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00823   456   NtCreateThread  (0x1f03ff, 0x0, 72, 1241260, 1241980, 1, ... 76, {916, 920}, ) == 0x0
 00824   456   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 1562, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 440, 456, 1562, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 1562, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00825   456   NtResumeThread  (76, ... 1, ) == 0x0
 00826   456   NtClose  (56, ... ) == 0x0
 00827   456   NtClose  (68, ... ) == 0x0
 00828   456   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=440,}, 0x0, ) == 0x0
 00829   456   NtUserWaitForInputIdle  (916, 30000, 0, ...
 00830   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00831   456   NtClose  (68, ... ) == 0x0
 00829   456   NtUserWaitForInputIdle  ... ) == 0x102
 00832   456   NtClose  (72, ... ) == 0x0
 00833   456   NtClose  (76, ... ) == 0x0
 00834   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00835   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00836   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00837   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0
 00838   456   NtClose  (76, ... ) == 0x0
 00839   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244956,  (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ...
 00840   456   NtClose  (-2147482028, ... ) == 0x0
 00839   456   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00841   456   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0
 00842   456   NtClose  (76, ... ) == 0x0
 00843   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0
 00844   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244368,  (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00845   456   NtQueryVolumeInformationFile  (76, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00846   456   NtQueryInformationFile  (76, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00847   456   NtQueryInformationFile  (76, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00848   456   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00849   456   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00850   456   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00851   456   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9568256, 524288, ) == 0x0
 00852   456   NtAllocateVirtualMemory  (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0
 00853   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244372,  (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00855   456   NtClose  (-2147482028, ... ) == 0x0
 00854   456   NtCreateFile  ... 72, {status=0x0, info=2}, ) == 0x0
 00856   456   NtQueryVolumeInformationFile  (72, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00857   456   NtQueryInformationFile  (72, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00858   456   NtAllocateVirtualMemory  (-1, 1347584, 0, 36864, 4096, 4, ... 1347584, 36864, ) == 0x0
 00859   456   NtAllocateVirtualMemory  (-1, 1384448, 0, 36864, 4096, 4, ... 1384448, 36864, ) == 0x0
 00860   456   NtQueryInformationFile  (76, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00861   456   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00862   456   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00863   456   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00864   456   NtSetInformationFile  (76, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00865   456   NtSetInformationFile  (72, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00866   456   NtReadFile  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864},  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0
 00867   456   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00868   456   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00869   456   NtQueryInformationFile  (76, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00870   456   NtSetInformationFile  (72, 1244896, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00871   456   NtFreeVirtualMemory  (-1, (0x147000), 81920, 16384, ... (0x147000), 81920, ) == 0x0
 00872   456   NtClose  (72, ... ) == 0x0
 00873   456   NtClose  (76, ... ) == 0x0
 00874   456   NtUnmapViewOfSection  (-1, 0x73dc0000, ... ) == 0x0
 00875   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0
 00876   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00877   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 76, ... 72, ) == 0x0
 00878   456   NtClose  (76, ... ) == 0x0
 00879   456   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 36864, ) == 0x0
 00880   456   NtClose  (72, ... ) == 0x0
 00881   456   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00882   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00883   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00884   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 00885   456   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00886   456   NtClose  (72, ... ) == 0x0
 00887   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0
 00888   456   NtClose  (76, ... ) == 0x0
 00889   456   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0
 00890   456   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0
 00891   456   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00892   456   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00893   456   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00894   456   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00895   456   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00896   456   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00897   456   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00898   456   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00899   456   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00900   456   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00901   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00902   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00903   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 00904   456   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00905   456   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x0
 00906   456   NtUserSetWindowsHookEx  (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3003b
 00907   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10092544, 1048576, ) == 0x0
 00908   456   NtAllocateVirtualMemory  (-1, 11132928, 0, 8192, 4096, 4, ... 11132928, 8192, ) == 0x0
 00909   456   NtProtectVirtualMemory  (-1, (0xa9e000), 4096, 260, ... (0xa9e000), 4096, 4, ) == 0x0
 00910   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {440, 1448}, ) == 0x0
 00911   456   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=440,Tid=1448,}, 0x0, ) == 0x0
 00912   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\270\1\0\0\250\5\0\0" ... {28, 56, reply, 0, 440, 456, 2252, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\270\1\0\0\250\5\0\0" )  ... {28, 56, reply, 0, 440, 456, 2252, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\270\1\0\0\250\5\0\0" ... {28, 56, reply, 0, 440, 456, 2252, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\270\1\0\0\250\5\0\0" )  ) == 0x0
 00913   456   NtResumeThread  (72, ... 1, ) == 0x0
 00914   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11141120, 1048576, ) == 0x0
 00915  1448   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 68, ) == 0x0
 00916  1448   NtWaitForSingleObject  (68, 0, 0x0, ...
 00917   456   NtAllocateVirtualMemory  (-1, 12181504, 0, 8192, 4096, 4, ... 12181504, 8192, ) == 0x0
 00918   456   NtProtectVirtualMemory  (-1, (0xb9e000), 4096, 260, ... (0xb9e000), 4096, 4, ) == 0x0
 00919   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 56, {440, 1552}, ) == 0x0
 00920   456   NtQueryInformationThread  (56, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=440,Tid=1552,}, 0x0, ) == 0x0
 00921   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 440, 456, 2252, 0}  (24, {28, 56, new_msg, 0, 440, 456, 2252, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\270\1\0\0\20\6\0\0" ... {28, 56, reply, 0, 440, 456, 2253, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\270\1\0\0\20\6\0\0" )  ... {28, 56, reply, 0, 440, 456, 2253, 0}  (24, {28, 56, new_msg, 0, 440, 456, 2252, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\270\1\0\0\20\6\0\0" ... {28, 56, reply, 0, 440, 456, 2253, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\270\1\0\0\20\6\0\0" )  ) == 0x0
 00922   456   NtResumeThread  (56, ... 1, ) == 0x0
 00923   456   NtUserSetTimer  (0, 0, 4096, 268451664, ... ) == 0x7ff9
 00924   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12189696, 1048576, ) == 0x0
 00925   456   NtAllocateVirtualMemory  (-1, 13230080, 0, 8192, 4096, 4, ...
 00926  1552   NtWaitForSingleObject  (68, 0, 0x0, ...
 00925   456   NtAllocateVirtualMemory  ... 13230080, 8192, ) == 0x0
 00927   456   NtProtectVirtualMemory  (-1, (0xc9e000), 4096, 260, ... (0xc9e000), 4096, 4, ) == 0x0
 00928   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {440, 1612}, ) == 0x0
 00929   456   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=440,Tid=1612,}, 0x0, ) == 0x0
 00930   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 440, 456, 2253, 0}  (24, {28, 56, new_msg, 0, 440, 456, 2253, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\270\1\0\0L\6\0\0" ... {28, 56, reply, 0, 440, 456, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\270\1\0\0L\6\0\0" )  ... {28, 56, reply, 0, 440, 456, 2254, 0}  (24, {28, 56, new_msg, 0, 440, 456, 2253, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\270\1\0\0L\6\0\0" ... {28, 56, reply, 0, 440, 456, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\270\1\0\0L\6\0\0" )  ) == 0x0
 00931   456   NtResumeThread  (80, ... 1, ) == 0x0
 00932  1612   NtWaitForSingleObject  (68, 0, 0x0, ...
 00933   456   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   456   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 84, ) }, {20480, 0}, 4, 134217728, 0, ... 84, ) == 0x0
 00935   456   NtSetEventBoostPriority  (68, ...
 00916  1448   NtWaitForSingleObject  ... ) == 0x0
 00936  1448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00937  1448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00938  1448   NtSetEventBoostPriority  (68, ...
 00926  1552   NtWaitForSingleObject  ... ) == 0x0
 00939  1552   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00940  1552   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00941  1552   NtSetEventBoostPriority  (68, ...
 00932  1612   NtWaitForSingleObject  ... ) == 0x0
 00942  1612   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00943  1612   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00944  1612   NtTestAlert  (... ) == 0x0
 00945  1612   NtContinue  (13237552, 1, ...
 00946  1612   NtRegisterThreadTerminatePort  (24, ...
 00941  1552   NtSetEventBoostPriority  ... ) == 0x0
 00938  1448   NtSetEventBoostPriority  ... ) == 0x0
 00935   456   NtSetEventBoostPriority  ... ) == 0x0
 00947  1552   NtTestAlert  (...
 00948  1448   NtTestAlert  (...
 00946  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 00947  1552   NtTestAlert  ... ) == 0x0
 00948  1448   NtTestAlert  ... ) == 0x0
 00949  1612   NtDelayExecution  (0, {-20480000, -1}, ...
 00950   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ...
 00951  1552   NtContinue  (12188976, 1, ...
 00950   456   NtMapViewOfSection  ... (0x390000), {0, 0}, 20480, ) == 0x0
 00952  1552   NtRegisterThreadTerminatePort  (24, ...
 00953   456   NtUnmapViewOfSection  (-1, 0x390000, ...
 00952  1552   NtRegisterThreadTerminatePort  ... ) == 0x0
 00953   456   NtUnmapViewOfSection  ... ) == 0x0
 00954  1552   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00955  1552   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ...
 00956   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ...
 00957  1448   NtContinue  (11140400, 1, ...
 00956   456   NtQueryInformationProcess  ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00958  1448   NtRegisterThreadTerminatePort  (24, ...
 00959   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ...
 00958  1448   NtRegisterThreadTerminatePort  ... ) == 0x0
 00955  1552   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00960  1448   NtDelayExecution  (0, {-40960000, -1}, ...
 00961  1552   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00962  1552   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00963  1552   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0
 00964  1552   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00965  1552   NtNotifyChangeKey  (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00966  1552   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ...
 00959   456   NtSetInformationProcess  ... ) == 0x0
 00967   456   NtDelayExecution  (0, {-10000000, -1}, ...
 00966  1552   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00968  1552   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  1552   NtQueryValueKey  (96,  (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00970  1552   NtQueryValueKey  (96,  (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00971  1552   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0
 00972  1552   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00973  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0
 00974  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00975  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00976  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\321\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\322\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00977  1552   NtClose  (104, ... ) == 0x0
 00978  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0
 00979  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00980  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00981  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\326\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\327\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00982  1552   NtClose  (104, ... ) == 0x0
 00983  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0
 00984  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00985  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00986  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\333\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\334\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00987  1552   NtClose  (104, ... ) == 0x0
 00988  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0
 00989  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00990  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00991  1552   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00992  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\341\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\342\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\343\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\344\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00993  1552   NtClose  (104, ... ) == 0x0
 00994  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0
 00995  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00996  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00997  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\351\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\351\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\351\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\346\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\347\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\350\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\351\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00998  1552   NtClose  (104, ... ) == 0x0
 00999  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0
 01000  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01001  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01002  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\353\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\354\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01003  1552   NtClose  (104, ... ) == 0x0
 01004  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0
 01005  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01006  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01007  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\360\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\361\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01008  1552   NtClose  (104, ... ) == 0x0
 01009  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0
 01010  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01011  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01012  1552   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01013  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\371\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\371\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\371\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\366\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\367\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\370\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\371\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01014  1552   NtClose  (104, ... ) == 0x0
 01015  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0
 01016  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01017  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01018  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\373\3\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\374\3\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\3\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01019  1552   NtClose  (104, ... ) == 0x0
 01020  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0
 01021  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01022  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01023  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\0\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xm\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\1\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\270\1\0\0\20\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01024  1552   NtClose  (104, ... ) == 0x0
 01025  1552   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0
 01026  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01027  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01028  1552   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\5\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\5\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\6\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\4\0\0\270\1\0\0\20\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\4\0\0\270\1\0\0\20\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\10\4\0\0\270\1\0\0\20\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\10\4\0\0\270\1\0\0\20\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\11\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`l\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\5\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\5\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\6\4\0\0\270\1\0\0\20\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\4\0\0\270\1\0\0\20\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\4\0\0\270\1\0\0\20\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\10\4\0\0\270\1\0\0\20\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\10\4\0\0\270\1\0\0\20\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\11\4\0\0\270\1\0\0\20\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`l\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 01029  1552   NtClose  (104, ... ) == 0x0
 01030  1552   NtClose  (100, ... ) == 0x0
 01031  1552   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 01032  1552   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 01033  1552   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0
 01034  1552   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01035  1552   NtNotifyChangeKey  (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01036  1552   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01037  1552   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038  1552   NtQueryValueKey  (104,  (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01039  1552   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0
 01040  1552   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0
 01041  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01042  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01043  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01044  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01045  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01046  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01047  1552   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01048  1552   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049  1552   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01050  1552   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01051  1552   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01052  1552   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01053  1552   NtClose  (112, ... ) == 0x0
 01054  1552   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01055  1552   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0
 01056  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01057  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01058  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01059  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01060  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01061  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01062  1552   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01063  1552   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064  1552   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01065  1552   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01066  1552   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01067  1552   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01068  1552   NtClose  (112, ... ) == 0x0
 01069  1552   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0
 01070  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01071  1552   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01072  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01073  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01074  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01075  1552   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01076  1552   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01077  1552   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01078  1552   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01079  1552   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01080  1552   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01081  1552   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01082  1552   NtClose  (112, ... ) == 0x0
 01083  1552   NtClose  (108, ... ) == 0x0
 01084  1552   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 01085  1552   NtClose  (88, ... ) == 0x0
 01086  1552   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01087  1552   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01088  1552   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 01089  1552   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090  1552   NtClose  (88, ... ) == 0x0
 01091  1552   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 01092  1552   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 108, {status=0x0, info=1}, ) }, 7, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01093  1552   NtLockFile  (108, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01094  1552   NtQueryInformationFile  (108, 1354192, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01095  1552   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 13238272, 1052672, ) == 0x0
 01096  1552   NtAllocateVirtualMemory  (-1, 13238272, 0, 235, 4096, 4, ... 13238272, 4096, ) == 0x0
 01097  1552   NtReadFile  (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01098  1552   NtFreeVirtualMemory  (-1, (0xca0000), 1052672, 32768, ... (0xca0000), 1052672, ) == 0x0
 01099  1552   NtUnlockFile  (108, {0, 0}, {-1, -1}, 1552, ... ) == STATUS_RANGE_NOT_LOCKED
 01100  1552   NtClose  (108, ... ) == 0x0
 01101  1552   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 01102  1552   NtQueryInformationToken  (108, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01103  1552   NtClose  (108, ... ) == 0x0
 01104  1552   NtCreateFile  (0xc0100000, {24, 0, 0x40, 0, 0,  (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01105  1552   NtLockFile  (108, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0
 01106  1552   NtQueryInformationFile  (108, 1354192, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01107  1552   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 13238272, 1052672, ) == 0x0
 01108  1552   NtAllocateVirtualMemory  (-1, 13238272, 0, 235, 4096, 4, ... 13238272, 4096, ) == 0x0
 01109  1552   NtReadFile  (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (108, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01110  1552   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=55859cgoifh13992\15\12", 39, {231, 0}, 2012046884, ... {status=0x0, info=39}, ) , 39, {231, 0}, 2012046884, ... {status=0x0, info=39}, ) == 0x0
 01111  1552   NtSetInformationFile  (108, 12188840, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01112  1552   NtFreeVirtualMemory  (-1, (0xca0000), 1052672, 32768, ... (0xca0000), 1052672, ) == 0x0
 01113  1552   NtUnlockFile  (108, {0, 0}, {-1, -1}, 1552, ... ) == STATUS_RANGE_NOT_LOCKED
 01114  1552   NtClose  (108, ... ) == 0x0
 01115  1552   NtDelayExecution  (0, {-122880000, -1}, ...
 00967   456   NtDelayExecution  ... ) == 0x0
 01116   456   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 108, ) }, 0, ... 108, ) == 0x0
 01117   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   456   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01119   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0
 01122   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01123   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 01124   456   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01125   456   NtClose  (112, ... ) == 0x0
 01126   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01127   456   NtClose  (116, ... ) == 0x0
 01128   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 116, ) }, ... 116, ) == 0x0
 01129   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01130   456   NtClose  (116, ... ) == 0x0
 01131   456   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 116, ) == 0x0
 01132   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01133   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 120, ) }, ... 120, ) == 0x0
 01134   456   NtNotifyChangeKey  (120, 112, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01135   456   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01136   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0
 01137   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0
 01138   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0
 01142   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01143   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 136, ) == 0x0
 01144   456   NtQuerySection  (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01145   456   NtClose  (132, ... ) == 0x0
 01146   456   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01147   456   NtClose  (136, ... ) == 0x0
 01148   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01151   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == 0x0
 01152   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01153   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 132, ) == 0x0
 01154   456   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01155   456   NtClose  (136, ... ) == 0x0
 01156   456   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01157   456   NtClose  (132, ... ) == 0x0
 01158   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01159   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0
 01160   456   NtAllocateVirtualMemory  (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0
 01161   456   NtAllocateVirtualMemory  (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0
 01162   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01163   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01164   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01165   456   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01166   456   NtClose  (132, ... ) == 0x0
 01167   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01168   456   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01169   456   NtClose  (132, ... ) == 0x0
 01170   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01171   456   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01172   456   NtClose  (132, ... ) == 0x0
 01173   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   456   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01175   456   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01176   456   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01177   456   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238324, 0,  (0x1f0003, {24, 52, 0x80, 1238324, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01178   456   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 132, ) }, ... 132, ) == 0x0
 01179   456   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01180   456   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 01181   456   NtCreateKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0
 01182   456   NtQueryDefaultUILanguage  (1236560, ...
 01183   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01184   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 01185   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01186   456   NtClose  (-2147482028, ... ) == 0x0
 01187   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01188   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 01190   456   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   456   NtClose  (-2147482024, ... ) == 0x0
 01192   456   NtClose  (-2147482028, ... ) == 0x0
 01182   456   NtQueryDefaultUILanguage  ... ) == 0x0
 01193   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 140, {status=0x0, info=1}, ) }, 1, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01195   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 140, ... 144, ) == 0x0
 01196   456   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xca0000), 0x0, 593920, ) == 0x0
 01197   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   456   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01199   456   NtQueryDefaultLocale  (1, 1234596, ... ) == 0x0
 01200   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\321\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 2284, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\321\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 456, 2284, 0}  (24, {128, 156, new_msg, 0, 1235452, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\321\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 2284, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1\214\0\0\0\377\377\377\377\0\0\0\0P\275\321\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\374\340\22\0\0\0\0\0" )  ) == 0x0
 01202   456   NtClose  (140, ... ) == 0x0
 01203   456   NtClose  (144, ... ) == 0x0
 01204   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01205   456   NtUnmapViewOfSection  (-1, 0x12e0fc, ... ) == STATUS_NOT_MAPPED_VIEW
 01206   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01207   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01209   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01210   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233136, ... ) }, 1233136, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01212   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01213   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01214   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233728, ... ) }, 1233728, ... ) == 0x0
 01215   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 144, {status=0x0, info=1}, ) }, 3, 33, ... 144, {status=0x0, info=1}, ) == 0x0
 01216   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01217   456   NtCreateKey  (0x2001f, {24, 64, 0x40, 0, 0,  (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01218   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01220   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0
 01222   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01223   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 148, ... 152, ) == 0x0
 01224   456   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01225   456   NtClose  (148, ... ) == 0x0
 01226   456   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01227   456   NtClose  (152, ... ) == 0x0
 01228   456   NtAllocateVirtualMemory  (-1, 3293184, 0, 8192, 4096, 4, ... 3293184, 8192, ) == 0x0
 01229   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01230   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 152, ) == 0x0
 01231   456   NtQueryInformationToken  (152, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01232   456   NtClose  (152, ... ) == 0x0
 01233   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 152, ) }, ... 152, ) == 0x0
 01234   456   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   456   NtClose  (152, ... ) == 0x0
 01236   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 152, ) }, ... 152, ) == 0x0
 01237   456   NtQueryValueKey  (152,  (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01238   456   NtQueryValueKey  (152,  (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01239   456   NtQueryValueKey  (152,  (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01240   456   NtQueryValueKey  (152,  (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01241   456   NtClose  (152, ... ) == 0x0
 01242   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 152, ) }, ... 152, ) == 0x0
 01243   456   NtQueryValueKey  (152,  (152, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01244   456   NtQueryValueKey  (152,  (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01245   456   NtQueryValueKey  (152,  (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01246   456   NtQueryValueKey  (152,  (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01247   456   NtQueryValueKey  (152,  (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01248   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 01249   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01250   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 148, ... 156, ) == 0x0
 01251   456   NtClose  (148, ... ) == 0x0
 01252   456   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xca0000), 0x0, 135168, ) == 0x0
 01253   456   NtClose  (156, ... ) == 0x0
 01254   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01255   456   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01256   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238660, ... ) }, 1238660, ... ) == 0x0
 01257   456   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 01258   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239184,  (0x80100080, {24, 0, 0x40, 0, 1239184, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01259   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 148, ) == 0x0
 01260   456   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xca0000), {0, 0}, 135168, ) == 0x0
 01261   456   NtQueryDefaultLocale  (1, 1238992, ... ) == 0x0
 01262   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01263   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01264   456   NtReadFile  (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01265   456   NtQueryInformationFile  (156, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01266   456   NtSetInformationFile  (156, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01267   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01268   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01269   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01270   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01271   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01272   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01273   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01274   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01275   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01276   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01277   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01278   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01279   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01280   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01281   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01282   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01283   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01284   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01285   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01286   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01287   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01288   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01289   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01290   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01291   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01292   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01293   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01294   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01295   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01296   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01297   456   NtReadFile  (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01298   456   NtQueryInformationFile  (156, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01299   456   NtSetInformationFile  (156, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01300   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01301   456   NtReadFile  (156, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (156, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01302   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01303   456   NtClose  (148, ... ) == 0x0
 01304   456   NtClose  (156, ... ) == 0x0
 01305   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0
 01306   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01307   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 156, ... 148, ) == 0x0
 01308   456   NtClose  (156, ... ) == 0x0
 01309   456   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xca0000), 0x0, 135168, ) == 0x0
 01310   456   NtClose  (148, ... ) == 0x0
 01311   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01312   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238032, ... ) }, 1238032, ... ) == 0x0
 01313   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01314   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 148, ... 156, ) == 0x0
 01315   456   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01316   456   NtClose  (148, ... ) == 0x0
 01317   456   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01318   456   NtClose  (156, ... ) == 0x0
 01319   456   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01320   456   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01321   456   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01322   456   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01323   456   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01324   456   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01325   456   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01326   456   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01327   456   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01328   456   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01329   456   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01330   456   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01331   456   NtAllocateVirtualMemory  (-1, 1384448, 0, 20480, 4096, 4, ... 1384448, 20480, ) == 0x0
 01332   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01333   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01334   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01335   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01336   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01337   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01338   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01339   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01340   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01341   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01342   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01343   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01344   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01345   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01346   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01347   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01348   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01349   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01350   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01351   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01352   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01353   456   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01354   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236984, ... ) }, 1236984, ... ) == 0x0
 01355   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237716,  (0x80100080, {24, 0, 0x40, 0, 1237716, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01356   456   NtQueryVolumeInformationFile  (156, 1237876, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01357   456   NtQueryInformationFile  (156, 1237768, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01358   456   NtQueryInformationFile  (156, 1238060, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01359   456   NtClose  (156, ... ) == 0x0
 01360   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236476, ... ) }, 1236476, ... ) == 0x0
 01361   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237208,  (0x80100080, {24, 0, 0x40, 0, 1237208, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01362   456   NtQueryVolumeInformationFile  (156, 1237368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01363   456   NtQueryInformationFile  (156, 1237260, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01364   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 148, ) == 0x0
 01365   456   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xca0000), {0, 0}, 135168, ) == 0x0
 01366   456   NtQueryDefaultLocale  (1, 1237348, ... ) == 0x0
 01367   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01368   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01369   456   NtQueryDefaultLocale  (1, 1237348, ... ) == 0x0
 01370   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01371   456   NtQueryVirtualMemory  (-1, 0xca0000, Basic, 28, ... {BaseAddress=0xca0000,AllocationBase=0xca0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01372   456   NtReadFile  (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (156, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01373   456   NtQueryInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01374   456   NtSetInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01375   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01376   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01377   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01378   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01379   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01380   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01381   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01382   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01383   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01384   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01385   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01386   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01387   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01388   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01389   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01390   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01391   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01392   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01393   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01394   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01395   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01396   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01397   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01398   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01399   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01400   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01401   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01402   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01403   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01404   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01405   456   NtReadFile  (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (156, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01406   456   NtQueryInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01407   456   NtSetInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01408   456   NtQueryInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01409   456   NtSetInformationFile  (156, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01410   456   NtReadFile  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (156, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01411   456   NtReadFile  (156, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (156, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01412   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01413   456   NtClose  (148, ... ) == 0x0
 01414   456   NtClose  (156, ... ) == 0x0
 01415   456   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 156, ) }, ... 156, ) == 0x0
 01416   456   NtQueryValueKey  (156,  (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01417   456   NtQueryValueKey  (156,  (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01418   456   NtQueryValueKey  (156,  (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01419   456   NtQueryValueKey  (156,  (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01420   456   NtClose  (156, ... ) == 0x0
 01421   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01423   456   NtOpenProcessToken  (-1, 0x8, ... 156, ) == 0x0
 01424   456   NtQueryInformationToken  (156, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01425   456   NtClose  (156, ... ) == 0x0
 01426   456   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 01427   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 156, {status=0x0, info=0}, ) }, 7, 16, ... 156, {status=0x0, info=0}, ) == 0x0
 01428   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01429   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01430   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01431   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01432   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01433   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01434   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01435   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01436   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01437   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\3\362M3\212\22\337\250T\21\37\2334\277\12\25\366\231\350\320\372\272\367\333g\357\234\366\320^ \356\374\12O\20\3772\223\374D*\261\357\222,J2T\245I\323\344\25\7\256\216\335\270\257[\263N=`\216<<7TP\337\243\254\216\234G\246"\376", 80, ... , 0, 3,  (-2147482028, "Seed", 0, 3, "\3\362M3\212\22\337\250T\21\37\2334\277\12\25\366\231\350\320\372\272\367\333g\357\234\366\320^ \356\374\12O\20\3772\223\374D*\261\357\222,J2T\245I\323\344\25\7\256\216\335\270\257[\263N=`\216<<7TP\337\243\254\216\234G\246"\376", 80, ... \376", 80, ...
 01438   456   NtSetInformationFile  (-2147482808, -136216964, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01439   456   NtSetInformationFile  (-2147482808, -136217000, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01437   456   NtSetValueKey  ... ) == 0x0
 01440   456   NtClose  (-2147482028, ... ) == 0x0
 01428   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\203E\353E1s\215\37\313R\262~\305\341N/\15\377)\3\343\200\366W\23\273\311\305\3'\32\304\207\255L\346\36\255\12Q\376R\277\265\35E\236\302\16\3372C\330v\24F\363\5R\1\251s\12\233\207(\325\13\363\342\365<\301\265Y\206p\346\311\T\261\317\332\376\267~E\21\245\0\211jT\313 \304\276\214\247H\240\303\27.b\20\17\250m\323\277\364\33\235\350\3374 \24\2440&X\355vN\367\307\235$\2638\343i*\236\372\374\344q\306\256\247\327\326\3009B\225\231\25\213\236k<<#S'B\333\302\211\13\242\331\354\354\342D\265(\350\376\341:\373\26\220\211Z\0\330\250\334)\271\377}\357F\232+\354\336\222W\304\317\317o\6\214\20.\324\33\314\203\271\304FO6\313I_\340\3153\270\231\360\273]\301\35J{EHK\267f\377\200\2328\337CQ\346\376\264\362\305~i3Q\320J\307\263_", ) , ) == 0x0
 01441   456   NtClose  (152, ... ) == 0x0
 01442   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16S\261\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01443   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01444   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01445   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01446   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01447   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01448   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01449   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01450   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01451   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\344\374\2q<\314\327k\342\241\325~^\317P\276s\262\16\333\343\234\2744\2172\245apV>\254\272J\10q\306j\21\312\275\246\372\221bKr\366\215\257c[\35#\353?\224\221\233\24\26c@\37^Zc\277WI\34\323\25\244\357\342p\177\330\25", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\344\374\2q<\314\327k\342\241\325~^\317P\276s\262\16\333\343\234\2744\2172\245apV>\254\272J\10q\306j\21\312\275\246\372\221bKr\366\215\257c[\35#\353?\224\221\233\24\26c@\37^Zc\277WI\34\323\25\244\357\342p\177\330\25", 80, ... ) , 80, ... ) == 0x0
 01452   456   NtClose  (-2147482028, ... ) == 0x0
 01442   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\34U!\340>9\4?\302y\5\257\321fUo\325\233]\4\304J\215\234\321\5'\10f\246\V\334G\36\16\362E\304N\230^\256(Kl\360\342\23\376\230\325\31\203k$\341[o\243\253\215\244h\36\250:\263\325A'\23\205\361AF\266\6\24521\340<"l[\360wS\342\11\263;\222\325\305F\216\225\232^\222\202+\322\313\313\330\241\363\136\242;\337\31\265;\235\277b\346\253;\236C\222.nr\373\347 \233\305\304\241J5\220Oj\306C\367\13\272\354\245\316\205nq\350o\311\367\15\362A\36\241Ck#\221\15x\307-\367\321\200w\17w\245v\24P\201\4!e\6\304\20\317\310j\301\373\344\344<\3\3659\213\307+\16\341\337lI\360\202G\376\26M\370l\261\347u\240\230<\4\351"B`\274\260$q\30k\231S\230\346j\263\3100\177KONw\242<\255-n\321\316\374Y\203H", ) l[\360wS\342\11\263;\222\325\305F\216\225\232^\222\202+\322\313\313\330\241\363\136\242;\337\31\265;\235\277b\346\253;\236C\222.nr\373\347 \233\305\304\241J5\220Oj\306C\367\13\272\354\245\316\205nq\350o\311\367\15\362A\36\241Ck#\221\15x\307-\367\321\200w\17w\245v\24P\201\4!e\6\304\20\317\310j\301\373\344\344<\3\3659\213\307+\16\341\337lI\360\202G\376\26M\370l\261\347u\240\230<\4\351 ... {status=0x0, info=256}, "\34U!\340>9\4?\302y\5\257\321fUo\325\233]\4\304J\215\234\321\5'\10f\246\V\334G\36\16\362E\304N\230^\256(Kl\360\342\23\376\230\325\31\203k$\341[o\243\253\215\244h\36\250:\263\325A'\23\205\361AF\266\6\24521\340<"l[\360wS\342\11\263;\222\325\305F\216\225\232^\222\202+\322\313\313\330\241\363\136\242;\337\31\265;\235\277b\346\253;\236C\222.nr\373\347 \233\305\304\241J5\220Oj\306C\367\13\272\354\245\316\205nq\350o\311\367\15\362A\36\241Ck#\221\15x\307-\367\321\200w\17w\245v\24P\201\4!e\6\304\20\317\310j\301\373\344\344<\3\3659\213\307+\16\341\337lI\360\202G\376\26M\370l\261\347u\240\230<\4\351"B`\274\260$q\30k\231S\230\346j\263\3100\177KONw\242<\255-n\321\316\374Y\203H", ) , ) == 0x0
 01453   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01454   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01455   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01456   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01457   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01458   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01459   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01460   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01461   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01462   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\265\350\336$\24\377Y\2424u,E4Eo\33i\332\266_\177D:\2Ki\374\2779c\15\261\OC\267F\2429v.dk\270\10\260t{\323\22\375\204\354/\33\7\331\362O\21N\17\177\6y\274\14\245EXe\372)\24\244\202\233\324\205J", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\265\350\336$\24\377Y\2424u,E4Eo\33i\332\266_\177D:\2Ki\374\2779c\15\261\OC\267F\2429v.dk\270\10\260t{\323\22\375\204\354/\33\7\331\362O\21N\17\177\6y\274\14\245EXe\372)\24\244\202\233\324\205J", 80, ... ) , 80, ... ) == 0x0
 01463   456   NtClose  (-2147482028, ... ) == 0x0
 01453   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "iE\266?&S\375\354\242JW\273\203\31\304\216\220\212\240+\31\367 \252V\375~f\213R\251\253\26z\333X\313\301\21\277\260\357\354\1\344H\373\277}\345\373|\270A\367\323\271\323\351\335\336\304b\35|k\303\11\11\342\303\374\20\231umO\236\364\240\222h\265?)=\4\222\211R\252\274W>\263\361\316\221u\27\201\274\377\12\210!\327\223\252\321\316\21\357\313I\224\313\206Q\332y\273\321n\20\222\30\374\360\375\25\267\27\373f\203\202v\276\207\322\4\206i7\354\\333\261I/\220\356\350\12\246q\266\223l\267:\325+)\245J\347q\11q.\304>\2365\256\360sf\215\24\371\2\367}\303u\333fJg\204\300\207\330\210\326\251\373\243\361\260DvpH\15\220t\232\355N\14", ) vpH\15\220t\232\355N\14", ) == 0x0
 01464   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p%\303\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01465   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01466   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01467   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01468   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01469   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01470   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01471   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01472   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01473   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "x\240\374\16ZKz\375\5sb\310\205\177\266v\231\305\372\245[\236X\331\36\242s\3340\267\177\217o\30/8\327\230N]-\251W\6\323\345*\201r\316|,\374\325\37\315\0\330\23\246\10\224\220z\27,\25\312\327Q\326-F\331\27-\366\371gF", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "x\240\374\16ZKz\375\5sb\310\205\177\266v\231\305\372\245[\236X\331\36\242s\3340\267\177\217o\30/8\327\230N]-\251W\6\323\345*\201r\316|,\374\325\37\315\0\330\23\246\10\224\220z\27,\25\312\327Q\326-F\331\27-\366\371gF", 80, ... ) , 80, ... ) == 0x0
 01474   456   NtClose  (-2147482028, ... ) == 0x0
 01464   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "A\221\4\245\366\325k\2531\215\367xy\372\373/q\1\211\264\16\242\237H\177}\273 \353\363\33\250]\13\326\343\331PLI\23\325\275\357`\30!#\341\224\247AU8\346\255\215\231\346b$X5u\342=4|S[\374\217\256\11h@A\376\5\205\341e\315^\374t\x\307\377\367\302\31Ji\0,\233Q\207|\270+y\372\224\300\246l\22\7\253\326\365\311\210l1\254;\3450\275\306V\310^*\255{%\265\346\252\22\313\247Da\247\234\212\207\376\224\366\257\266y;\342\264\347\364Tj|.A\351\302aP\2155\306\206\332A\370\255\370\261\217\257\343\37403w\277\266:9=\254\2329\305\211\20462\17\24n\245\2029\340\233\276\236\374\350\315\300\M\261S\11*>\30t\212\202\26\352\276l\17>.\316s4\35\243po\212`\i0\3432\212\363\4\271s\10\333\372\227;kB\n\360", ) , ) == 0x0
 01475   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01476   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01477   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01478   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01479   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01480   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01481   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01482   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01483   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01484   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\276\276S\223i\245\6\277\327\357\233\332\301\204\321\11\14\263\225^\375\217y`_\373y\331\227j\274F=\256\251<\37\342,\23\345\3325\17n\257\311g\345\355r(\272P\241\0\3b\233(\266\316\330\334\15\265\240z\315FQ_\224\341*y\217\264\21M", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\276\276S\223i\245\6\277\327\357\233\332\301\204\321\11\14\263\225^\375\217y`_\373y\331\227j\274F=\256\251<\37\342,\23\345\3325\17n\257\311g\345\355r(\272P\241\0\3b\233(\266\316\330\334\15\265\240z\315FQ_\224\341*y\217\264\21M", 80, ... ) , 80, ... ) == 0x0
 01485   456   NtClose  (-2147482028, ... ) == 0x0
 01475   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\277\14\37\305\316$ST\231\10\373\323To\317uE\266\20\244=\207^P\23y!\354\241Q\300\271\13T4\35\302\332;\4\325\33\273\275^\214\342C\331\6\372\353'\21\307\373\0\221\375\357Uk\375\316\377\260\26\333f\20\13\370?J.\314!.\340J]A\222\14\307I4\252\272\325\224\270w\15\271Sp\367na\7\262\20\275f\304\226ym\261\2232fv'\217\232\0\15(~\266\12B\233\250>\242W\367\2706\345\214\223)\21B\226\220\311\330\314\251\14\13\261Xpj\245~\23p\270\213\23\11"AG\243?\14\324l\221XA\344H[\361\301\25A\210\360\207N\321\6\352\207\341`\301\210U\316\24\213o\211y\344\246\5\264+\252D>\212\17\12y\4G\34L?\344\330\375\312^\302\353A.\310Y\231\215\274\246\237PN\15\255\254\370\14G\37\247KY\27S\332\265q2N\347\246D&\16\2471\5", ) AG\243?\14\324l\221XA\344H[\361\301\25A\210\360\207N\321\6\352\207\341`\301\210U\316\24\213o\211y\344\246\5\264+\252D>\212\17\12y\4G\34L?\344\330\375\312^\302\353A.\310Y\231\215\274\246\237PN\15\255\254\370\14G\37\247KY\27S\332\265q2N\347\246D&\16\2471\5", ) == 0x0
 01486   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01487   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01488   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01489   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01490   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01491   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01492   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01493   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01494   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01495   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "V\344\313\342\342E\3527\255\2\34\241\277\276\202\255I\344\343\334\313h`\334i\242\3\206n\7\357$K{7}}\272\17\363\303ZsO}8\274(\300\276Y\346\31\357P\22\210\352\245\356G0\302\25\4\211\217\36\361\323:\265K=X\206H\217\245\210", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "V\344\313\342\342E\3527\255\2\34\241\277\276\202\255I\344\343\334\313h`\334i\242\3\206n\7\357$K{7}}\272\17\363\303ZsO}8\274(\300\276Y\346\31\357P\22\210\352\245\356G0\302\25\4\211\217\36\361\323:\265K=X\206H\217\245\210", 80, ... ) , 80, ... ) == 0x0
 01496   456   NtClose  (-2147482028, ... ) == 0x0
 01486   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\366D\225\243q\261$\237\14\37,\3422\300\321\203>~\247\320]\31\214\246b\35C\273\324\213\26\237\305\350\253\243\351\370\231\32\305-\362U\222 \200+N4\263\253\15\304\341s\346T\356z\211W\242=\350\11)\100\302\3\346\376\255\212\23T\13\21\302\3055p\331V\37\244~\10\234\250\247\341\247[\202\26\320\210\316\357\257\30%\331\16\225myN\230id\2{\16\225Wj\311j\333\t\31\227Cc\0\31\3551P\376\224\365\333\346\315m\343\372\232\363\33{\7\16\367r<3\3745V\365\361l\305\330\321\25519\262\333\242\211"\300\346\344\372\210m\325\21M\2705\303_\214\337W8n\12%\275}\230\244\3062\270\211\256\216\357\25e\306s\24b"hy\336s?\7\30=\304X\226\31\31\325tab\31l%e?\313]\360L\206\323\34\230\203\3\220\364\14\264\177Kg\4h\17\2\336\326\327\272\306S", ) \300\346\344\372\210m\325\21M\2705\303_\214\337W8n\12%\275}\230\244\3062\270\211\256\216\357\25e\306s\24b ... {status=0x0, info=256}, "\366D\225\243q\261$\237\14\37,\3422\300\321\203>~\247\320]\31\214\246b\35C\273\324\213\26\237\305\350\253\243\351\370\231\32\305-\362U\222 \200+N4\263\253\15\304\341s\346T\356z\211W\242=\350\11)\100\302\3\346\376\255\212\23T\13\21\302\3055p\331V\37\244~\10\234\250\247\341\247[\202\26\320\210\316\357\257\30%\331\16\225myN\230id\2{\16\225Wj\311j\333\t\31\227Cc\0\31\3551P\376\224\365\333\346\315m\343\372\232\363\33{\7\16\367r<3\3745V\365\361l\305\330\321\25519\262\333\242\211"\300\346\344\372\210m\325\21M\2705\303_\214\337W8n\12%\275}\230\244\3062\270\211\256\216\357\25e\306s\24b"hy\336s?\7\30=\304X\226\31\31\325tab\31l%e?\313]\360L\206\323\34\230\203\3\220\364\14\264\177Kg\4h\17\2\336\326\327\272\306S", ) , ) == 0x0
 01497   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01498   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01499   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01500   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01501   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01502   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01503   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01504   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01505   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01506   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\247k\343\272\362\35\13\275\37N\372mM*\312D_\263\10\225\376W!z\336\261\277\233c\E\217T\11\353\25\361*\270\35\346\304@\212\263e\275]\20\2710gP\315\316\363\345p\207\3\233\303\223\325{\20\304\314\216\231\233d\204&y#=\340\220~", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\247k\343\272\362\35\13\275\37N\372mM*\312D_\263\10\225\376W!z\336\261\277\233c\E\217T\11\353\25\361*\270\35\346\304@\212\263e\275]\20\2710gP\315\316\363\345p\207\3\233\303\223\325{\20\304\314\216\231\233d\204&y#=\340\220~", 80, ... ) , 80, ... ) == 0x0
 01507   456   NtClose  (-2147482028, ... ) == 0x0
 01497   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "&x\211Mi\237\231&\212[\305\270d_myz\226\12\370\222\270\30g# =0\265\225\340\276a\254M\3630t\177\300\253\252\256^?\1\340\20\261\17\25\303\306\15\377K\214\324P\216S\367\346v\212\251\352\322\201\31=\311J\32>\345|v\23\277\223\265WP\363\276\232p\202\241&\241\12\232\305L\241\277\24g\212\220\375\11\224\367\272\25\177\240\333}\236\216\347\344\2\7g\267}\215=\20\270\263B\17\2522c\353B\350M\251\333eRN\256\305-\207J\345\251\346V\306\276\6{\255\334ppW\275\302\221Y\330\37zyWN\343\3410\232&\205 \231H\352:y/\2651\376\243\212\226\16\327\266\262\26A\336PE\370x\262L\310\270>\17Ev[\273}\320,\376\6\206"FH\240\275\205bJlM\235w\350\352\7\256\2\215h\276PR|\27\350\4Bu\376\33\346u\5Ug\210\230`\303\313\2376", ) FH\240\275\205bJlM\235w\350\352\7\256\2\215h\276PR|\27\350\4Bu\376\33\346u\5Ug\210\230`\303\313\2376", ) == 0x0
 01508   456   NtDeviceIoControlFile  (156, 0, 0x0, 0x0, 0x390008,  (156, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\6{p\310;\233\16\353i\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p%\303\265\306\261\240p\235\33\1770\215A\210E\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01509   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01510   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01511   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01512   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01513   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01514   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01515   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01516   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 01517   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\2\33\346\15y\2m>\245l#\333d\332\232\35\6\224\271\271\234)\242\263D\352\3066K\343\35[\6\233,\253:\362Pis\316g8eT\266P\322%\263\330c6\340\322 \252\330\15\267\21+\244k\314LB\365Nua\346\227M\0, 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\2\33\346\15y\2m>\245l#\333d\332\232\35\6\224\271\271\234)\242\263D\352\3066K\343\35[\6\233,\253:\362Pis\316g8eT\266P\322%\263\330c6\340\322 \252\330\15\267\21+\244k\314LB\365Nua\346\227M\0, 80, ... ) , 80, ... ) == 0x0
 01518   456   NtClose  (-2147482028, ... ) == 0x0
 01508   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "c\365\205\256\274\235\346\365\340\225\333\333\1\355d[\24"\321f\31\370\275W\231\2\312F-(:\236H\310\252@\204\207a\345\323C\240\311\357\21\344#\210\3505e?sw\59jg#\177\216\315r\201W\252\224A\240\377\341o\335\311!\251\213q\300\h\370\234\5\362\363\275\365'\356\302XX\14\300F\342E>\345hj\15|\263\200\330L\264$P\227ZU\2640\16\362\300\352"T\327%\312*\3\16+\4\327\2242c\331%\30\272KwB\330\21M\202V%M\266{\343(\266%\372~U\4#<\311\357\227\320\317\235\301SN\352&5T\255y\277(6\362\247\10\\264\243H\226P\344**\270B\31JN\25?\4t\204\315\356\5\347\307\360\357\261\335\17p"\5e\310\366,jr\323\202\213\12\205\273,\26V\307f\347s\1\6\256\367mt\311\366\257\362\253\4\307&\2253`0~$\357.", ) \321f\31\370\275W\231\2\312F-(:\236H\310\252@\204\207a\345\323C\240\311\357\21\344#\210\3505e?sw\59jg#\177\216\315r\201W\252\224A\240\377\341o\335\311!\251\213q\300\h\370\234\5\362\363\275\365'\356\302XX\14\300F\342E>\345hj\15|\263\200\330L\264$P\227ZU\2640\16\362\300\352 ... {status=0x0, info=256}, "c\365\205\256\274\235\346\365\340\225\333\333\1\355d[\24"\321f\31\370\275W\231\2\312F-(:\236H\310\252@\204\207a\345\323C\240\311\357\21\344#\210\3505e?sw\59jg#\177\216\315r\201W\252\224A\240\377\341o\335\311!\251\213q\300\h\370\234\5\362\363\275\365'\356\302XX\14\300F\342E>\345hj\15|\263\200\330L\264$P\227ZU\2640\16\362\300\352"T\327%\312*\3\16+\4\327\2242c\331%\30\272KwB\330\21M\202V%M\266{\343(\266%\372~U\4#<\311\357\227\320\317\235\301SN\352&5T\255y\277(6\362\247\10\\264\243H\226P\344**\270B\31JN\25?\4t\204\315\356\5\347\307\360\357\261\335\17p"\5e\310\366,jr\323\202\213\12\205\273,\26V\307f\347s\1\6\256\367mt\311\366\257\362\253\4\307&\2253`0~$\357.", ) \5e\310\366,jr\323\202\213\12\205\273,\26V\307f\347s\1\6\256\367mt\311\366\257\362\253\4\307&\2253`0~$\357.", ) == 0x0
 01519   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 152, {status=0x0, info=1}, ) }, 3, 33, ... 152, {status=0x0, info=1}, ) == 0x0
 01520   456   NtQueryVolumeInformationFile  (152, 1238964, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01521   456   NtClose  (12, ... ) == 0x0
 01522   456   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238184,  (0x80100080, {24, 0, 0x40, 0, 1238184, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01524   456   NtQueryInformationFile  (12, 1239120, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01525   456   NtQueryInformationFile  (12, 1239092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01526   456   NtQueryInformationFile  (12, 1239044, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01527   456   NtAllocateVirtualMemory  (-1, 1409024, 0, 8192, 4096, 4, ... 1409024, 8192, ) == 0x0
 01528   456   NtQueryInformationFile  (12, 1406296, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01529   456   NtQueryInformationFile  (12, 1237588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01530   456   NtQueryInformationFile  (12, 1237432, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01531   456   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237440,  (0x40110080, {24, 0, 0x40, 0, 1237440, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01532   456   NtClose  (-2147482028, ... ) == 0x0
 01531   456   NtCreateFile  ... 148, {status=0x0, info=2}, ) == 0x0
 01533   456   NtQueryVolumeInformationFile  (148, 1236812, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01534   456   NtQueryInformationFile  (148, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01535   456   NtQueryVolumeInformationFile  (12, 1236812, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01536   456   NtQueryVolumeInformationFile  (12, 1236496, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01537   456   NtSetInformationFile  (148, 1236600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01538   456   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 160, ) == 0x0
 01539   456   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 114688, ) == 0x0
 01540   456   NtClose  (160, ... ) == 0x0
 01541   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0\200\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01542   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\3434`B\246\215.\211n]\214\366\\263\26\242\357\213JK\230\301nq\357ov\270.\26v\274\362\11L5\372\21S>\335\370\\304<\334\240\373$\260yD'\220\237\212\30\213\216\246\222\253G\271\32X\356\214\261Y\362Kih\365op\305\314\13@\3130\11\207%\222\211\277\303+\16j\322\333\342\255/\10\362\213\206\3H\310+\24b=\2606\366\352Pj\4\344S]c\251\270\266\245$\257\14\313s\37\270\355\364\202\34 \15:\207w>\346\261\315"\301\274\333\253\321\333\240]>C\222x\243]\275l\311\333b1b\253\177\267&\202X\210N\6\251\1=A4\200\252,P4\211tt]j\326\374\377^\256\362i* `\310%\372YGo\253G\220\367br\304\35\375iD\5y\334\374^\327a\300\264A\216\2675\25nl\376=\270\347\316\222\220\356^qV8\220\25\242<\257?\2022\346&x\220)\367\212\325\247-\262\27\315\203\16\320\25e8\364\271\233\270\242\360f\204\234'\305\303P\312\34\300\244\276\331.{\203*\3\220\217"N\221\337\10\302\320~zh\345\3026\32'\30\322\262\247\2749\324\253\260%b\214\213\22\241\15N\2066\177z{t\344\375\240E\343;^\271\373G\213\237C\304\337\201\215\242\20EP\351\5iL-m\274t\315\26\3031\213H\361\1[\17\245T92\254y\225\236`l\116t\245S\243\325\230_\366\341\223k\211\355\206w\234\371\372=\271\253\262\21\244\237\231e\223\363\204y\376\347\363\216[\305pON1D\273\301=\337\247\364)\322\223\254[{\301\14o\6\365\33\3-\351&W8\335\315\250\11\377\6A<\313\31Mw\327lY*# \245^q\265\377\256E\240\323U\31O\207@-z\273o\302\277\321\324[\362\335\357G\245", 53248, 0x0, 0, ... {status=0x0, info=53248}, ) \301\274\333\253\321\333\240]>C\222x\243]\275l\311\333b1b\253\177\267&\202X\210N\6\251\1=A4\200\252,P4\211tt]j\326\374\377^\256\362i* `\310%\372YGo\253G\220\367br\304\35\375iD\5y\334\374^\327a\300\264A\216\2675\25nl\376=\270\347\316\222\220\356^qV8\220\25\242<\257?\2022\346&x\220)\367\212\325\247-\262\27\315\203\16\320\25e8\364\271\233\270\242\360f\204\234'\305\303P\312\34\300\244\276\331.{\203*\3\220\217 (148, 0, 0, 0, "\3434`B\246\215.\211n]\214\366\\263\26\242\357\213JK\230\301nq\357ov\270.\26v\274\362\11L5\372\21S>\335\370\\304<\334\240\373$\260yD'\220\237\212\30\213\216\246\222\253G\271\32X\356\214\261Y\362Kih\365op\305\314\13@\3130\11\207%\222\211\277\303+\16j\322\333\342\255/\10\362\213\206\3H\310+\24b=\2606\366\352Pj\4\344S]c\251\270\266\245$\257\14\313s\37\270\355\364\202\34 \15:\207w>\346\261\315"\301\274\333\253\321\333\240]>C\222x\243]\275l\311\333b1b\253\177\267&\202X\210N\6\251\1=A4\200\252,P4\211tt]j\326\374\377^\256\362i* `\310%\372YGo\253G\220\367br\304\35\375iD\5y\334\374^\327a\300\264A\216\2675\25nl\376=\270\347\316\222\220\356^qV8\220\25\242<\257?\2022\346&x\220)\367\212\325\247-\262\27\315\203\16\320\25e8\364\271\233\270\242\360f\204\234'\305\303P\312\34\300\244\276\331.{\203*\3\220\217"N\221\337\10\302\320~zh\345\3026\32'\30\322\262\247\2749\324\253\260%b\214\213\22\241\15N\2066\177z{t\344\375\240E\343;^\271\373G\213\237C\304\337\201\215\242\20EP\351\5iL-m\274t\315\26\3031\213H\361\1[\17\245T92\254y\225\236`l\116t\245S\243\325\230_\366\341\223k\211\355\206w\234\371\372=\271\253\262\21\244\237\231e\223\363\204y\376\347\363\216[\305pON1D\273\301=\337\247\364)\322\223\254[{\301\14o\6\365\33\3-\351&W8\335\315\250\11\377\6A<\313\31Mw\327lY*# \245^q\265\377\256E\240\323U\31O\207@-z\273o\302\277\321\324[\362\335\357G\245", 53248, 0x0, 0, ... {status=0x0, info=53248}, ) , 53248, 0x0, 0, ... {status=0x0, info=53248}, ) == 0x0
 01543   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01544   456   NtSetInformationFile  (148, 1239044, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01545   456   NtClose  (12, ... ) == 0x0
 01546   456   NtClose  (148, ... ) == 0x0
 01547   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0
 01548   456   NtSetInformationFile  (148, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01549   456   NtClose  (148, ... ) == 0x0
 01550   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0
 01551   456   NtSetInformationFile  (148, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01552   456   NtClose  (148, ... ) == 0x0
 01553   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238948,  (0x80100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01554   456   NtQueryInformationFile  (148, 1239000, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01555   456   NtClose  (148, ... ) == 0x0
 01556   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238948,  (0x40100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01557   456   NtSetInformationFile  (148, 1239000, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01558   456   NtClose  (148, ... ) == 0x0
 01559   456   NtOpenFile  (0x10080, {24, 152, 0x40, 0, 0,  (0x10080, {24, 152, 0x40, 0, 0, "kdaney.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   456   NtCreateFile  (0x40100080, {24, 152, 0x40, 0, 1239196,  (0x40100080, {24, 152, 0x40, 0, 1239196, "kdaney.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 148, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 148, {status=0x0, info=2}, ) == 0x0
 01561   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del kdaney.bat\15\12", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01562   456   NtClose  (148, ... ) == 0x0
 01563   456   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232536, ... ) }, 1232536, ... ) == 0x0
 01565   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01566   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 148, ... 12, ) == 0x0
 01567   456   NtClose  (148, ... ) == 0x0
 01568   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xca0000), 0x0, 262144, ) == 0x0
 01569   456   NtClose  (12, ... ) == 0x0
 01570   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01571   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01572   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01573   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01574   456   NtAllocateVirtualMemory  (-1, 1417216, 0, 16384, 4096, 4, ... 1417216, 16384, ) == 0x0
 01575   456   NtUserRegisterClassExWOW  (1234620, 1234700, 1234684, 1234716, 0, 384, 0, ... ) == 0x810dc038
 01576   456   NtUserGetAtomName  (49208, 1233384, ... ) == 0x15
 01577   456   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01578   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230908, ... ) }, 1230908, ... ) == 0x0
 01579   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01580   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 148, ) == 0x0
 01581   456   NtClose  (12, ... ) == 0x0
 01582   456   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xca0000), 0x0, 204800, ) == 0x0
 01583   456   NtClose  (148, ... ) == 0x0
 01584   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01585   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231224, ... ) }, 1231224, ... ) == 0x0
 01586   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01587   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 148, ... 12, ) == 0x0
 01588   456   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01589   456   NtClose  (148, ... ) == 0x0
 01590   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01591   456   NtClose  (12, ... ) == 0x0
 01592   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01593   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01594   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01595   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01596   456   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01597   456   NtClose  (12, ... ) == 0x0
 01598   456   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01599   456   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01600   456   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 148, ) }, ... 148, ) == 0x0
 01601   456   NtQueryValueKey  (148,  (148, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   456   NtClose  (148, ... ) == 0x0
 01603   456   NtClose  (12, ... ) == 0x0
 01604   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01605   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01606   456   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01607   456   NtClose  (12, ... ) == 0x0
 01608   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01609   456   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 148, ) }, ... 148, ) == 0x0
 01610   456   NtQueryValueKey  (148,  (148, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   456   NtClose  (148, ... ) == 0x0
 01612   456   NtClose  (12, ... ) == 0x0
 01613   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01615   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == 0x0
 01616   456   NtUserGetProcessWindowStation  (... ) == 0x28
 01617   456   NtUserGetObjectInformation  (40, 2, 0, 0, 1233020, ... ) == 0x0
 01618   456   NtUserGetObjectInformation  (40, 2, 1371408, 16, 1233020, ... ) == 0x1
 01619   456   NtUserGetGUIThreadInfo  (456, 1232976, ... ) == 0x1
 01620   456   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01621   456   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2286, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 456, 2286, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2286, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01622   456   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2287, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 456, 2287, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2287, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01623   456   NtUserCallNoParam  (29, ...
 01624   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230268, ... ) }, 1230268, ... ) == 0x0
 01623   456   NtUserCallNoParam  ... ) == 0x0
 01625   456   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01626   456   NtGdiHfontCreate  (1232348, 356, 0, 0, 1380472, ... ) == 0xb0a0311
 01627   456   NtGdiHfontCreate  (1232348, 356, 0, 0, 1380464, ... ) == 0x90a0344
 01628   456   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2288, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 456, 2288, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 456, 2288, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01629   456   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xca0000), {0, 0}, 331776, ) == 0x0
 01630   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01631   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01632   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01633   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01634   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01635   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01636   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01637   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01638   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01639   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01640   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01641   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01642   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01643   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01644   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01645   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01646   456   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01647   456   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1810033b
 01648   456   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01649   456   NtUserCallNoParam  (29, ...
 01650   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 01649   456   NtUserCallNoParam  ... ) == 0x0
 01651   456   NtUserCallNoParam  (29, ...
 01652   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0
 01651   456   NtUserCallNoParam  ... ) == 0x0
 01653   456   NtUserMessageCall  (0x100e6, WM_NCCREATE, 0x0, 0x12d194, 0, 670, 0, ... ) == 0x1
 01654   456   NtUserMessageCall  (0x100e6, WM_NCCALCSIZE, 0x0, 0x12d1bc, 0, 670, 0, ... ) == 0x0
 01655   456   NtUserSetProp  (65766, 43288, -1, ... ) == 0x1
 01577   456   NtUserCreateWindowEx  ... ) == 0x100e6
 01656   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 160, ) }, ... 160, ) == 0x0
 01657   456   NtQueryValueKey  (160,  (160, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01658   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01659   456   NtQueryValueKey  (164,  (164, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01660   456   NtClose  (164, ... ) == 0x0
 01661   456   NtClose  (160, ... ) == 0x0
 01662   456   NtAllocateVirtualMemory  (-1, 1433600, 0, 24576, 4096, 4, ... 1433600, 24576, ) == 0x0
 01663   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01664   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01665   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 160, ) }, ... 160, ) == 0x0
 01666   456   NtQueryValueKey  (160,  (160, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01667   456   NtClose  (160, ... ) == 0x0
 01668   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01670   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01671   456   NtQuerySystemTime  (... {1975808904, 29884051}, ) == 0x0
 01672   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01673   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01674   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01675   456   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01676   456   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01677   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01678   456   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 176, ) == 0x0
 01679   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 180, ) }, ... 180, ) == 0x0
 01680   456   NtOpenKey  (0x20019, {24, 180, 0x40, 0, 0,  (0x20019, {24, 180, 0x40, 0, 0, "ActiveComputerName"}, ... 184, ) }, ... 184, ) == 0x0
 01681   456   NtQueryValueKey  (184,  (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (184, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01682   456   NtClose  (184, ... ) == 0x0
 01683   456   NtClose  (180, ... ) == 0x0
 01684   456   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 180, ) == 0x0
 01685   456   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 184, ) == 0x0
 01686   456   NtDuplicateObject  (-1, 180, -1, 0x0, 0, 2, ... 188, ) == 0x0
 01687   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01688   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01689   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01690   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01691   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233148,  (0xc0100080, {24, 0, 0x40, 0, 1233148, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01692   456   NtSetInformationFile  (196, 1233204, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01693   456   NtSetInformationFile  (196, 1233196, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01694   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01695   456   NtWriteFile  (196, 173, 0, 0,  (196, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01696   456   NtReadFile  (196, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01697   456   NtFsControlFile  (196, 173, 0x0, 0x0, 0x11c017,  (196, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (196, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01698   456   NtClose  (192, ... ) == 0x0
 01699   456   NtClose  (196, ... ) == 0x0
 01700   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233192, ... ) }, 1233192, ... ) == 0x0
 01701   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01702   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01703   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "kdaney.bat"}, 1233012, ... ) }, 1233012, ... ) == 0x0
 01704   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01705   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01706   456   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329880, 0,  (0x1f0003, {24, 52, 0x80, 1329880, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 196, ) }, 0, 2147483647, ... 196, ) == STATUS_OBJECT_NAME_EXISTS
 01707   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 01708   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 01709   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01710   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0
 01711   456   NtQueryValueKey  (192,  (192, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712   456   NtClose  (192, ... ) == 0x0
 01713   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 01714   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 01715   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01716   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0
 01717   456   NtQueryValueKey  (192,  (192, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01718   456   NtClose  (192, ... ) == 0x0
 01719   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 01720   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 01721   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01722   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0
 01723   456   NtQueryValueKey  (192,  (192, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01724   456   NtClose  (192, ... ) == 0x0
 01725   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 01726   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 01727   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01728   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 192, ) }, ... 192, ) == 0x0
 01729   456   NtQueryValueKey  (192,  (192, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   456   NtClose  (192, ... ) == 0x0
 01731   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 192, ) }, ... 192, ) == 0x0
 01732   456   NtEnumerateKey  (192, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (192, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01733   456   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 200, ) }, ... 200, ) == 0x0
 01734   456   NtQueryValueKey  (200,  (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   456   NtClose  (200, ... ) == 0x0
 01736   456   NtEnumerateKey  (192, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (192, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01737   456   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 200, ) }, ... 200, ) == 0x0
 01738   456   NtQueryValueKey  (200,  (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01739   456   NtClose  (200, ... ) == 0x0
 01740   456   NtEnumerateKey  (192, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (192, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01741   456   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 200, ) }, ... 200, ) == 0x0
 01742   456   NtQueryValueKey  (200,  (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01743   456   NtClose  (200, ... ) == 0x0
 01744   456   NtEnumerateKey  (192, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (192, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01745   456   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 200, ) }, ... 200, ) == 0x0
 01746   456   NtQueryValueKey  (200,  (200, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01747   456   NtClose  (200, ... ) == 0x0
 01748   456   NtEnumerateKey  (192, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01749   456   NtClose  (192, ... ) == 0x0
 01750   456   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01751   456   NtOpenProcessToken  (-1, 0x8, ... 192, ) == 0x0
 01752   456   NtQueryInformationToken  (192, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01753   456   NtClose  (192, ... ) == 0x0
 01754   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01755   456   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0
 01756   456   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0, ""}, ... 200, ) == 0x0
 01757   456   NtCreateKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "SessionInfo\0000000000009212"}, 0, 0x0, 1, ... 204, 2, ) }, 0, 0x0, 1, ... 204, 2, ) == 0x0
 01758   456   NtClose  (200, ... ) == 0x0
 01759   456   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   456   NtClose  (204, ... ) == 0x0
 01761   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01762   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01763   456   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01764   456   NtClose  (204, ... ) == 0x0
 01765   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 204, ) }, ... 204, ) == 0x0
 01766   456   NtSetInformationObject  (206, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01767   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01768   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01769   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0
 01770   456   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01771   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01772   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01773   456   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01774   456   NtClose  (208, ... ) == 0x0
 01775   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   456   NtQueryValueKey  (202,  (202, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777   456   NtClose  (202, ... ) == 0x0
 01778   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01779   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0
 01781   456   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01782   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01783   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01784   456   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01785   456   NtClose  (208, ... ) == 0x0
 01786   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01787   456   NtQueryValueKey  (202,  (202, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01788   456   NtClose  (202, ... ) == 0x0
 01789   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01790   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01791   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 200, ) }, ... 200, ) == 0x0
 01792   456   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01793   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01794   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01795   456   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01796   456   NtClose  (208, ... ) == 0x0
 01797   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   456   NtQueryValueKey  (202,  (202, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01799   456   NtClose  (202, ... ) == 0x0
 01800   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01801   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01802   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01804   456   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01805   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01806   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01807   456   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01808   456   NtClose  (208, ... ) == 0x0
 01809   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810   456   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01811   456   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01812   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01813   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01814   456   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01815   456   NtClose  (208, ... ) == 0x0
 01816   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01817   456   NtQueryValueKey  (202,  (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   456   NtClose  (202, ... ) == 0x0
 01819   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 01820   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 01821   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 200, ) }, ... 200, ) == 0x0
 01823   456   NtQueryValueKey  (200,  (200, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01824   456   NtClose  (200, ... ) == 0x0
 01825   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 200, ) }, ... 200, ) == 0x0
 01826   456   NtQueryValueKey  (200,  (200, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01827   456   NtClose  (200, ... ) == 0x0
 01828   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01829   456   NtQueryValueKey  (200, " (200, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (200, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01830   456   NtClose  (200, ... ) == 0x0
 01831   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0
 01832   456   NtQueryVolumeInformationFile  (200, 1233332, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01833   456   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 208, ) }, ... 208, ) == 0x0
 01834   456   NtWaitForSingleObject  (208, 0, {-1000000, -1}, ... ) == 0x0
 01835   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 212, ) }, ... 212, ) == 0x0
 01836   456   NtMapViewOfSection  (212, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01837   456   NtQueryInformationFile  (200, 1233296, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01838   456   NtQueryInformationFile  (200, 1233336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01839   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01840   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01841   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01842   456   NtClose  (216, ... ) == 0x0
 01843   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01844   456   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 01845   456   NtClose  (200, ... ) == 0x0
 01846   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 200, ) }, ... 200, ) == 0x0
 01847   456   NtQueryValueKey  (200,  (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01848   456   NtClose  (200, ... ) == 0x0
 01849   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01850   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01852   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == 0x0
 01853   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01854   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 200, ... 216, ) == 0x0
 01855   456   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01856   456   NtClose  (200, ... ) == 0x0
 01857   456   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01858   456   NtClose  (216, ... ) == 0x0
 01859   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01860   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01861   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01862   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0
 01863   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0
 01864   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 216, ... 200, ) == 0x0
 01865   456   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01866   456   NtClose  (216, ... ) == 0x0
 01867   456   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01868   456   NtClose  (200, ... ) == 0x0
 01869   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 200, ) }, ... 200, ) == 0x0
 01870   456   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01871   456   NtClose  (200, ... ) == 0x0
 01872   456   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01873   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01874   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 200, ) }, ... 200, ) == 0x0
 01875   456   NtQueryValueKey  (200,  (200, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   456   NtQueryValueKey  (200,  (200, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877   456   NtClose  (200, ... ) == 0x0
 01878   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231112, ... ) }, 1231112, ... ) == 0x0
 01879   456   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   456   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01881   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 200, ) }, ... 200, ) == 0x0
 01882   456   NtQueryValueKey  (200,  (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01883   456   NtClose  (200, ... ) == 0x0
 01884   456   NtAllocateVirtualMemory  (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0
 01885   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 200, ) }, ... 200, ) == 0x0
 01886   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01887   456   NtNotifyChangeKey  (200, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01888   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 220, ) }, ... 220, ) == 0x0
 01889   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01890   456   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01891   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0
 01892   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 232, ) }, ... 232, ) == 0x0
 01893   456   NtSetInformationObject  (232, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01894   456   NtNotifyChangeKey  (232, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01895   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 236, ) }, ... 236, ) == 0x0
 01896   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01897   456   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01898   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01899   456   NtNotifyChangeKey  (232, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01900   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01901   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01902   456   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01903   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01904   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01905   456   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01906   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01907   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01908   456   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01909   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 272, ) }, ... 272, ) == 0x0
 01910   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0
 01911   456   NtNotifyChangeKey  (272, 276, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01912   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 280, ) }, ... 280, ) == 0x0
 01913   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01914   456   NtNotifyChangeKey  (280, 284, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01915   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 288, ) == 0x0
 01916   456   NtNotifyChangeKey  (232, 288, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01917   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 292, ) }, ... 292, ) == 0x0
 01918   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0
 01919   456   NtNotifyChangeKey  (292, 296, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01920   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 300, ) }, ... 300, ) == 0x0
 01921   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01922   456   NtNotifyChangeKey  (300, 304, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01923   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 308, ) }, ... 308, ) == 0x0
 01924   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0
 01925   456   NtNotifyChangeKey  (308, 312, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01926   456   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01927   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 316, ) }, ... 316, ) == 0x0
 01928   456   NtQueryValueKey  (316,  (316, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01929   456   NtClose  (316, ... ) == 0x0
 01930   456   NtAllocateVirtualMemory  (-1, 3301376, 0, 4096, 4096, 4, ... 3301376, 4096, ) == 0x0
 01931   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01932   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01933   456   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 316, ) }, ... 316, ) == 0x0
 01934   456   NtMapViewOfSection  (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3f0000), {0, 0}, 24576, ) == 0x0
 01935   456   NtAllocateVirtualMemory  (-1, 3305472, 0, 8192, 4096, 4, ... 3305472, 8192, ) == 0x0
 01936   456   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01937   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 320, ) }, ... 320, ) == 0x0
 01938   456   NtQueryValueKey  (320,  (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01939   456   NtClose  (320, ... ) == 0x0
 01940   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01941   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01942   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 13631488, 65536, ) == 0x0
 01943   456   NtAllocateVirtualMemory  (-1, 13631488, 0, 4096, 4096, 4, ... 13631488, 4096, ) == 0x0
 01944   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01945   456   NtAllocateVirtualMemory  (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0
 01946   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01947   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0
 01948   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01949   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01950   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01951   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01952   456   NtClose  (324, ... ) == 0x0
 01953   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01954   456   NtOpenKey  (0x1, {24, 322, 0x40, 0, 0,  (0x1, {24, 322, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01955   456   NtClose  (322, ... ) == 0x0
 01956   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01957   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0
 01959   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01960   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01961   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01962   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01963   456   NtClose  (324, ... ) == 0x0
 01964   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01965   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0
 01966   456   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01967   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01968   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01969   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01970   456   NtClose  (328, ... ) == 0x0
 01971   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   456   NtQueryValueKey  (326,  (326, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01973   456   NtClose  (326, ... ) == 0x0
 01974   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01975   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01976   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01977   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01978   456   NtClose  (324, ... ) == 0x0
 01979   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01980   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01981   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01982   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01983   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01984   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01985   456   NtClose  (324, ... ) == 0x0
 01986   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01987   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01989   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01990   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01991   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01992   456   NtClose  (324, ... ) == 0x0
 01993   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0
 01995   456   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01996   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01997   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01998   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01999   456   NtClose  (328, ... ) == 0x0
 02000   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02001   456   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02002   456   NtClose  (326, ... ) == 0x0
 02003   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02004   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02005   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02006   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02007   456   NtClose  (324, ... ) == 0x0
 02008   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02009   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02011   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02012   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02013   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02014   456   NtClose  (324, ... ) == 0x0
 02015   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02017   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02018   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02019   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02020   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02021   456   NtClose  (324, ... ) == 0x0
 02022   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02025   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02027   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   456   NtClose  (324, ... ) == 0x0
 02029   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02032   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 02034   456   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02035   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02036   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02037   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02038   456   NtClose  (328, ... ) == 0x0
 02039   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   456   NtQueryValueKey  (326,  (326, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02041   456   NtClose  (326, ... ) == 0x0
 02042   456   NtClose  (322, ... ) == 0x0
 02043   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 320, ) == 0x0
 02044   456   NtQueryInformationProcess  (320, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02045   456   NtClose  (320, ... ) == 0x0
 02046   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02047   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02048   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0
 02049   456   NtClose  (322, ... ) == 0x0
 02050   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 02051   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02052   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0
 02053   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02054   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02055   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02056   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02057   456   NtClose  (324, ... ) == 0x0
 02058   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02059   456   NtOpenKey  (0x2000000, {24, 322, 0x40, 0, 0,  (0x2000000, {24, 322, 0x40, 0, 0, "InprocServer32"}, ... 324, ) }, ... 324, ) == 0x0
 02060   456   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02061   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02062   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02063   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02064   456   NtClose  (328, ... ) == 0x0
 02065   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02066   456   NtQueryValueKey  (326,  (326, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (326, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02067   456   NtClose  (326, ... ) == 0x0
 02068   456   NtClose  (322, ... ) == 0x0
 02069   456   NtAllocateVirtualMemory  (-1, 1466368, 0, 8192, 4096, 4, ... 1466368, 8192, ) == 0x0
 02070   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02071   456   NtOpenKey  (0x20019, {24, 206, 0x40, 0, 0,  (0x20019, {24, 206, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02072   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 320, ) }, ... 320, ) == 0x0
 02073   456   NtQueryKey  (322, Name, 384, ... {Name= (322, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02074   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02075   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02076   456   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02077   456   NtClose  (324, ... ) == 0x0
 02078   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02079   456   NtOpenKey  (0x1, {24, 322, 0x40, 0, 0,  (0x1, {24, 322, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02080   456   NtClose  (322, ... ) == 0x0
 02081   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227504, ... ) }, 1227504, ... ) == 0x0
 02082   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02083   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0
 02084   456   NtClose  (320, ... ) == 0x0
 02085   456   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd10000), 0x0, 1339392, ) == 0x0
 02086   456   NtClose  (324, ... ) == 0x0
 02087   456   NtUnmapViewOfSection  (-1, 0xd10000, ... ) == 0x0
 02088   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 02089   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02090   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0
 02091   456   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02092   456   NtClose  (324, ... ) == 0x0
 02093   456   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 02094   456   NtClose  (320, ... ) == 0x0
 02095   456   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02096   456   NtQueryDefaultUILanguage  (1226184, ...
 02097   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02098   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 02099   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02100   456   NtClose  (-2147482028, ... ) == 0x0
 02101   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 02102   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 02104   456   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02105   456   NtClose  (-2147482024, ... ) == 0x0
 02106   456   NtClose  (-2147482028, ... ) == 0x0
 02096   456   NtQueryDefaultUILanguage  ... ) == 0x0
 02107   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02108   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 320, {status=0x0, info=1}, ) }, 1, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02109   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 320, ... 324, ) == 0x0
 02110   456   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd10000), 0x0, 1339392, ) == 0x0
 02111   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02112   456   NtQueryDefaultLocale  (1, 1224220, ... ) == 0x0
 02113   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\334\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 2289, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\334\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 456, 2289, 0}  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\334\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 456, 2289, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1@\1\0\0\377\377\377\377\0\0\0\0\10\340\334\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" )  ) == 0x0
 02115   456   NtClose  (320, ... ) == 0x0
 02116   456   NtClose  (324, ... ) == 0x0
 02117   456   NtUnmapViewOfSection  (-1, 0xd10000, ... ) == 0x0
 02118   456   NtUnmapViewOfSection  (-1, 0x12b874, ... ) == STATUS_NOT_MAPPED_VIEW
 02119   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02120   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02121   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02122   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02123   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222760, ... ) }, 1222760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02125   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02126   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02127   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223352, ... ) }, 1223352, ... ) == 0x0
 02128   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 324, {status=0x0, info=1}, ) }, 3, 33, ... 324, {status=0x0, info=1}, ) == 0x0
 02129   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02130   456   NtUserFindExistingCursorIcon  (1227304, 1227320, 1227888, ... ) == 0x10011
 02131   456   NtUserRegisterClassExWOW  (1227756, 1227836, 1227820, 1227852, 0, 384, 0, ... ) == 0x810d0000
 02132   456   NtUserGetClassInfo  (1905590272, 1227920, 1227872, 1227948, 0, ... ) == 0xc05f
 02133   456   NtGdiCreateHalftonePalette  (0, ... ) == 0x2080347
 02134   456   NtGdiDoPalette  (34079559, 0, 256, 1227012, 2, 0, ... ) == 0x100
 02135   456   NtGdiDeleteObjectApp  (34079559, ... ) == 0x1
 02136   456   NtGdiCreateCompatibleDC  (0, ... ) == 0x3010347
 02137   456   NtGdiCreatePaletteInternal  (1227008, 256, ... ) == 0x3080346
 02138   456   NtGdiDeleteObjectApp  (50398023, ... ) == 0x1
 02139   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 02140   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 320, ) }, ... 320, ) == 0x0
 02142   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 02143   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02144   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02145   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02146   456   NtClose  (328, ... ) == 0x0
 02147   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02149   456   NtClose  (322, ... ) == 0x0
 02150   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02151   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02152   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0
 02153   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02154   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02155   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02156   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02157   456   NtClose  (328, ... ) == 0x0
 02158   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02160   456   NtClose  (322, ... ) == 0x0
 02161   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02162   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02163   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0
 02164   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02165   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02166   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02167   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02168   456   NtClose  (328, ... ) == 0x0
 02169   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02170   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02171   456   NtClose  (322, ... ) == 0x0
 02172   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02173   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02174   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0
 02175   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02176   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02177   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02178   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02179   456   NtClose  (328, ... ) == 0x0
 02180   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02181   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02182   456   NtClose  (322, ... ) == 0x0
 02183   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02184   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 320, ) }, ... 320, ) == 0x0
 02186   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02187   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02188   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02189   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02190   456   NtClose  (328, ... ) == 0x0
 02191   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02193   456   NtClose  (322, ... ) == 0x0
 02194   456   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0
 02195   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196   456   NtAllocateVirtualMemory  (-1, 1478656, 0, 12288, 4096, 4, ... 1478656, 12288, ) == 0x0
 02197   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02198   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02199   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0
 02200   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02201   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02202   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02203   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02204   456   NtClose  (328, ... ) == 0x0
 02205   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   456   NtQueryValueKey  (322,  (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   456   NtClose  (322, ... ) == 0x0
 02208   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02209   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0
 02211   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02212   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02213   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02214   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02215   456   NtClose  (328, ... ) == 0x0
 02216   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   456   NtQueryValueKey  (322,  (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   456   NtClose  (322, ... ) == 0x0
 02219   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02220   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0
 02222   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02223   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02224   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02225   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02226   456   NtClose  (328, ... ) == 0x0
 02227   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   456   NtQueryValueKey  (322,  (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   456   NtClose  (322, ... ) == 0x0
 02230   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02231   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 320, ) }, ... 320, ) == 0x0
 02233   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02234   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02235   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 02236   456   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02237   456   NtClose  (328, ... ) == 0x0
 02238   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   456   NtQueryValueKey  (322,  (322, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   456   NtClose  (322, ... ) == 0x0
 02241   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 320, ) }, ... 320, ) == 0x0
 02242   456   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02243   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02244   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 328, ) }, ... 328, ) == 0x0
 02246   456   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02247   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02248   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 02249   456   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02250   456   NtClose  (332, ... ) == 0x0
 02251   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252   456   NtQueryValueKey  (330, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (330, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02253   456   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02254   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02255   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 02256   456   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02257   456   NtClose  (332, ... ) == 0x0
 02258   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02259   456   NtQueryValueKey  (330,  (330, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   456   NtClose  (330, ... ) == 0x0
 02261   456   NtEnumerateValueKey  (320, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02262   456   NtClose  (320, ... ) == 0x0
 02263   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02264   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02265   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 02266   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02267   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02268   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 02269   456   NtQueryValueKey  (320,  (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (320, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02270   456   NtClose  (320, ... ) == 0x0
 02271   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02272   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02273   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1233492, ... ) }, 1233492, ... ) == 0x0
 02274   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02275   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02276   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 02277   456   NtQueryValueKey  (320,  (320, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02278   456   NtQueryValueKey  (320,  (320, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (320, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02279   456   NtClose  (320, ... ) == 0x0
 02280   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234316,  (0x80100080, {24, 0, 0x40, 0, 1234316, "\??\u:\work\kdaney.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 02281   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 328, ) }, ... 328, ) == 0x0
 02282   456   NtQuerySymbolicLinkObject  (328, ...  (328, ... "\Device\WinDfs\U:0000000000009212", 66, ) , 66, ) == 0x0
 02283   456   NtClose  (328, ... ) == 0x0
 02284   456   NtQueryInformationFile  (320, 1232760, 528, Name, ... {status=0x0, info=72}, ) == 0x0
 02285   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02286   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02287   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\kdaney.bat"}, 1231440, ... ) }, 1231440, ... ) == 0x0
 02288   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 328, {status=0x0, info=1}, ) }, 3, 16417, ... 328, {status=0x0, info=1}, ) == 0x0
 02289   456   NtQueryDirectoryFile  (328, 0, 0, 0, 1230800, 616, BothDirectory, 1,  (328, 0, 0, 0, 1230800, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02290   456   NtClose  (328, ... ) == 0x0
 02291   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 328, {status=0x0, info=1}, ) }, 3, 16417, ... 328, {status=0x0, info=1}, ) == 0x0
 02292   456   NtQueryDirectoryFile  (328, 0, 0, 0, 1230800, 616, BothDirectory, 1,  (328, 0, 0, 0, 1230800, 616, BothDirectory, 1, "kdaney.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02293   456   NtClose  (328, ... ) == 0x0
 02294   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02295   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02296   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02299   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1232172, ... ) }, 1232172, ... ) == 0x0
 02300   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02301   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 332, ) == 0x0
 02302   456   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02303   456   NtClose  (328, ... ) == 0x0
 02304   456   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 02305   456   NtClose  (332, ... ) == 0x0
 02306   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 332, ) }, ... 332, ) == 0x0
 02307   456   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 02308   456   NtClose  (332, ... ) == 0x0
 02309   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02310   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 13697024, 262144, ) == 0x0
 02311   456   NtAllocateVirtualMemory  (-1, 13697024, 0, 4096, 4096, 4, ... 13697024, 4096, ) == 0x0
 02312   456   NtAllocateVirtualMemory  (-1, 13701120, 0, 8192, 4096, 4, ... 13701120, 8192, ) == 0x0
 02313   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02314   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13959168, 1048576, ) == 0x0
 02315   456   NtAllocateVirtualMemory  (-1, 13959168, 0, 1048576, 4096, 4, ... 13959168, 1048576, ) == 0x0
 02316   456   NtCreateMutant  (0x1f0001, 0x0, 0, ... 332, ) == 0x0
 02317   456   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 328, ) == 0x0
 02318   456   NtCreateMutant  (0x1f0001, 0x0, 0, ... 336, ) == 0x0
 02319   456   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 340, ) == 0x0
 02320   456   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 344, ) == 0x0
 02321   456   NtSetEvent  (344, ... 0x0, ) == 0x0
 02322   456   NtSetInformationFile  (320, 1234200, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02323   456   NtReadFile  (320, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (320, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02324   456   NtWaitForSingleObject  (332, 0, 0x0, ... ) == 0x0
 02325   456   NtClearEvent  (328, ... ) == 0x0
 02326   456   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 02327   456   NtWaitForSingleObject  (332, 0, 0x0, ... ) == 0x0
 02328   456   NtSetEvent  (328, ... 0x0, ) == 0x0
 02329   456   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 02330   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02331   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02332   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02333   456   NtClose  (348, ... ) == 0x0
 02334   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02335   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02336   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02337   456   NtClose  (348, ... ) == 0x0
 02338   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02339   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02340   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02341   456   NtClose  (348, ... ) == 0x0
 02342   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02343   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02344   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02345   456   NtClose  (348, ... ) == 0x0
 02346   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02347   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02348   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02349   456   NtClose  (348, ... ) == 0x0
 02350   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02351   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02352   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02353   456   NtClose  (348, ... ) == 0x0
 02354   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02355   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 348, ) }, ... 348, ) == 0x0
 02356   456   NtQueryValueKey  (348,  (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02357   456   NtQueryValueKey  (348,  (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02358   456   NtClose  (348, ... ) == 0x0
 02359   456   NtWaitForMultipleObjects  (2, (332, 328, ), 0, 0, 0x0, ... ) == 0x0
 02360   456   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 02361   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02362   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02363   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02364   456   NtClose  (348, ... ) == 0x0
 02365   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02366   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02367   456   NtClose  (348, ... ) == 0x0
 02368   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 348, ) }, ... 348, ) == 0x0
 02369   456   NtQueryValueKey  (348,  (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02370   456   NtQueryValueKey  (348,  (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02371   456   NtQueryValueKey  (348,  (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02372   456   NtQueryValueKey  (348,  (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02373   456   NtClose  (348, ... ) == 0x0
 02374   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 348, ) }, ... 348, ) == 0x0
 02375   456   NtQueryValueKey  (348,  (348, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02376   456   NtQueryValueKey  (348,  (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02377   456   NtQueryValueKey  (348,  (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02378   456   NtQueryValueKey  (348,  (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02379   456   NtQueryValueKey  (348,  (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02380   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231488, ... ) }, 1231488, ... ) == 0x0
 02381   456   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 352, ) }, ... 352, ) == 0x0
 02382   456   NtQueryValueKey  (352,  (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02383   456   NtQueryValueKey  (352,  (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02384   456   NtQueryValueKey  (352,  (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02385   456   NtQueryValueKey  (352,  (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02386   456   NtClose  (352, ... ) == 0x0
 02387   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02388   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02389   456   NtOpenProcessToken  (-1, 0x8, ... 352, ) == 0x0
 02390   456   NtQueryInformationToken  (352, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02391   456   NtClose  (352, ... ) == 0x0
 02392   456   NtClose  (348, ... ) == 0x0
 02393   456   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02394   456   NtOpenProcessToken  (-1, 0x8, ... 348, ) == 0x0
 02395   456   NtQueryInformationToken  (348, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02396   456   NtClose  (348, ... ) == 0x0
 02397   456   NtOpenKey  (0x2000000, {24, 232, 0x40, 0, 0,  (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02398   456   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0
 02399   456   NtClose  (348, ... ) == 0x0
 02400   456   NtQueryValueKey  (352,  (352, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02401   456   NtClose  (352, ... ) == 0x0
 02402   456   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02403   456   NtOpenProcessToken  (-1, 0x8, ... 352, ) == 0x0
 02404   456   NtQueryInformationToken  (352, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02405   456   NtClose  (352, ... ) == 0x0
 02406   456   NtOpenKey  (0x2000000, {24, 232, 0x40, 0, 0,  (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02407   456   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 348, ) }, ... 348, ) == 0x0
 02408   456   NtClose  (352, ... ) == 0x0
 02409   456   NtQueryValueKey  (348,  (348, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02410   456   NtClose  (348, ... ) == 0x0
 02411   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02412   456   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02413   456   NtOpenProcessToken  (-1, 0x8, ... 348, ) == 0x0
 02414   456   NtQueryInformationToken  (348, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02415   456   NtClose  (348, ... ) == 0x0
 02416   456   NtOpenKey  (0x2000000, {24, 232, 0x40, 0, 0,  (0x2000000, {24, 232, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02417   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418   456   NtClose  (348, ... ) == 0x0
 02419   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02420   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 320, ... 348, ) == 0x0
 02421   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe50000), {0, 0}, 4096, ) == 0x0
 02422   456   NtClose  (348, ... ) == 0x0
 02423   456   NtQueryInformationFile  (320, 1233704, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02424   456   NtUnmapViewOfSection  (-1, 0xe50000, ... ) == 0x0
 02425   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0
 02426   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0
 02427   456   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 356, ) }, ... 356, ) == 0x0
 02428   456   NtEnumerateKey  (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02429   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 360, ) }, ... 360, ) == 0x0
 02430   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02431   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02432   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02433   456   NtClose  (360, ... ) == 0x0
 02434   456   NtEnumerateKey  (356, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02435   456   NtClose  (356, ... ) == 0x0
 02436   456   NtClose  (352, ... ) == 0x0
 02437   456   NtClose  (348, ... ) == 0x0
 02438   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0
 02439   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0
 02440   456   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 356, ) }, ... 356, ) == 0x0
 02441   456   NtEnumerateKey  (356, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02442   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 360, ) }, ... 360, ) == 0x0
 02443   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02444   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02445   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02446   456   NtClose  (360, ... ) == 0x0
 02447   456   NtEnumerateKey  (356, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (356, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02448   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 360, ) }, ... 360, ) == 0x0
 02449   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02450   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02451   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02452   456   NtClose  (360, ... ) == 0x0
 02453   456   NtEnumerateKey  (356, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (356, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02454   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 360, ) }, ... 360, ) == 0x0
 02455   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02456   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02457   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02458   456   NtClose  (360, ... ) == 0x0
 02459   456   NtEnumerateKey  (356, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (356, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02460   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 360, ) }, ... 360, ) == 0x0
 02461   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02462   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02463   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02464   456   NtClose  (360, ... ) == 0x0
 02465   456   NtEnumerateKey  (356, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02466   456   NtClose  (356, ... ) == 0x0
 02467   456   NtClose  (352, ... ) == 0x0
 02468   456   NtClose  (348, ... ) == 0x0
 02469   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 348, ) }, ... 348, ) == 0x0
 02470   456   NtEnumerateKey  (348, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (348, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02471   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 0"}, ... 352, ) }, ... 352, ) == 0x0
 02472   456   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 356, ) }, ... 356, ) == 0x0
 02473   456   NtEnumerateKey  (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02474   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 360, ) }, ... 360, ) == 0x0
 02475   456   NtQueryKey  (360, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02476   456   NtEnumerateValueKey  (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (360, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02477   456   NtEnumerateValueKey  (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (360, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02478   456   NtClose  (360, ... ) == 0x0
 02479   456   NtEnumerateKey  (356, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02480   456   NtClose  (356, ... ) == 0x0
 02481   456   NtClose  (352, ... ) == 0x0
 02482   456   NtEnumerateKey  (348, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (348, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02483   456   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "EncodingType 1"}, ... 352, ) }, ... 352, ) == 0x0
 02484   456   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02485   456   NtClose  (352, ... ) == 0x0
 02486   456   NtEnumerateKey  (348, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02487   456   NtClose  (348, ... ) == 0x0
 02488   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0
 02489   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02490   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 348, ... 352, ) == 0x0
 02491   456   NtClose  (348, ... ) == 0x0
 02492   456   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe50000), 0x0, 16384, ) == 0x0
 02493   456   NtClose  (352, ... ) == 0x0
 02494   456   NtUnmapViewOfSection  (-1, 0xe50000, ... ) == 0x0
 02495   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0
 02496   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02497   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 352, ... 348, ) == 0x0
 02498   456   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02499   456   NtClose  (352, ... ) == 0x0
 02500   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02501   456   NtClose  (348, ... ) == 0x0
 02502   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230808, ... ) }, 1230808, ... ) == 0x0
 02503   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02504   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15138816, 1048576, ) == 0x0
 02505   456   NtAllocateVirtualMemory  (-1, 16179200, 0, 8192, 4096, 4, ... 16179200, 8192, ) == 0x0
 02506   456   NtProtectVirtualMemory  (-1, (0xf6e000), 4096, 260, ... (0xf6e000), 4096, 4, ) == 0x0
 02507   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1232756, 1233472, 1, ... 352, {440, 1648}, ) == 0x0
 02508   456   NtQueryInformationThread  (352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=440,Tid=1648,}, 0x0, ) == 0x0
 02509   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0`\1\0\0\270\1\0\0p\6\0\0" ... {28, 56, reply, 0, 440, 456, 2290, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0`\1\0\0\270\1\0\0p\6\0\0" )  ... {28, 56, reply, 0, 440, 456, 2290, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0`\1\0\0\270\1\0\0p\6\0\0" ... {28, 56, reply, 0, 440, 456, 2290, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0`\1\0\0\270\1\0\0p\6\0\0" )  ) == 0x0
 02510   456   NtResumeThread  (352, ... 1, ) == 0x0
 02511   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 356, ) }, ... 356, ) == 0x0
 02512   456   NtEnumerateKey  (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02513   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "EncodingType 0"}, ... }, ...
 02514  1648   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02515  1648   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02516  1648   NtTestAlert  (... ) == 0x0
 02517  1648   NtContinue  (16186672, 1, ...
 02518  1648   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02519  1648   NtWaitForMultipleObjects  (1, (348, ), 1, 0, {-150000000, -1}, ...
 02513   456   NtOpenKey  ... 360, ) == 0x0
 02520   456   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 364, ) }, ... 364, ) == 0x0
 02521   456   NtEnumerateKey  (364, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (364, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02522   456   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 368, ) }, ... 368, ) == 0x0
 02523   456   NtQueryKey  (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02524   456   NtEnumerateValueKey  (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02525   456   NtEnumerateValueKey  (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02526   456   NtClose  (368, ... ) == 0x0
 02527   456   NtEnumerateKey  (364, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (364, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02528   456   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 368, ) }, ... 368, ) == 0x0
 02529   456   NtQueryKey  (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02530   456   NtEnumerateValueKey  (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02531   456   NtEnumerateValueKey  (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02532   456   NtClose  (368, ... ) == 0x0
 02533   456   NtEnumerateKey  (364, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (364, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02534   456   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 368, ) }, ... 368, ) == 0x0
 02535   456   NtQueryKey  (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02536   456   NtEnumerateValueKey  (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02537   456   NtEnumerateValueKey  (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02538   456   NtClose  (368, ... ) == 0x0
 02539   456   NtEnumerateKey  (364, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (364, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02540   456   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 368, ) }, ... 368, ) == 0x0
 02541   456   NtQueryKey  (368, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02542   456   NtEnumerateValueKey  (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02543   456   NtEnumerateValueKey  (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02544   456   NtClose  (368, ... ) == 0x0
 02545   456   NtEnumerateKey  (364, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02546   456   NtClose  (364, ... ) == 0x0
 02547   456   NtClose  (360, ... ) == 0x0
 02548   456   NtEnumerateKey  (356, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (356, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02549   456   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "EncodingType 1"}, ... 360, ) }, ... 360, ) == 0x0
 02550   456   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02551   456   NtClose  (360, ... ) == 0x0
 02552   456   NtEnumerateKey  (356, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02553   456   NtClose  (356, ... ) == 0x0
 02554   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02555   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02556   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02557   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == 0x0
 02558   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0
 02559   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 356, ... 360, ) == 0x0
 02560   456   NtQuerySection  (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02561   456   NtClose  (356, ... ) == 0x0
 02562   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02563   456   NtClose  (360, ... ) == 0x0
 02564   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02565   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0
 02566   456   NtAllocateVirtualMemory  (-1, 15007744, 0, 4096, 4096, 4, ... 15007744, 4096, ) == 0x0
 02567   456   NtAllocateVirtualMemory  (-1, 15011840, 0, 8192, 4096, 4, ... 15011840, 8192, ) == 0x0
 02568   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231128, ... ) }, 1231128, ... ) == 0x0
 02569   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02570   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 360, ... 356, ) == 0x0
 02571   456   NtClose  (360, ... ) == 0x0
 02572   456   NtMapViewOfSection  (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf70000), 0x0, 262144, ) == 0x0
 02573   456   NtClose  (356, ... ) == 0x0
 02574   456   NtUnmapViewOfSection  (-1, 0xf70000, ... ) == 0x0
 02575   456   NtAllocateLocallyUniqueId  (... {104990, 0}, ) == 0x0
 02576   456   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02577   456   NtOpenProcessToken  (-1, 0x20008, ... 356, ) == 0x0
 02578   456   NtQueryInformationToken  (356, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02579   456   NtClose  (356, ... ) == 0x0
 02580   456   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232448, 0,  (0xf0007, {24, 52, 0x80, 1232448, 0, "DfSharedHeap19A1E"}, {4194304, 0}, 4, 67108864, 0, ... 356, ) }, {4194304, 0}, 4, 67108864, 0, ... 356, ) == 0x0
 02581   456   NtMapViewOfSection  (356, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xf70000), {0, 0}, 4194304, ) == 0x0
 02582   456   NtAllocateVirtualMemory  (-1, 16187392, 0, 16376, 4096, 4, ... 16187392, 16384, ) == 0x0
 02583   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229964,  (0x80100080, {24, 0, 0x40, 0, 1229964, "\??\UNC\missouri\binaries\work\kdaney.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) == 0x0
 02584   456   NtReadFile  (360, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=122},  (360, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=122}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del kdaney.bat\15\12", ) , ) == 0x0
 02585   456   NtClose  (360, ... ) == 0x0
 02586   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0
 02587   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02588   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 360, ... 364, ) == 0x0
 02589   456   NtClose  (360, ... ) == 0x0
 02590   456   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 69632, ) == 0x0
 02591   456   NtClose  (364, ... ) == 0x0
 02592   456   NtUnmapViewOfSection  (-1, 0x1370000, ... ) == 0x0
 02593   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0
 02594   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02595   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0
 02596   456   NtQuerySection  (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02597   456   NtClose  (364, ... ) == 0x0
 02598   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02599   456   NtClose  (360, ... ) == 0x0
 02600   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 360, ) }, ... 360, ) == 0x0
 02601   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02602   456   NtClose  (360, ... ) == 0x0
 02603   456   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02604   456   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02605   456   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02606   456   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02607   456   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02608   456   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02609   456   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02610   456   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02611   456   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02612   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02613   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02614   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02615   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02616   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02617   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02618   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02619   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02620   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02621   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02622   456   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02623   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02624   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02625   456   NtOpenProcessToken  (-1, 0x8, ... 360, ) == 0x0
 02626   456   NtQueryInformationToken  (360, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02627   456   NtClose  (360, ... ) == 0x0
 02628   456   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02629   456   NtReleaseMutant  (16, ...
 02630   456   NtContinue  (-136216440, 0, ...
 02629   456   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02631   456   NtQueryDefaultLocale  (1, 1230228, ... ) == 0x0
 02632   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02633   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02634   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02636   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02637   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02638   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02639   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02641   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02642   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02643   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02645   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02646   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02647   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02648   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02649   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02650   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02651   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02652   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02653   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02654   456   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02655   456   NtReleaseMutant  (16, ...
 02656   456   NtContinue  (-136216440, 0, ...
 02655   456   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02657   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02658   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02659   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02660   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02661   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02662   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02663   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02664   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02665   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02666   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02667   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02668   456   NtClose  (320, ... ) == 0x0
 02669   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 02670   456   NtQueryValueKey  (320,  (320, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02671   456   NtClose  (320, ... ) == 0x0
 02672   456   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02673   456   NtOpenProcessToken  (-1, 0x2000a, ... 320, ) == 0x0
 02674   456   NtQueryInformationToken  (320, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02675   456   NtQueryInformationToken  (320, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02676   456   NtClose  (320, ... ) == 0x0
 02677   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02678   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 02679   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 02680   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02681   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 320, ) }, ... 320, ) == 0x0
 02682   456   NtQueryValueKey  (320,  (320, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02683   456   NtClose  (320, ... ) == 0x0
 02684   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 02685   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 02686   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02687   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 320, ) }, ... 320, ) == 0x0
 02688   456   NtQueryValueKey  (320,  (320, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02689   456   NtClose  (320, ... ) == 0x0
 02690   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02691   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02692   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 320, ) }, ... 320, ) == 0x0
 02693   456   NtQueryKey  (322, Name, 392, ... {Name= (322, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02694   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02695   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02696   456   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02697   456   NtClose  (360, ... ) == 0x0
 02698   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02699   456   NtQueryValueKey  (322, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (322, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02700   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230836, ... ) }, 1230836, ... ) == 0x0
 02701   456   NtClose  (322, ... ) == 0x0
 02702   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02703   456   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 320, {status=0x0, info=1}, ) }, 3, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02704   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 360, ) }, ... 360, ) == 0x0
 02705   456   NtQuerySymbolicLinkObject  (360, ...  (360, ... "\Device\WinDfs\U:0000000000009212", 66, ) , 66, ) == 0x0
 02706   456   NtClose  (360, ... ) == 0x0
 02707   456   NtQueryVolumeInformationFile  (320, 1234188, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02708   456   NtClose  (320, ... ) == 0x0
 02709   456   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02710   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 320, ) }, ... 320, ) == 0x0
 02711   456   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 360, ) }, ... 360, ) == 0x0
 02712   456   NtQueryValueKey  (360,  (360, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02713   456   NtQueryValueKey  (360,  (360, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02714   456   NtClose  (360, ... ) == 0x0
 02715   456   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 360, ) }, ... 360, ) == 0x0
 02716   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02717   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02718   456   NtQueryValueKey  (360,  (360, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02719   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02720   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02721   456   NtClose  (360, ... ) == 0x0
 02722   456   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 360, ) }, ... 360, ) == 0x0
 02723   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02724   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02725   456   NtQueryValueKey  (360,  (360, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02726   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02727   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02728   456   NtClose  (360, ... ) == 0x0
 02729   456   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 360, ) }, ... 360, ) == 0x0
 02730   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02731   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02732   456   NtQueryValueKey  (360,  (360, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02733   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02734   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02735   456   NtClose  (360, ... ) == 0x0
 02736   456   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 360, ) }, ... 360, ) == 0x0
 02737   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02738   456   NtQueryValueKey  (360,  (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02739   456   NtQueryValueKey  (360,  (360, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02741   456   NtQueryValueKey  (360,  (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (360, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02742   456   NtClose  (360, ... ) == 0x0
 02743   456   NtClose  (320, ... ) == 0x0
 02744   456   NtQueryDefaultLocale  (1, 1233740, ... ) == 0x0
 02745   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 02746   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02747   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 360, ) == 0x0
 02748   456   NtClose  (320, ... ) == 0x0
 02749   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 12288, ) == 0x0
 02750   456   NtClose  (360, ... ) == 0x0
 02751   456   NtUnmapViewOfSection  (-1, 0x1370000, ... ) == 0x0
 02752   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 02753   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02754   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ... 320, ) == 0x0
 02755   456   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02756   456   NtClose  (360, ... ) == 0x0
 02757   456   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02758   456   NtClose  (320, ... ) == 0x0
 02759   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02760   456   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02761   456   NtClose  (320, ... ) == 0x0
 02762   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 02763   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02764   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 360, ) == 0x0
 02765   456   NtClose  (320, ... ) == 0x0
 02766   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 40960, ) == 0x0
 02767   456   NtClose  (360, ... ) == 0x0
 02768   456   NtUnmapViewOfSection  (-1, 0x1370000, ... ) == 0x0
 02769   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 02770   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02771   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ... 320, ) == 0x0
 02772   456   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02773   456   NtClose  (360, ... ) == 0x0
 02774   456   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02775   456   NtClose  (320, ... ) == 0x0
 02776   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02777   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0
 02778   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02779   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 360, ) == 0x0
 02780   456   NtQuerySection  (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02781   456   NtClose  (320, ... ) == 0x0
 02782   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02783   456   NtClose  (360, ... ) == 0x0
 02784   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0
 02786   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02787   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ... 320, ) == 0x0
 02788   456   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02789   456   NtClose  (360, ... ) == 0x0
 02790   456   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02791   456   NtClose  (320, ... ) == 0x0
 02792   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02793   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0
 02794   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02795   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 360, ) == 0x0
 02796   456   NtQuerySection  (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02797   456   NtClose  (320, ... ) == 0x0
 02798   456   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02799   456   NtClose  (360, ... ) == 0x0
 02800   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02801   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0
 02802   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02803   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ... 320, ) == 0x0
 02804   456   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02805   456   NtClose  (360, ... ) == 0x0
 02806   456   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02807   456   NtClose  (320, ... ) == 0x0
 02808   456   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 320, ) }, ... 320, ) == 0x0
 02809   456   NtQueryValueKey  (320,  (320, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   456   NtAllocateVirtualMemory  (-1, 3313664, 0, 4096, 4096, 4, ... 3313664, 4096, ) == 0x0
 02811   456   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 360, ) == 0x0
 02812   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 02813   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02814   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 368, ) == 0x0
 02815   456   NtClose  (364, ... ) == 0x0
 02816   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 24576, ) == 0x0
 02817   456   NtClose  (368, ... ) == 0x0
 02818   456   NtUnmapViewOfSection  (-1, 0x1370000, ... ) == 0x0
 02819   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 02820   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02821   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 364, ) == 0x0
 02822   456   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02823   456   NtClose  (368, ... ) == 0x0
 02824   456   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02825   456   NtClose  (364, ... ) == 0x0
 02826   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 364, ) }, ... 364, ) == 0x0
 02827   456   NtQueryValueKey  (364,  (364, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02828   456   NtClose  (364, ... ) == 0x0
 02829   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02830   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02831   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02832   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02833   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == 0x0
 02834   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02835   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 368, ) == 0x0
 02836   456   NtClose  (364, ... ) == 0x0
 02837   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 122880, ) == 0x0
 02838   456   NtClose  (368, ... ) == 0x0
 02839   456   NtUnmapViewOfSection  (-1, 0x1370000, ... ) == 0x0
 02840   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02841   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02842   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02843   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02844   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == 0x0
 02845   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02846   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 364, ) == 0x0
 02847   456   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02848   456   NtClose  (368, ... ) == 0x0
 02849   456   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1370000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE
 02850   456   NtProtectVirtualMemory  (-1, (0x1371000), 81920, 4, ... (0x1371000), 81920, 32, ) == 0x0
 02851   456   NtProtectVirtualMemory  (-1, (0x1385000), 12288, 4, ... (0x1385000), 12288, 2, ) == 0x0
 02852   456   NtProtectVirtualMemory  (-1, (0x138e000), 8192, 4, ... (0x138e000), 8192, 2, ) == 0x0
 02853   456   NtMapViewOfSection  (364, -1, (0x1370000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 02854   456   NtProtectVirtualMemory  (-1, (0x1371000), 81920, 16, ... (0x1371000), 81920, 4, ) == 0x0
 02855   456   NtProtectVirtualMemory  (-1, (0x1385000), 12288, 2, ... (0x1385000), 12288, 4, ) == 0x0
 02856   456   NtProtectVirtualMemory  (-1, (0x138e000), 8192, 2, ... (0x138e000), 8192, 8, ) == 0x0
 02857   456   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 02858   456   NtClose  (364, ... ) == 0x0
 02859   456   NtProtectVirtualMemory  (-1, (0x1385000), 416, 4, ... (0x1385000), 4096, 2, ) == 0x0
 02860   456   NtProtectVirtualMemory  (-1, (0x1385000), 4096, 2, ... (0x1385000), 4096, 4, ) == 0x0
 02861   456   NtFlushInstructionCache  (-1, 20467712, 416, ... ) == 0x0
 02862   456   NtProtectVirtualMemory  (-1, (0x1385000), 416, 4, ... (0x1385000), 4096, 2, ) == 0x0
 02863   456   NtProtectVirtualMemory  (-1, (0x1385000), 4096, 2, ... (0x1385000), 4096, 4, ) == 0x0
 02864   456   NtFlushInstructionCache  (-1, 20467712, 416, ... ) == 0x0
 02865   456   NtProtectVirtualMemory  (-1, (0x1385000), 416, 4, ... (0x1385000), 4096, 2, ) == 0x0
 02866   456   NtProtectVirtualMemory  (-1, (0x1385000), 4096, 2, ... (0x1385000), 4096, 4, ) == 0x0
 02867   456   NtFlushInstructionCache  (-1, 20467712, 416, ... ) == 0x0
 02868   456   NtProtectVirtualMemory  (-1, (0x1385000), 416, 4, ... (0x1385000), 4096, 2, ) == 0x0
 02869   456   NtProtectVirtualMemory  (-1, (0x1385000), 4096, 2, ... (0x1385000), 4096, 4, ) == 0x0
 02870   456   NtFlushInstructionCache  (-1, 20467712, 416, ... ) == 0x0
 02871   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02872   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 20512768, 65536, ) == 0x0
 02873   456   NtAllocateVirtualMemory  (-1, 20512768, 0, 4096, 4096, 4, ... 20512768, 4096, ) == 0x0
 02874   456   NtAllocateVirtualMemory  (-1, 20516864, 0, 8192, 4096, 4, ... 20516864, 8192, ) == 0x0
 02875   456   NtAllocateVirtualMemory  (-1, 20525056, 0, 4096, 4096, 4, ... 20525056, 4096, ) == 0x0
 02876   456   NtQueryPerformanceCounter  (... {205261295, 0}, {3579545, 0}, ) == 0x0
 02877   456   NtRaiseException  (1231552, 1230812, 1, ...
 02878   456   NtContinue  (1229608, 0, ...
 02879   456   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 364, ) }, ... 364, ) == 0x0
 02880   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02881   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02882   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02883   456   NtRaiseException  (1221528, 1220788, 1, ...
 02884   456   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 02885   456   NtContinue  (1219584, 0, ...
 02886   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02887   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02888   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02889   456   NtRaiseException  (1223288, 1222548, 1, ...
 02890   456   NtContinue  (1221344, 0, ...
 02891   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02892   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02893   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02894   456   NtRaiseException  (1223292, 1222552, 1, ...
 02895   456   NtContinue  (1221348, 0, ...
 02896   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02897   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02899   456   NtRaiseException  (1223288, 1222548, 1, ...
 02900   456   NtContinue  (1221344, 0, ...
 02901   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02902   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02903   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02904   456   NtRaiseException  (1223292, 1222552, 1, ...
 02905   456   NtContinue  (1221348, 0, ...
 02906   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02907   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02908   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02909   456   NtRaiseException  (1223288, 1222548, 1, ...
 02910   456   NtContinue  (1221344, 0, ...
 02911   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02912   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02913   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02914   456   NtRaiseException  (1223292, 1222552, 1, ...
 02915   456   NtContinue  (1221348, 0, ...
 02916   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02917   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02918   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02919   456   NtRaiseException  (1223288, 1222548, 1, ...
 02920   456   NtContinue  (1221344, 0, ...
 02921   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02922   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02923   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02924   456   NtRaiseException  (1223292, 1222552, 1, ...
 02925   456   NtContinue  (1221348, 0, ...
 02926   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02927   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02928   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02929   456   NtRaiseException  (1223288, 1222548, 1, ...
 02930   456   NtContinue  (1221344, 0, ...
 02931   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02932   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02933   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02934   456   NtRaiseException  (1223292, 1222552, 1, ...
 02935   456   NtContinue  (1221348, 0, ...
 02936   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02937   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02938   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02939   456   NtRaiseException  (1223288, 1222548, 1, ...
 02940   456   NtContinue  (1221344, 0, ...
 02941   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02942   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02943   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02944   456   NtRaiseException  (1223292, 1222552, 1, ...
 02945   456   NtContinue  (1221348, 0, ...
 02946   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02947   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02948   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02949   456   NtRaiseException  (1223288, 1222548, 1, ...
 02950   456   NtContinue  (1221344, 0, ...
 02951   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02952   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02953   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02954   456   NtRaiseException  (1223292, 1222552, 1, ...
 02955   456   NtContinue  (1221348, 0, ...
 02956   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02957   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02958   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02959   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 02960   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 368, ) == 0x0
 02961   456   NtQueryInformationProcess  (368, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02962   456   NtClose  (368, ... ) == 0x0
 02963   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 02964   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02965   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 368, ) == 0x0
 02966   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02967   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02968   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230768,  (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 02969   456   NtSetInformationFile  (372, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02970   456   NtSetInformationFile  (372, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02971   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02972   456   NtWriteFile  (372, 173, 0, 0,  (372, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02973   456   NtReadFile  (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02974   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02975   456   NtClose  (368, ... ) == 0x0
 02976   456   NtClose  (372, ... ) == 0x0
 02977   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02978   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0
 02979   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02980   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02981   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230768,  (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 368, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 368, {status=0x0, info=1}, ) == 0x0
 02982   456   NtSetInformationFile  (368, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02983   456   NtSetInformationFile  (368, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02984   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02985   456   NtWriteFile  (368, 173, 0, 0,  (368, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02986   456   NtReadFile  (368, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (368, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20J\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02987   456   NtFsControlFile  (368, 173, 0x0, 0x0, 0x11c017,  (368, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20J\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (368, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20J\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02988   456   NtClose  (372, ... ) == 0x0
 02989   456   NtClose  (368, ... ) == 0x0
 02990   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 02991   456   NtQueryKey  (368, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02992   456   NtQuerySecurityObject  (368, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02993   456   NtQuerySecurityObject  (368, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02994   456   NtQueryValueKey  (368,  (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02995   456   NtClose  (368, ... ) == 0x0
 02996   456   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 368, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 368, {status=0x0, info=1}, ) == 0x0
 02997   456   NtFsControlFile  (368, 0, 0x0, 0x0, 0x600bc,  (368, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (368, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02998   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02999   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0
 03000   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03001   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03002   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232208,  (0xc0100080, {24, 0, 0x40, 0, 1232208, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 03003   456   NtSetInformationFile  (376, 1232264, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03004   456   NtSetInformationFile  (376, 1232256, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03005   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03006   456   NtWriteFile  (376, 173, 0, 0,  (376, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03007   456   NtReadFile  (376, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03008   456   NtFsControlFile  (376, 173, 0x0, 0x0, 0x11c017,  (376, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (376, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03009   456   NtClose  (372, ... ) == 0x0
 03010   456   NtClose  (376, ... ) == 0x0
 03011   456   NtWaitForSingleObject  (360, 0, {-70000000, -1}, ... ) == 0x0
 03012   456   NtReleaseSemaphore  (360, 1, ... 0x0, ) == 0x0
 03013   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 03014   456   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 03015   456   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 03016   456   NtClose  (376, ... ) == 0x0
 03017   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03018   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03019   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03020   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03021   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232244,  (0xc0100080, {24, 0, 0x40, 0, 1232244, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03022   456   NtSetInformationFile  (372, 1232300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03023   456   NtSetInformationFile  (372, 1232292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03024   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03025   456   NtWriteFile  (372, 173, 0, 0,  (372, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03026   456   NtReadFile  (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (372, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03027   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\373\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03028   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03029   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03030   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03031   456   NtFsControlFile  (372, 173, 0x0, 0x0, 0x11c017,  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (372, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\333\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03032   456   NtClose  (376, ... ) == 0x0
 03033   456   NtClose  (372, ... ) == 0x0
 03034   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03035   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03036   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03037   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03038   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == 0x0
 03039   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 372, ) }, ... 372, ) == 0x0
 03040   456   NtQueryValueKey  (372,  (372, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 03041   456   NtClose  (372, ... ) == 0x0
 03042   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 372, ) }, ... 372, ) == 0x0
 03043   456   NtQueryValueKey  (372,  (372, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 03044   456   NtClose  (372, ... ) == 0x0
 03045   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 372, ) }, ... 372, ) == 0x0
 03046   456   NtQueryValueKey  (372,  (372, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03047   456   NtClose  (372, ... ) == 0x0
 03048   456   NtRaiseException  (1222212, 1221472, 1, ...
 03049   456   NtContinue  (1220268, 0, ...
 03050   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03051   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03052   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03053   456   NtRaiseException  (1222208, 1221468, 1, ...
 03054   456   NtContinue  (1220264, 0, ...
 03055   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03056   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03057   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03058   456   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1232876, 0,  (0x1f0001, {24, 52, 0x80, 1232876, 0, "HGFSMUTEX"}, 1, ... 372, ) }, 1, ... 372, ) == 0x0
 03059   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03060   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03061   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03062   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1229896, ... ) }, 1229896, ... ) == 0x0
 03063   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 376, {status=0x0, info=1}, ) }, 5, 96, ... 376, {status=0x0, info=1}, ) == 0x0
 03064   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 376, ... 380, ) == 0x0
 03065   456   NtQuerySection  (380, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03066   456   NtClose  (376, ... ) == 0x0
 03067   456   NtMapViewOfSection  (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 03068   456   NtClose  (380, ... ) == 0x0
 03069   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03070   456   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329880, 0,  (0x1f0003, {24, 52, 0x80, 1329880, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 380, ) }, 0, 2147483647, ... 380, ) == STATUS_OBJECT_NAME_EXISTS
 03071   456   NtReleaseSemaphore  (380, 1, ... 0, ) == 0x0
 03072   456   NtWaitForSingleObject  (380, 0, {0, 0}, ... ) == 0x0
 03073   456   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03074   456   NtQueryValueKey  (376,  (376, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 03075   456   NtClose  (376, ... ) == 0x0
 03076   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1230428, ... ) }, 1230428, ... ) == 0x0
 03077   456   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03078   456   NtSetValueKey  (376,  (376, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (376, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 03079   456   NtClose  (376, ... ) == 0x0
 03080   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 03081   456   NtQueryDirectoryFile  (376, 0, 0, 0, 1230568, 616, BothDirectory, 1,  (376, 0, 0, 0, 1230568, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 03082   456   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 03083   456   NtRaiseException  (1221848, 1221108, 1, ...
 03084   456   NtContinue  (1219904, 0, ...
 03085   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03086   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03087   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03088   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232876, 1232452,  (0xc0100080, {24, 0, 0x40, 1232876, 1232452, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0
 03089   456   NtRaiseException  (1221848, 1221108, 1, ...
 03090   456   NtContinue  (1219904, 0, ...
 03091   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03092   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03093   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03094   456   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232876, 0,  (0xf0007, {24, 52, 0x80, 1232876, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 384, ... 388, ) }, {27876, 0}, 4, 134217728, 384, ... 388, ) == 0x0
 03095   456   NtMapViewOfSection  (388, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x13a0000), {0, 0}, 28672, ) == 0x0
 03096   456   NtReleaseMutant  (372, ... 0x0, ) == 0x0
 03097   456   NtRaiseException  (1223264, 1222524, 1, ...
 03098   456   NtContinue  (1221320, 0, ...
 03099   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03100   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03101   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03102   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233920, 1233508,  (0xc0100080, {24, 0, 0x40, 1233920, 1233508, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 392, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 392, {status=0x0, info=0}, ) == 0x0
 03103   456   NtDeviceIoControlFile  (392, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (392, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 03104   456   NtClose  (392, ... ) == 0x0
 03105   456   NtRaiseException  (1223244, 1222504, 1, ...
 03106   456   NtContinue  (1221300, 0, ...
 03107   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03108   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03109   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03110   456   NtRaiseException  (1223264, 1222524, 1, ...
 03111   456   NtContinue  (1221320, 0, ...
 03112   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03113   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03114   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03115   456   NtAllocateVirtualMemory  (-1, 1490944, 0, 20480, 4096, 4, ... 1490944, 20480, ) == 0x0
 03116   456   NtAllocateVirtualMemory  (-1, 1511424, 0, 20480, 4096, 4, ... 1511424, 20480, ) == 0x0
 03117   456   NtWaitForSingleObject  (360, 0, {-70000000, -1}, ... ) == 0x0
 03118   456   NtReleaseSemaphore  (360, 1, ... 0x0, ) == 0x0
 03119   456   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 392, ) }, ... 392, ) == 0x0
 03120   456   NtWaitForSingleObject  (392, 0, {-1800000000, -1}, ... ) == 0x0
 03121   456   NtClose  (392, ... ) == 0x0
 03122   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03123   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 03124   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03125   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03126   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232184,  (0xc0100080, {24, 0, 0x40, 0, 1232184, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0
 03127   456   NtSetInformationFile  (396, 1232240, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03128   456   NtSetInformationFile  (396, 1232232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03129   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03130   456   NtWriteFile  (396, 173, 0, 0,  (396, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03131   456   NtReadFile  (396, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (396, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03132   456   NtFsControlFile  (396, 173, 0x0, 0x0, 0x11c017,  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374\33\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03133   456   NtFsControlFile  (396, 173, 0x0, 0x0, 0x11c017,  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03134   456   NtFsControlFile  (396, 173, 0x0, 0x0, 0x11c017,  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03135   456   NtFsControlFile  (396, 173, 0x0, 0x0, 0x11c017,  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03136   456   NtFsControlFile  (396, 173, 0x0, 0x0, 0x11c017,  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (396, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\335\202P\262\206j\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03137   456   NtClose  (392, ... ) == 0x0
 03138   456   NtClose  (396, ... ) == 0x0
 03139   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03140   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 03141   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03142   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03143   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232276,  (0xc0100080, {24, 0, 0x40, 0, 1232276, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 03144   456   NtSetInformationFile  (392, 1232332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03145   456   NtSetInformationFile  (392, 1232324, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03146   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03147   456   NtWriteFile  (392, 173, 0, 0,  (392, 173, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03148   456   NtReadFile  (392, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (392, 173, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20y \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03149   456   NtFsControlFile  (392, 173, 0x0, 0x0, 0x11c017,  (392, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20y \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (392, 173, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20y \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03150   456   NtClose  (396, ... ) == 0x0
 03151   456   NtClose  (392, ... ) == 0x0
 03152   456   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0
 03153   456   NtSetValueKey  (392,  (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03154   456   NtClose  (392, ... ) == 0x0
 03155   456   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 392, ) }, ... 392, ) == 0x0
 03156   456   NtQueryValueKey  (392,  (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03157   456   NtClose  (392, ... ) == 0x0
 03158   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03160   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03161   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03162   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03163   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03164   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03166   456   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0
 03167   456   NtSetValueKey  (392,  (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (392, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03168   456   NtClose  (392, ... ) == 0x0
 03169   456   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 392, ) }, ... 392, ) == 0x0
 03170   456   NtQueryValueKey  (392,  (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03171   456   NtClose  (392, ... ) == 0x0
 03172   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03173   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03174   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03177   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03178   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03179   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03180   456   NtWaitForSingleObject  (360, 0, {-70000000, -1}, ... ) == 0x0
 03181   456   NtReleaseSemaphore  (360, 1, ... 0x0, ) == 0x0
 03182   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03183   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03184   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03185   456   NtClose  (392, ... ) == 0x0
 03186   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0
 03187   456   NtOpenKey  (0x20019, {24, 392, 0x40, 0, 0,  (0x20019, {24, 392, 0x40, 0, 0, "Network"}, ... 396, ) }, ... 396, ) == 0x0
 03188   456   NtClose  (392, ... ) == 0x0
 03189   456   NtQueryKey  (396, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (396, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03190   456   NtQuerySecurityObject  (396, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03191   456   NtQuerySecurityObject  (396, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03192   456   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03193   456   NtEnumerateKey  (396, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (396, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03194   456   NtOpenKey  (0x2001f, {24, 396, 0x40, 0, 0,  (0x2001f, {24, 396, 0x40, 0, 0, "f"}, ... 392, ) }, ... 392, ) == 0x0
 03195   456   NtQueryValueKey  (392,  (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03196   456   NtQueryValueKey  (392,  (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03197   456   NtQueryValueKey  (392,  (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03198   456   NtQueryValueKey  (392,  (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03199   456   NtQueryValueKey  (392,  (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03200   456   NtQueryValueKey  (392,  (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03201   456   NtQueryValueKey  (392,  (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03202   456   NtClose  (392, ... ) == 0x0
 03203   456   NtEnumerateKey  (396, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (396, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03204   456   NtOpenKey  (0x2001f, {24, 396, 0x40, 0, 0,  (0x2001f, {24, 396, 0x40, 0, 0, "u"}, ... 392, ) }, ... 392, ) == 0x0
 03205   456   NtQueryValueKey  (392,  (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03206   456   NtQueryValueKey  (392,  (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03207   456   NtQueryValueKey  (392,  (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03208   456   NtQueryValueKey  (392,  (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03209   456   NtQueryValueKey  (392,  (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03210   456   NtQueryValueKey  (392,  (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03211   456   NtQueryValueKey  (392,  (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03212   456   NtClose  (392, ... ) == 0x0
 03213   456   NtClose  (396, ... ) == 0x0
 03214   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03215   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03216   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03217   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03218   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03219   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03220   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 396, ) }, ... 396, ) == 0x0
 03221   456   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03222   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03223   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03224   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03225   456   NtClose  (392, ... ) == 0x0
 03226   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03227   456   NtEnumerateKey  (398, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (398, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03228   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03229   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03230   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 392, ) }, ... 392, ) == 0x0
 03231   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03232   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03233   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 03234   456   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03235   456   NtClose  (400, ... ) == 0x0
 03236   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03237   456   NtQueryValueKey  (394,  (394, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (394, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03238   456   NtClose  (394, ... ) == 0x0
 03239   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03240   456   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 392, {status=0x0, info=1}, ) }, 3, 96, ... 392, {status=0x0, info=1}, ) == 0x0
 03241   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 400, ) }, ... 400, ) == 0x0
 03242   456   NtQuerySymbolicLinkObject  (400, ...  (400, ... "\Device\WinDfs\U:0000000000009212", 66, ) , 66, ) == 0x0
 03243   456   NtClose  (400, ... ) == 0x0
 03244   456   NtQueryVolumeInformationFile  (392, 1233596, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03245   456   NtClose  (392, ... ) == 0x0
 03246   456   NtEnumerateKey  (398, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03247   456   NtClose  (398, ... ) == 0x0
 03248   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0
 03249   456   NtQueryDirectoryFile  (396, 0, 0, 0, 1232384, 616, BothDirectory, 1,  (396, 0, 0, 0, 1232384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03250   456   NtClose  (396, ... ) == 0x0
 03251   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03252   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03253   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 396, ) }, ... 396, ) == 0x0
 03254   456   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03255   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03256   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03257   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03258   456   NtClose  (392, ... ) == 0x0
 03259   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03260   456   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03261   456   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03262   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03263   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03264   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03265   456   NtClose  (392, ... ) == 0x0
 03266   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03267   456   NtOpenKey  (0x2000000, {24, 398, 0x40, 0, 0, ""}, ... 392, ) == 0x0
 03268   456   NtClose  (398, ... ) == 0x0
 03269   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03270   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03271   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03273   456   NtQueryValueKey  (396,  (396, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03274   456   NtClose  (396, ... ) == 0x0
 03275   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03276   456   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0, ""}, ... 396, ) == 0x0
 03277   456   NtQueryValueKey  (396,  (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03278   456   NtQueryValueKey  (396,  (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (396, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03279   456   NtClose  (396, ... ) == 0x0
 03280   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03281   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03282   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03283   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03284   456   NtQueryValueKey  (396,  (396, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03285   456   NtClose  (396, ... ) == 0x0
 03286   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03287   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03288   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03289   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03290   456   NtQueryValueKey  (396,  (396, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03291   456   NtClose  (396, ... ) == 0x0
 03292   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03293   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03294   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03295   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03296   456   NtQueryValueKey  (396,  (396, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03297   456   NtClose  (396, ... ) == 0x0
 03298   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03299   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03300   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03302   456   NtQueryValueKey  (396,  (396, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   456   NtClose  (396, ... ) == 0x0
 03304   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03305   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03306   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03307   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03308   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03309   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03310   456   NtQueryValueKey  (396,  (396, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03311   456   NtClose  (396, ... ) == 0x0
 03312   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03313   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03314   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03315   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03316   456   NtQueryValueKey  (396,  (396, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03317   456   NtClose  (396, ... ) == 0x0
 03318   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03319   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03320   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03321   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 396, ) }, ... 396, ) == 0x0
 03322   456   NtQueryValueKey  (396,  (396, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03323   456   NtClose  (396, ... ) == 0x0
 03324   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03325   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03326   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03327   456   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "Advanced"}, ... 396, ) }, ... 396, ) == 0x0
 03328   456   NtQueryValueKey  (396,  (396, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03329   456   NtQueryValueKey  (396,  (396, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03330   456   NtQueryValueKey  (396,  (396, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03331   456   NtQueryValueKey  (396,  (396, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03332   456   NtQueryValueKey  (396,  (396, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03333   456   NtQueryValueKey  (396,  (396, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03334   456   NtQueryValueKey  (396,  (396, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03335   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03336   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03337   456   NtQueryValueKey  (396,  (396, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03338   456   NtQueryValueKey  (396,  (396, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03339   456   NtQueryValueKey  (396,  (396, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03340   456   NtQueryValueKey  (396,  (396, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03341   456   NtQueryValueKey  (396,  (396, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03342   456   NtClose  (396, ... ) == 0x0
 03343   456   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329880, 0,  (0x1f0003, {24, 52, 0x80, 1329880, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 396, ) }, 0, 2147483647, ... 396, ) == STATUS_OBJECT_NAME_EXISTS
 03344   456   NtReleaseSemaphore  (396, 1, ... 0, ) == 0x0
 03345   456   NtWaitForSingleObject  (396, 0, {0, 0}, ... ) == 0x0
 03346   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03347   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03348   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 03349   456   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03350   456   NtClose  (400, ... ) == 0x0
 03351   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03352   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03353   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03354   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03355   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 03356   456   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03357   456   NtClose  (400, ... ) == 0x0
 03358   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03359   456   NtQueryValueKey  (394,  (394, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03360   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03361   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03362   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 03363   456   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03364   456   NtClose  (400, ... ) == 0x0
 03365   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03366   456   NtQueryValueKey  (394,  (394, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03367   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03368   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03369   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 03370   456   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03371   456   NtClose  (400, ... ) == 0x0
 03372   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03373   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03374   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03375   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03376   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 400, ) }, ... 400, ) == 0x0
 03377   456   NtQueryKey  (402, Name, 384, ... {Name= (402, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03378   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03379   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03380   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03381   456   NtClose  (404, ... ) == 0x0
 03382   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03383   456   NtOpenKey  (0x1, {24, 402, 0x40, 0, 0,  (0x1, {24, 402, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03384   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03385   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03386   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03387   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03388   456   NtClose  (404, ... ) == 0x0
 03389   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03390   456   NtQueryValueKey  (394,  (394, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03391   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03392   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03393   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03394   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03395   456   NtClose  (404, ... ) == 0x0
 03396   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03397   456   NtQueryValueKey  (394,  (394, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03398   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03399   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03400   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03401   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03402   456   NtClose  (404, ... ) == 0x0
 03403   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03404   456   NtQueryValueKey  (394,  (394, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03405   456   NtClose  (394, ... ) == 0x0
 03406   456   NtClose  (402, ... ) == 0x0
 03407   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 400, {status=0x0, info=1}, ) }, 3, 16417, ... 400, {status=0x0, info=1}, ) == 0x0
 03408   456   NtQueryDirectoryFile  (400, 0, 0, 0, 1232308, 616, BothDirectory, 1,  (400, 0, 0, 0, 1232308, 616, BothDirectory, 1, "kdaney.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03409   456   NtClose  (400, ... ) == 0x0
 03410   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03411   456   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "FileExts"}, ... 400, ) }, ... 400, ) == 0x0
 03412   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03413   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03414   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03415   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03416   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03417   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 392, ) }, ... 392, ) == 0x0
 03418   456   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03419   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03420   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03421   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03422   456   NtClose  (404, ... ) == 0x0
 03423   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03424   456   NtQueryValueKey  (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03425   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03426   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03427   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 404, ) }, ... 404, ) == 0x0
 03428   456   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03429   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03430   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03431   456   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03432   456   NtClose  (408, ... ) == 0x0
 03433   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03434   456   NtOpenKey  (0x1, {24, 406, 0x40, 0, 0,  (0x1, {24, 406, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03435   456   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03436   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03437   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03438   456   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03439   456   NtClose  (408, ... ) == 0x0
 03440   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03441   456   NtOpenKey  (0x2000000, {24, 406, 0x40, 0, 0, ""}, ... 408, ) == 0x0
 03442   456   NtClose  (406, ... ) == 0x0
 03443   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03444   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03445   456   NtReleaseSemaphore  (396, 1, ... 0, ) == 0x0
 03446   456   NtWaitForSingleObject  (396, 0, {0, 0}, ... ) == 0x0
 03447   456   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03448   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03449   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03450   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03451   456   NtClose  (404, ... ) == 0x0
 03452   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03453   456   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03454   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03455   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03456   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03457   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03458   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03459   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 404, ) }, ... 404, ) == 0x0
 03460   456   NtQueryKey  (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03461   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03462   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03463   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03464   456   NtClose  (412, ... ) == 0x0
 03465   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03466   456   NtQueryValueKey  (406,  (406, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03467   456   NtClose  (406, ... ) == 0x0
 03468   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03469   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03470   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03471   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03472   456   NtClose  (404, ... ) == 0x0
 03473   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03474   456   NtQueryValueKey  (410,  (410, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03475   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03476   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03477   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03478   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03479   456   NtClose  (404, ... ) == 0x0
 03480   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03481   456   NtQueryValueKey  (410,  (410, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03482   456   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03483   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03484   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03485   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03486   456   NtClose  (404, ... ) == 0x0
 03487   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488   456   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03489   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03490   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03491   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 404, ) }, ... 404, ) == 0x0
 03492   456   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03493   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03494   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03495   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03496   456   NtClose  (412, ... ) == 0x0
 03497   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03498   456   NtOpenKey  (0x1, {24, 406, 0x40, 0, 0,  (0x1, {24, 406, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03499   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03500   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03501   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03502   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03503   456   NtClose  (412, ... ) == 0x0
 03504   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03505   456   NtQueryValueKey  (410,  (410, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03506   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03507   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03508   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03509   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03510   456   NtClose  (412, ... ) == 0x0
 03511   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03512   456   NtQueryValueKey  (410,  (410, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03513   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03514   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03515   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03516   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03517   456   NtClose  (412, ... ) == 0x0
 03518   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03519   456   NtQueryValueKey  (410,  (410, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03520   456   NtClose  (394, ... ) == 0x0
 03521   456   NtClose  (410, ... ) == 0x0
 03522   456   NtClose  (406, ... ) == 0x0
 03523   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03524   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03525   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03526   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03527   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03528   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03529   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 404, ) }, ... 404, ) == 0x0
 03530   456   NtQueryKey  (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03531   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03532   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03533   456   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03534   456   NtClose  (408, ... ) == 0x0
 03535   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03536   456   NtQueryValueKey  (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03537   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03538   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03539   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 408, ) }, ... 408, ) == 0x0
 03540   456   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03541   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03542   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03543   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03544   456   NtClose  (392, ... ) == 0x0
 03545   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03546   456   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03547   456   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03548   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03549   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03550   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03551   456   NtClose  (392, ... ) == 0x0
 03552   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553   456   NtOpenKey  (0x2000000, {24, 410, 0x40, 0, 0, ""}, ... 392, ) == 0x0
 03554   456   NtClose  (410, ... ) == 0x0
 03555   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03556   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03557   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03558   456   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03559   456   NtClose  (408, ... ) == 0x0
 03560   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03561   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03562   456   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03563   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03564   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03565   456   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03566   456   NtClose  (408, ... ) == 0x0
 03567   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03568   456   NtOpenKey  (0x1, {24, 406, 0x40, 0, 0,  (0x1, {24, 406, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03569   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03570   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03571   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03572   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03573   456   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03574   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0
 03575   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03576   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03577   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03578   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03579   456   NtClose  (412, ... ) == 0x0
 03580   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03581   456   NtQueryValueKey  (410,  (410, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03582   456   NtClose  (410, ... ) == 0x0
 03583   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03584   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03585   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 408, ) }, ... 408, ) == 0x0
 03586   456   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03587   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03588   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03589   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03590   456   NtClose  (412, ... ) == 0x0
 03591   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03592   456   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03593   456   NtClose  (406, ... ) == 0x0
 03594   456   NtClose  (394, ... ) == 0x0
 03595   456   NtClose  (410, ... ) == 0x0
 03596   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03597   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03598   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03599   456   NtOpenKey  (0x2000000, {24, 400, 0x40, 0, 0,  (0x2000000, {24, 400, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03600   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03601   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03602   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0
 03603   456   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03604   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03605   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03606   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03607   456   NtClose  (392, ... ) == 0x0
 03608   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03609   456   NtQueryValueKey  (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03610   456   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03611   456   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03612   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 392, ) }, ... 392, ) == 0x0
 03613   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03614   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03615   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03616   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03617   456   NtClose  (404, ... ) == 0x0
 03618   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03619   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03620   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03621   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03622   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03623   456   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03624   456   NtClose  (404, ... ) == 0x0
 03625   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03626   456   NtOpenKey  (0x2000000, {24, 394, 0x40, 0, 0, ""}, ... 404, ) == 0x0
 03627   456   NtClose  (394, ... ) == 0x0
 03628   456   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03629   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03630   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 03631   456   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03632   456   NtClose  (392, ... ) == 0x0
 03633   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03634   456   NtOpenKey  (0x2000000, {24, 406, 0x40, 0, 0,  (0x2000000, {24, 406, 0x40, 0, 0, "shell\open"}, ... 392, ) }, ... 392, ) == 0x0
 03635   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03636   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03637   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03638   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03639   456   NtClose  (412, ... ) == 0x0
 03640   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03641   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) }, ... 412, ) == 0x0
 03642   456   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03643   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03644   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03645   456   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03646   456   NtClose  (416, ... ) == 0x0
 03647   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03648   456   NtQueryValueKey  (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03649   456   NtClose  (414, ... ) == 0x0
 03650   456   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03651   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03652   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03653   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03654   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03655   456   NtClose  (412, ... ) == 0x0
 03656   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03657   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) }, ... 412, ) == 0x0
 03658   456   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03659   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03660   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03661   456   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03662   456   NtClose  (416, ... ) == 0x0
 03663   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03664   456   NtQueryValueKey  (414,  (414, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03665   456   NtClose  (414, ... ) == 0x0
 03666   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\kdaney.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03667   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03668   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03669   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03670   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03671   456   NtClose  (412, ... ) == 0x0
 03672   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03673   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) }, ... 412, ) == 0x0
 03674   456   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03675   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03676   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03677   456   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03678   456   NtClose  (416, ... ) == 0x0
 03679   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03680   456   NtQueryValueKey  (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03681   456   NtClose  (414, ... ) == 0x0
 03682   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03683   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03684   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03685   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03686   456   NtClose  (412, ... ) == 0x0
 03687   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03688   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03689   456   NtUserGetForegroundWindow  (... ) == 0x2005e
 03690   456   NtQueryKey  (394, Name, 384, ... {Name= (394, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03691   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03692   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03693   456   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03694   456   NtClose  (412, ... ) == 0x0
 03695   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03696   456   NtOpenKey  (0x1, {24, 394, 0x40, 0, 0,  (0x1, {24, 394, 0x40, 0, 0, "command"}, ... 412, ) }, ... 412, ) == 0x0
 03697   456   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03698   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03699   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03700   456   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03701   456   NtClose  (416, ... ) == 0x0
 03702   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03703   456   NtQueryValueKey  (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03704   456   NtClose  (414, ... ) == 0x0
 03705   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03706   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03707   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03708   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) }, ... 412, ) == 0x0
 03709   456   NtQueryValueKey  (412,  (412, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03710   456   NtClose  (412, ... ) == 0x0
 03711   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03712   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03713   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03714   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) }, ... 412, ) == 0x0
 03715   456   NtQueryValueKey  (412,  (412, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03716   456   NtClose  (412, ... ) == 0x0
 03717   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\kdaney.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03718   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03719   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\kdaney.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03720   456   NtReleaseSemaphore  (196, 1, ... 0, ) == 0x0
 03721   456   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x0
 03722   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03723   456   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 412, ) }, ... 412, ) == 0x0
 03724   456   NtQueryValueKey  (412,  (412, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03725   456   NtClose  (412, ... ) == 0x0
 03726   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\kdaney.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03727   456   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03728   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1228792, ... ) }, 1228792, ... ) == 0x0
 03729   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 03730   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03731   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 412, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03732   456   NtQueryVolumeInformationFile  (412, 1228792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03733   456   NtWaitForSingleObject  (208, 0, {-1000000, -1}, ... ) == 0x0
 03734   456   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 03735   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 03736   456   NtQueryInformationFile  (416, 1227380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03737   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 416, ... 420, ) == 0x0
 03738   456   NtMapViewOfSection  (420, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x13b0000), 0x0, 1028096, ) == 0x0
 03739   456   NtQueryInformationFile  (416, 1227476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03740   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03741   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0
 03742   456   NtQueryDirectoryFile  (424, 0, 0, 0, 1225040, 616, BothDirectory, 1,  (424, 0, 0, 0, 1225040, 616, BothDirectory, 1, "kdaney.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03743   456   NtClose  (424, ... ) == 0x0
 03744   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03745   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03746   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1224428, ... ) }, 1224428, ... ) == 0x0
 03747   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0
 03748   456   NtQueryDirectoryFile  (424, 0, 0, 0, 1223788, 616, BothDirectory, 1,  (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03749   456   NtClose  (424, ... ) == 0x0
 03750   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0
 03751   456   NtQueryDirectoryFile  (424, 0, 0, 0, 1223788, 616, BothDirectory, 1,  (424, 0, 0, 0, 1223788, 616, BothDirectory, 1, "kdaney.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03752   456   NtClose  (424, ... ) == 0x0
 03753   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03754   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03755   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03756   456   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 424, {status=0x0, info=1}, ) }, 3, 96, ... 424, {status=0x0, info=1}, ) == 0x0
 03757   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 428, ) }, ... 428, ) == 0x0
 03758   456   NtQuerySymbolicLinkObject  (428, ...  (428, ... "\Device\WinDfs\U:0000000000009212", 66, ) , 66, ) == 0x0
 03759   456   NtClose  (428, ... ) == 0x0
 03760   456   NtQueryVolumeInformationFile  (424, 1225180, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03761   456   NtClose  (424, ... ) == 0x0
 03762   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03763   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 424, ) == 0x0
 03764   456   NtQueryInformationToken  (424, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03765   456   NtClose  (424, ... ) == 0x0
 03766   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03767   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\kdaney.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03768   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03769   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03770   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\kdaney.bat"}, 1226708, ... ) }, 1226708, ... ) == 0x0
 03771   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0
 03772   456   NtQueryDirectoryFile  (424, 0, 0, 0, 1226068, 616, BothDirectory, 1,  (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03773   456   NtClose  (424, ... ) == 0x0
 03774   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 424, {status=0x0, info=1}, ) }, 3, 16417, ... 424, {status=0x0, info=1}, ) == 0x0
 03775   456   NtQueryDirectoryFile  (424, 0, 0, 0, 1226068, 616, BothDirectory, 1,  (424, 0, 0, 0, 1226068, 616, BothDirectory, 1, "kdaney.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03776   456   NtClose  (424, ... ) == 0x0
 03777   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03778   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03779   456   NtWaitForSingleObject  (208, 0, {-1000000, -1}, ... ) == 0x0
 03780   456   NtQueryVolumeInformationFile  (412, 1227352, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03781   456   NtQueryInformationFile  (412, 1227332, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03782   456   NtQueryInformationFile  (412, 1227372, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03783   456   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 03784   456   NtUnmapViewOfSection  (-1, 0x13b0000, ... ) == 0x0
 03785   456   NtClose  (420, ... ) == 0x0
 03786   456   NtClose  (416, ... ) == 0x0
 03787   456   NtClose  (412, ... ) == 0x0
 03788   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03789   456   NtQueryAttributesFile  ({24, 152, 0x40, 0, 0,  ({24, 152, 0x40, 0, 0, "cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03790   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == 0x0
 03791   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 03792   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03793   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 412, ... 416, ) == 0x0
 03794   456   NtQuerySection  (416, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03795   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03796   456   NtCreateProcessEx  (1231420, 2035711, 0, -1, 0, 416, 0, 0, 0, ... ) == 0x0
 03797   456   NtSetInformationProcess  (420, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03798   456   NtQueryInformationProcess  (420, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1684,ParentPid=440,}, 0x0, ) == 0x0
 03799   456   NtReadVirtualMemory  (420, 0x7ffdf008, 4, ...  (420, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03800   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03801   456   NtReadVirtualMemory  (420, 0x4ad00000, 4096, ...  (420, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03802   456   NtReadVirtualMemory  (420, 0x4ad3b000, 256, ...  (420, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03803   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03804   456   NtQueryInformationProcess  (420, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1684,ParentPid=440,}, 0x0, ) == 0x0
 03805   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 03806   456   NtAllocateVirtualMemory  (-1, 0, 0, 1644, 4096, 4, ... 20643840, 4096, ) == 0x0
 03807   456   NtAllocateVirtualMemory  (420, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03808   456   NtWriteVirtualMemory  (420, 0x10000,  (420, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03809   456   NtAllocateVirtualMemory  (420, 0, 0, 1644, 4096, 4, ... 131072, 4096, ) == 0x0
 03810   456   NtWriteVirtualMemory  (420, 0x20000,  (420, 0x20000, "\0\20\0\0l\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0<\0>\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\20\6\0\0\36\0 \0H\6\0\0\0\0\2\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1644, ... 0x0, ) , 1644, ... 0x0, ) == 0x0
 03811   456   NtWriteVirtualMemory  (420, 0x7ffdf010,  (420, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03812   456   NtWriteVirtualMemory  (420, 0x7ffdf1e8,  (420, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03813   456   NtFreeVirtualMemory  (-1, (0x13b0000), 0, 32768, ... (0x13b0000), 4096, ) == 0x0
 03814   456   NtAllocateVirtualMemory  (420, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03815   456   NtAllocateVirtualMemory  (420, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03816   456   NtCreateThread  (0x1f03ff, 0x0, 420, 1229684, 1230404, 1, ... 424, {1684, 1688}, ) == 0x0
 03817   456   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\224\6\0\0\230\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 2293, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\224\6\0\0\230\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 440, 456, 2293, 0}  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\224\6\0\0\230\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 2293, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\244\1\0\0\250\1\0\0\224\6\0\0\230\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03818   456   NtResumeThread  (424, ... 1, ) == 0x0
 03819   456   NtClose  (412, ... ) == 0x0
 03820   456   NtClose  (416, ... ) == 0x0
 03821   456   NtClose  (394, ... ) == 0x0
 03822   456   NtClose  (410, ... ) == 0x0
 03823   456   NtClose  (406, ... ) == 0x0
 03824   456   NtClose  (420, ... ) == 0x0
 03825   456   NtClose  (424, ... ) == 0x0
 03826   456   NtFreeVirtualMemory  (-1, (0x15c000), 20480, 16384, ... (0x15c000), 20480, ) == 0x0
 03827   456   NtGdiDeleteObjectApp  (50856774, ... ) == 0x1
 03828   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03829   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03830   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03831   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03832   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03833   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03834   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03835   456   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 03836   456   NtUnmapViewOfSection  (-1, 0xe60000, ... ) == 0x0
 03837   456   NtClose  (324, ... ) == 0x0
 03838   456   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03839   456   NtUserDestroyWindow  (65766, ...
 03840   456   NtUserRemoveProp  (65766, 43288, ... ) == 0xffffffff
 03841   456   NtUserRemoveProp  (65766, 43282, ... ) == 0x0
 03842   456   NtUserRemoveProp  (65766, 43287, ... ) == 0x0
 03839   456   NtUserDestroyWindow  ... ) == 0x1
 03843   456   NtUserUnregisterClass  (1234864, 1998258176, 1234852, ... ) == 0x1
 03844   456   NtClose  (228, ... ) == 0x0
 03845   456   NtClose  (220, ... ) == 0x0
 03846   456   NtClose  (224, ... ) == 0x0
 03847   456   NtClose  (200, ... ) == 0x0
 03848   456   NtClose  (216, ... ) == 0x0
 03849   456   NtClose  (248, ... ) == 0x0
 03850   456   NtClose  (252, ... ) == 0x0
 03851   456   NtClose  (244, ... ) == 0x0
 03852   456   NtClose  (236, ... ) == 0x0
 03853   456   NtClose  (240, ... ) == 0x0
 03854   456   NtClose  (264, ... ) == 0x0
 03855   456   NtClose  (268, ... ) == 0x0
 03856   456   NtClose  (256, ... ) == 0x0
 03857   456   NtClose  (260, ... ) == 0x0
 03858   456   NtClose  (288, ... ) == 0x0
 03859   456   NtClose  (280, ... ) == 0x0
 03860   456   NtClose  (284, ... ) == 0x0
 03861   456   NtClose  (272, ... ) == 0x0
 03862   456   NtClose  (276, ... ) == 0x0
 03863   456   NtClose  (292, ... ) == 0x0
 03864   456   NtClose  (296, ... ) == 0x0
 03865   456   NtClose  (308, ... ) == 0x0
 03866   456   NtClose  (312, ... ) == 0x0
 03867   456   NtClose  (300, ... ) == 0x0
 03868   456   NtClose  (304, ... ) == 0x0
 03869   456   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03870   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 1235740, ... ) }, 1235740, ... ) == 0x0
 03871   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 1236432, ... ) }, 1236432, ... ) == 0x0
 03872   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 03873   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 304, ... 300, ) == 0x0
 03874   456   NtQueryVolumeInformationFile  (304, 1235740, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03875   456   NtWaitForSingleObject  (208, 0, {-1000000, -1}, ... ) == 0x0
 03876   456   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 03877   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0
 03878   456   NtQueryInformationFile  (312, 1234328, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03879   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 312, ... 308, ) == 0x0
 03880   456   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x13b0000), 0x0, 1028096, ) == 0x0
 03881   456   NtQueryInformationFile  (312, 1234424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03882   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03883   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03884   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1231988, 616, BothDirectory, 1,  (296, 0, 0, 0, 1231988, 616, BothDirectory, 1, "spoolsvc.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03885   456   NtClose  (296, ... ) == 0x0
 03886   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03887   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03888   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 1231376, ... ) }, 1231376, ... ) == 0x0
 03889   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03890   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03891   456   NtClose  (296, ... ) == 0x0
 03892   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03893   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03894   456   NtClose  (296, ... ) == 0x0
 03895   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03896   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (296, 0, 0, 0, 1230736, 616, BothDirectory, 1, "spoolsvc.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03897   456   NtClose  (296, ... ) == 0x0
 03898   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03899   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03900   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03901   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03902   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 296, ) == 0x0
 03903   456   NtQueryInformationToken  (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03904   456   NtClose  (296, ... ) == 0x0
 03905   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03906   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\spoolsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03907   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03908   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03909   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 1233656, ... ) }, 1233656, ... ) == 0x0
 03910   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03911   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03912   456   NtClose  (296, ... ) == 0x0
 03913   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03914   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03915   456   NtClose  (296, ... ) == 0x0
 03916   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 296, {status=0x0, info=1}, ) }, 3, 16417, ... 296, {status=0x0, info=1}, ) == 0x0
 03917   456   NtQueryDirectoryFile  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (296, 0, 0, 0, 1233016, 616, BothDirectory, 1, "spoolsvc.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03918   456   NtClose  (296, ... ) == 0x0
 03919   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03920   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03921   456   NtWaitForSingleObject  (208, 0, {-1000000, -1}, ... ) == 0x0
 03922   456   NtQueryVolumeInformationFile  (304, 1234300, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03923   456   NtQueryInformationFile  (304, 1234280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03924   456   NtQueryInformationFile  (304, 1234320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03925   456   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 03926   456   NtUnmapViewOfSection  (-1, 0x13b0000, ... ) == 0x0
 03927   456   NtClose  (308, ... ) == 0x0
 03928   456   NtClose  (312, ... ) == 0x0
 03929   456   NtQuerySection  (300, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03930   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03931   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03932   456   NtOpenProcessToken  (-1, 0xa, ... 312, ) == 0x0
 03933   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0
 03934   456   NtQueryValueKey  (308,  (308, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03935   456   NtQueryValueKey  (308,  (308, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (308, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03936   456   NtClose  (308, ... ) == 0x0
 03937   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 308, ) }, ... 308, ) == 0x0
 03938   456   NtQuerySymbolicLinkObject  (308, ...  (308, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03939   456   NtClose  (308, ... ) == 0x0
 03940   456   NtQueryInformationFile  (304, 1234092, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 03941   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03942   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03943   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 1232772, ... ) }, 1232772, ... ) == 0x0
 03944   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03945   456   NtQueryDirectoryFile  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03946   456   NtClose  (308, ... ) == 0x0
 03947   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03948   456   NtQueryDirectoryFile  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03949   456   NtClose  (308, ... ) == 0x0
 03950   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03951   456   NtQueryDirectoryFile  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (308, 0, 0, 0, 1232132, 616, BothDirectory, 1, "spoolsvc.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03952   456   NtClose  (308, ... ) == 0x0
 03953   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03954   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03955   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0
 03956   456   NtQueryValueKey  (308,  (308, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957   456   NtClose  (308, ... ) == 0x0
 03958   456   NtQueryInformationToken  (312, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03959   456   NtQueryInformationToken  (312, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03960   456   NtClose  (312, ... ) == 0x0
 03961   456   NtCreateProcessEx  (1238368, 2035711, 0, -1, 4, 300, 0, 0, 0, ... ) == 0x0
 03962   456   NtSetInformationProcess  (312, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03963   456   NtQueryInformationProcess  (312, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1692,ParentPid=440,}, 0x0, ) == 0x0
 03964   456   NtReadVirtualMemory  (312, 0x7ffdf008, 4, ...  (312, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03965   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03966   456   NtReadVirtualMemory  (312, 0x400000, 4096, ...  (312, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0\200\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 4096, ) , 4096, ) == 0x0
 03967   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03968   456   NtQueryInformationProcess  (312, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1692,ParentPid=440,}, 0x0, ) == 0x0
 03969   456   NtAllocateVirtualMemory  (-1, 0, 0, 1672, 4096, 4, ... 15073280, 4096, ) == 0x0
 03970   456   NtAllocateVirtualMemory  (312, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03971   456   NtWriteVirtualMemory  (312, 0x10000,  (312, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03972   456   NtAllocateVirtualMemory  (312, 0, 0, 1672, 4096, 4, ... 131072, 4096, ) == 0x0
 03973   456   NtWriteVirtualMemory  (312, 0x20000,  (312, 0x20000, "\0\20\0\0\210\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\233\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0@\0B\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0B\0 \6\0\0\36\0 \0d\6\0\0\0\0\2\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1672, ... 0x0, ) , 1672, ... 0x0, ) == 0x0
 03974   456   NtWriteVirtualMemory  (312, 0x7ffdf010,  (312, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03975   456   NtWriteVirtualMemory  (312, 0x7ffdf1e8,  (312, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03976   456   NtFreeVirtualMemory  (-1, (0xe60000), 0, 32768, ... (0xe60000), 4096, ) == 0x0
 03977   456   NtAllocateVirtualMemory  (312, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03978   456   NtAllocateVirtualMemory  (312, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03979   456   NtProtectVirtualMemory  (312, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03980   456   NtCreateThread  (0x1f03ff, 0x0, 312, 1236632, 1237352, 1, ... 308, {1692, 1588}, ) == 0x0
 03981   456   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1502376, 1238452}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1502376, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w;\1\0\04\1\0\0\234\6\0\04\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 2311, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w8\1\0\04\1\0\0\234\6\0\04\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 440, 456, 2311, 0}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1502376, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w;\1\0\04\1\0\0\234\6\0\04\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 456, 2311, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w8\1\0\04\1\0\0\234\6\0\04\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03982   456   NtResumeThread  (308, ... 1, ) == 0x0
 03983   456   NtClose  (304, ... ) == 0x0
 03984   456   NtClose  (300, ... ) == 0x0
 03985   456   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 300, ) == 0x0
 03986   456   NtYieldExecution  (... ) == 0x0
 03987   456   NtFreeVirtualMemory  (-1, (0x148000), 4096, 16384, ... (0x148000), 4096, ) == 0x0
 03988   456   NtClose  (96, ... ) == 0x0
 03989   456   NtClose  (92, ... ) == 0x0
 03990   456   NtYieldExecution  (... ) == 0x0
 03991   456   NtClose  (104, ... ) == 0x0
 03992   456   NtClose  (100, ... ) == 0x0
 03993   456   NtTerminateProcess  (0, 0, ...
 00960  1448   NtDelayExecution  ... ) == 0xc0
 01115  1552   NtDelayExecution  ... ) == 0xc0
 00949  1612   NtDelayExecution  ... ) == 0xc0
 02519  1648   NtWaitForMultipleObjects  ... ) == 0xc0
 03993   456   NtTerminateProcess  ... ) == 0x0
 03994   456   NtRaiseException  (1238116, 1237376, 1, ...
 03995   456   NtContinue  (1236172, 0, ...
 03996   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03997   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03998   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03999   456   NtRaiseException  (1228092, 1227352, 1, ...
 04000   456   NtContinue  (1226148, 0, ...
 04001   456   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 04002   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04003   456   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 04004   456   NtUnmapViewOfSection  (-1, 0x13a0000, ... ) == 0x0
 04005   456   NtClose  (388, ... ) == 0x0
 04006   456   NtClose  (384, ... ) == 0x0
 04007   456   NtClose  (372, ... ) == 0x0
 04008   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 04009   456   NtFreeVirtualMemory  (-1, (0x1390000), 0, 32768, ... (0x1390000), 65536, ) == 0x0
 04010   456   NtClose  (360, ... ) == 0x0
 04011   456   NtClose  (368, ... ) == 0x0
 04012   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 04013   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 04014   456   NtQueryValueKey  (368,  (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 04015   456   NtClose  (368, ... ) == 0x0
 04016   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 04017   456   NtFreeVirtualMemory  (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0
 04018   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 04019   456   NtFreeVirtualMemory  (-1, (0xd10000), 0, 32768, ... (0xd10000), 262144, ) == 0x0
 04020   456   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 04021   456   NtClose  (316, ... ) == 0x0
 04022   456   NtFreeVirtualMemory  (-1, (0xd00000), 4096, 16384, ... (0xd00000), 4096, ) == 0x0
 04023   456   NtFreeVirtualMemory  (-1, (0xd00000), 0, 32768, ... (0xd00000), 65536, ) == 0x0
 04024   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 04025   456   NtFreeVirtualMemory  (-1, (0x158000), 12288, 16384, ... (0x158000), 12288, ) == 0x0
 04026   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 04027   456   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 04028   456   NtClose  (148, ... ) == 0x0
 04029   456   NtGdiDeleteObjectApp  (403702587, ... ) == 0x1
 04030   456   NtUserGetProcessWindowStation  (... ) == 0x28
 04031   456   NtUserBuildNameList  (40, 256, 1329616, 1238756, ... ) == 0x0
 04032   456   NtUserGetProcessWindowStation  (... ) == 0x28
 04033   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x94
 04034   456   NtUserBuildHwndList  (148, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x200e6, 0x200ae, 0x100d6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x2005e, 0x300e0, 0x400e2, 0x100d2, 0x100c6, 0x100c4, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 43, ) == 0x0
 04035   456   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 04036   456   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 04037   456   NtUserQueryWindow  (65756, 0, ... ) == 0x768
 04038   456   NtUserQueryWindow  (65756, 1, ... ) == 0x778
 04039   456   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 04040   456   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 04041   456   NtUserQueryWindow  (65704, 0, ... ) == 0x7dc
 04042   456   NtUserQueryWindow  (65704, 1, ... ) == 0x7e0
 04043   456   NtUserQueryWindow  (65702, 0, ... ) == 0x7dc
 04044   456   NtUserQueryWindow  (65702, 1, ... ) == 0x7e0
 04045   456   NtUserQueryWindow  (131168, 0, ... ) == 0x7dc
 04046   456   NtUserQueryWindow  (131168, 1, ... ) == 0x7e0
 04047   456   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 04048   456   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 04049   456   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 04050   456   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 04051   456   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 04052   456   NtUserQueryWindow  (65664, 0, ... ) == 0x768
 04053   456   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 04054   456   NtUserQueryWindow  (65670, 0, ... ) == 0x768
 04055   456   NtUserQueryWindow  (65670, 1, ... ) == 0x778
 04056   456   NtUserQueryWindow  (65672, 0, ... ) == 0x768
 04057   456   NtUserQueryWindow  (65672, 1, ... ) == 0x778
 04058   456   NtUserQueryWindow  (65674, 0, ... ) == 0x768
 04059   456   NtUserQueryWindow  (65674, 1, ... ) == 0x778
 04060   456   NtUserQueryWindow  (65678, 0, ... ) == 0x768
 04061   456   NtUserQueryWindow  (65678, 1, ... ) == 0x778
 04062   456   NtUserQueryWindow  (65680, 0, ... ) == 0x768
 04063   456   NtUserQueryWindow  (65680, 1, ... ) == 0x778
 04064   456   NtUserQueryWindow  (65682, 0, ... ) == 0x768
 04065   456   NtUserQueryWindow  (65682, 1, ... ) == 0x778
 04066   456   NtUserQueryWindow  (65684, 0, ... ) == 0x768
 04067   456   NtUserQueryWindow  (65684, 1, ... ) == 0x778
 04068   456   NtUserQueryWindow  (65686, 0, ... ) == 0x768
 04069   456   NtUserQueryWindow  (65686, 1, ... ) == 0x778
 04070   456   NtUserQueryWindow  (65690, 0, ... ) == 0x768
 04071   456   NtUserQueryWindow  (65690, 1, ... ) == 0x778
 04072   456   NtUserQueryWindow  (65692, 0, ... ) == 0x768
 04073   456   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 04074   456   NtUserQueryWindow  (65694, 0, ... ) == 0x768
 04075   456   NtUserQueryWindow  (65694, 1, ... ) == 0x778
 04076   456   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 04077   456   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 04078   456   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 04079   456   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 04080   456   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 04081   456   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 04082   456   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 04083   456   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 04084   456   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 04085   456   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 04086   456   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 04087   456   NtUserQueryWindow  (196670, 0, ... ) == 0x768
 04088   456   NtUserQueryWindow  (196670, 1, ... ) == 0x778
 04089   456   NtUserQueryWindow  (196674, 0, ... ) == 0x768
 04090   456   NtUserQueryWindow  (196674, 1, ... ) == 0x778
 04091   456   NtUserQueryWindow  (196672, 0, ... ) == 0x768
 04092   456   NtUserQueryWindow  (196672, 1, ... ) == 0x778
 04093   456   NtUserQueryWindow  (196676, 0, ... ) == 0x768
 04094   456   NtUserQueryWindow  (196676, 1, ... ) == 0x778
 04095   456   NtUserQueryWindow  (196678, 0, ... ) == 0x768
 04096   456   NtUserQueryWindow  (196678, 1, ... ) == 0x778
 04097   456   NtUserQueryWindow  (196680, 0, ... ) == 0x768
 04098   456   NtUserQueryWindow  (196680, 1, ... ) == 0x778
 04099   456   NtUserQueryWindow  (65642, 0, ... ) == 0x768
 04100   456   NtUserQueryWindow  (65642, 1, ... ) == 0x778
 04101   456   NtUserQueryWindow  (65646, 0, ... ) == 0x768
 04102   456   NtUserQueryWindow  (65646, 1, ... ) == 0x778
 04103   456   NtUserQueryWindow  (65650, 0, ... ) == 0x768
 04104   456   NtUserQueryWindow  (65650, 1, ... ) == 0x778
 04105   456   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 04106   456   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 04107   456   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 04108   456   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 04109   456   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 04110   456   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 04111   456   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 04112   456   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 04113   456   NtUserQueryWindow  (131302, 0, ... ) == 0x694
 04114   456   NtUserQueryWindow  (131302, 1, ... ) == 0x698
 04115   456   NtUserQueryWindow  (131246, 0, ... ) == 0x1f4
 04116   456   NtUserQueryWindow  (131246, 1, ... ) == 0x1f8
 04117   456   NtUserQueryWindow  (65750, 0, ... ) == 0x1f4
 04118   456   NtUserQueryWindow  (65750, 1, ... ) == 0x1f8
 04119   456   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 04120   456   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 04121   456   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 04122   456   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 04123   456   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 04124   456   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 04125   456   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 04126   456   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 04127   456   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 04128   456   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 04129   456   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 04130   456   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 04131   456   NtUserQueryWindow  (65714, 0, ... ) == 0x7e4
 04132   456   NtUserQueryWindow  (65714, 1, ... ) == 0x7e8
 04133   456   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 04134   456   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 04135   456   NtUserQueryWindow  (131166, 0, ... ) == 0x7f0
 04136   456   NtUserQueryWindow  (131166, 1, ... ) == 0x7f4
 04137   456   NtUserQueryWindow  (196832, 0, ... ) == 0x768
 04138   456   NtUserQueryWindow  (196832, 1, ... ) == 0x464
 04139   456   NtUserQueryWindow  (262370, 0, ... ) == 0x768
 04140   456   NtUserQueryWindow  (262370, 1, ... ) == 0x52c
 04141   456   NtUserQueryWindow  (65746, 0, ... ) == 0x768
 04142   456   NtUserQueryWindow  (65746, 1, ... ) == 0x21c
 04143   456   NtUserQueryWindow  (65734, 0, ... ) == 0x768
 04144   456   NtUserQueryWindow  (65734, 1, ... ) == 0x21c
 04145   456   NtUserBuildHwndList  (0, 65734, 1, 0, 64, ... (0x100c8, 0x100ca, 0x100cc, 0x100ce, 0x1, ), 5, ) == 0x0
 04146   456   NtUserQueryWindow  (65736, 0, ... ) == 0x768
 04147   456   NtUserQueryWindow  (65736, 1, ... ) == 0x21c
 04148   456   NtUserQueryWindow  (65738, 0, ... ) == 0x768
 04149   456   NtUserQueryWindow  (65738, 1, ... ) == 0x21c
 04150   456   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 04151   456   NtUserQueryWindow  (65740, 1, ... ) == 0x21c
 04152   456   NtUserQueryWindow  (65742, 0, ... ) == 0x768
 04153   456   NtUserQueryWindow  (65742, 1, ... ) == 0x21c
 04154   456   NtUserQueryWindow  (65732, 0, ... ) == 0x768
 04155   456   NtUserQueryWindow  (65732, 1, ... ) == 0x778
 04156   456   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 04157   456   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 04158   456   NtUserQueryWindow  (131170, 0, ... ) == 0x7d4
 04159   456   NtUserQueryWindow  (131170, 1, ... ) == 0x7d8
 04160   456   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 04161   456   NtUserQueryWindow  (65644, 1, ... ) == 0x798
 04162   456   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 04163   456   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 04164   456   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 04165   456   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 04166   456   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 04167   456   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 04168   456   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 04169   456   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 04170   456   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 04171   456   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 04172   456   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 04173   456   NtUserQueryWindow  (65656, 0, ... ) == 0x768
 04174   456   NtUserQueryWindow  (65656, 1, ... ) == 0x76c
 04175   456   NtUserQueryWindow  (65658, 0, ... ) == 0x768
 04176   456   NtUserQueryWindow  (65658, 1, ... ) == 0x76c
 04177   456   NtUserCloseDesktop  (148, ...
 04178   456   NtClose  (148, ... ) == 0x0
 04177   456   NtUserCloseDesktop  ... ) == 0x1
 04179   456   NtUserGetProcessWindowStation  (... ) == 0x28
 04180   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04181   456   NtUserGetProcessWindowStation  (... ) == 0x28
 04182   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04183   456   NtGdiDeleteObjectApp  (185205521, ... ) == 0x1
 04184   456   NtGdiDeleteObjectApp  (151651140, ... ) == 0x1
 04185   456   NtClose  (12, ... ) == 0x0
 04186   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 04187   456   NtFreeVirtualMemory  (-1, (0x152000), 16384, 16384, ... (0x152000), 16384, ) == 0x0
 04188   456   NtClose  (140, ... ) == 0x0
 04189   456   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 04190   456   NtClose  (144, ... ) == 0x0
 04191   456   NtClose  (136, ... ) == 0x0
 04192   456   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 262144, ) == 0x0
 04193   456   NtUserUnregisterClass  (1238716, 1991376896, 1238704, ... ) == 0x0
 04194   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04195   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04196   456   NtReleaseMutant  (76, ... 0x0, ) == 0x0
 04197   456   NtUserUnhookWindowsHookEx  (196667, ... ) == 0x1
 04198   456   NtTerminateThread  (80, 0, ... ) == 0x0
 04199   456   NtTerminateThread  (56, 0, ... ) == 0x0
 04200   456   NtTerminateThread  (72, 0, ... ) == 0x0
 04201   456   NtUserKillTimer  (0, 32761, ... ) == 0x1
 04202   456   NtClose  (84, ... ) == 0x0
 04203   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b
 04204   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04205   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d
 04206   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04207   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f
 04208   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04209   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc041
 04210   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04211   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc043
 04212   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04213   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc045
 04214   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04215   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc047
 04216   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04217   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc049
 04218   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04219   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b
 04220   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04221   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d
 04222   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04223   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f
 04224   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04225   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc051
 04226   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04227   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc053
 04228   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04229   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc057
 04230   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04231   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc059
 04232   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04233   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b
 04234   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04235   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d
 04236   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04237   456   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f
 04238   456   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04239   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b
 04240   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04241   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d
 04242   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04243   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f
 04244   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04245   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc041
 04246   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04247   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc043
 04248   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04249   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc045
 04250   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04251   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc047
 04252   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04253   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc049
 04254   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04255   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b
 04256   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04257   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d
 04258   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04259   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f
 04260   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04261   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc051
 04262   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04263   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc053
 04264   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04265   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc057
 04266   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04267   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc059
 04268   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04269   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b
 04270   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04271   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d
 04272   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04273   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f
 04274   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04275   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc017
 04276   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04277   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc019
 04278   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04279   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc018
 04280   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04281   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01a
 04282   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04283   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01c
 04284   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04285   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01e
 04286   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04287   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01b
 04288   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04289   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc068
 04290   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04291   456   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc06a
 04292   456   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04293   456   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 04294   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04295   456   NtClose  (380, ... ) == 0x0
 04296   456   NtClose  (196, ... ) == 0x0
 04297   456   NtClose  (396, ... ) == 0x0
 04298   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04299   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04300   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04301   456   NtClose  (192, ... ) == 0x0
 04302   456   NtClose  (400, ... ) == 0x0
 04303   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 04304   456   NtUnmapViewOfSection  (-1, 0xf70000, ... ) == 0x0
 04305   456   NtClose  (356, ... ) == 0x0
 04306   456   NtClose  (156, ... ) == 0x0
 04307   456   NtFreeVirtualMemory  (-1, (0x370000), 4096, 32768, ... (0x370000), 4096, ) == 0x0
 04308   456   NtClose  (320, ... ) == 0x0
 04309   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720}  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 456, 2374, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 440, 456, 2374, 0}  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 456, 2374, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04310   456   NtTerminateProcess  (-1, 0, ...
 04311   456   NtClose  (44, ... ) == 0x0