Summary:


NtAddAtom(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtContinue(>)  30 

NtAllocateLocallyUniqueId(>)  1 
NtGdiHfontCreate(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtQueryInformationFile(>)  30 

NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateSemaphore(>)  7 
NtEnumerateKey(>)  31 

NtClearEvent(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserCallNoParam(>)  7 
NtCreateEvent(>)  32 

NtConnectPort(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryVirtualMemory(>)  8 
NtOpenThreadToken(>)  33 

NtDelayExecution(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtWriteVirtualMemory(>)  8 
NtReleaseMutant(>)  38 

NtDuplicateToken(>)  1 
NtSetEvent(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtUnmapViewOfSection(>)  38 

NtGdiCreateBitmap(>)  1 
NtTestAlert(>)  2 
NtUserGetWindowDC(>)  10 
NtQueryInformationProcess(>)  39 

NtGdiCreateHalftonePalette(>)  1 
NtUserCloseDesktop(>)  2 
NtSetValueKey(>)  11 
NtProtectVirtualMemory(>)  40 

NtGdiCreatePaletteInternal(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserCallOneParam(>)  11 
NtQueryDefaultLocale(>)  42 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserDestroyWindow(>)  2 
NtUserSystemParametersInfo(>)  11 
NtUserUnregisterClass(>)  47 

NtGdiDoPalette(>)  1 
NtUserGetObjectInformation(>)  2 
NtWriteFile(>)  11 
NtUserFindExistingCursorIcon(>)  49 

NtGdiInit(>)  1 
NtUserMessageCall(>)  2 
NtOpenProcessToken(>)  14 
NtCreateSection(>)  56 

NtGdiQueryFontAssocInfo(>)  1 
NtCreateThread(>)  3 
NtRequestWaitReplyPort(>)  14 
NtUserRegisterClassExWOW(>)  65 

NtGdiSelectBitmap(>)  1 
NtDuplicateObject(>)  3 
NtNotifyChangeKey(>)  15 
NtWaitForSingleObject(>)  66 

NtOpenKeyedEvent(>)  1 
NtOpenMutant(>)  3 
NtQueryVolumeInformationFile(>)  15 
NtOpenSection(>)  74 

NtQueryFullAttributesFile(>)  1 
NtOpenProcess(>)  3 
NtCreateKey(>)  17 
NtReadFile(>)  77 

NtQueryInformationThread(>)  1 
NtResumeThread(>)  3 
NtDeviceIoControlFile(>)  17 
NtMapViewOfSection(>)  80 

NtQueryObject(>)  1 
NtTerminateProcess(>)  3 
NtFsControlFile(>)  17 
NtOpenFile(>)  88 

NtQueryPerformanceCounter(>)  1 
NtUserOpenDesktop(>)  3 
NtFlushInstructionCache(>)  19 
NtQuerySystemInformation(>)  89 

NtQuerySystemTime(>)  1 
NtUserRemoveProp(>)  3 
NtUserRegisterWindowMessage(>)  19 
NtUserGetClassInfo(>)  91 

NtSecureConnectPort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryDirectoryFile(>)  20 
NtAllocateVirtualMemory(>)  94 

NtUserBuildNameList(>)  1 
NtCreateMutant(>)  4 
NtSetInformationProcess(>)  21 
NtOpenProcessTokenEx(>)  110 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtEnumerateValueKey(>)  23 
NtOpenThreadTokenEx(>)  110 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtFreeVirtualMemory(>)  23 
NtQueryInformationToken(>)  126 

NtUserGetForegroundWindow(>)  1 
NtQuerySecurityObject(>)  4 
NtQueryDebugFilterState(>)  24 
NtQueryKey(>)  129 

NtUserGetGUIThreadInfo(>)  1 
NtGdiGetStockObject(>)  5 
NtRaiseException(>)  25 
NtUserQueryWindow(>)  134 

NtUserGetThreadDesktop(>)  1 
NtReadVirtualMemory(>)  5 
NtSetInformationFile(>)  25 
NtQueryAttributesFile(>)  147 

NtUserSetProp(>)  1 
NtSetInformationObject(>)  5 
NtCreateFile(>)  27 
NtQueryValueKey(>)  223 

NtAccessCheck(>)  2 
NtUserBuildHwndList(>)  5 
NtSetInformationThread(>)  27 
NtOpenKey(>)  476 

NtCreateIoCompletion(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtQuerySection(>)  28 
NtClose(>)  570 

NtCreateProcessEx(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtReleaseSemaphore(>)  28 

Trace:
 00001   412   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   412   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   412   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   412   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   412   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   412   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   412   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   412   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   412   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   412   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   412   NtClose  (12, ... ) == 0x0
 00014   412   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   412   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   412   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   412   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   412   NtClose  (16, ... ) == 0x0
 00021   412   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   412   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   412   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18284544}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18284544}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   412   NtClose  (16, ... ) == 0x0
 00026   412   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   412   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   412   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   412   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   412   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" ... {28, 56, reply, 0, 408, 412, 1540, 0} "\0\333\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" )  ... {28, 56, reply, 0, 408, 412, 1540, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" ... {28, 56, reply, 0, 408, 412, 1540, 0} "\0\333\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" )  ) == 0x0
 00032   412   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   412   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   412   NtClose  (16, ... ) == 0x0
 00036   412   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   412   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   412   NtClose  (28, ... ) == 0x0
 00041   412   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   412   NtClose  (28, ... ) == 0x0
 00045   412   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   412   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   412   NtClose  (28, ... ) == 0x0
 00049   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   412   NtClose  (28, ... ) == 0x0
 00052   412   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   412   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" ... {28, 56, reply, 0, 408, 412, 1543, 0} "\270@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" )  ... {28, 56, reply, 0, 408, 412, 1543, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" ... {28, 56, reply, 0, 408, 412, 1543, 0} "\270@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" )  ) == 0x0
 00056   412   NtProtectVirtualMemory  (-1, (0x93d000), 4096, 4, ... (0x93d000), 4096, 128, ) == 0x0
 00057   412   NtProtectVirtualMemory  (-1, (0x93d000), 4096, 128, ... (0x93d000), 4096, 4, ) == 0x0
 00058   412   NtFlushInstructionCache  (-1, 9687040, 4096, ... ) == 0x0
 00059   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00060   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   412   NtClose  (28, ... ) == 0x0
 00062   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   412   NtClose  (28, ... ) == 0x0
 00065   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   412   NtClose  (28, ... ) == 0x0
 00068   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   412   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   412   NtClose  (28, ... ) == 0x0
 00071   412   NtProtectVirtualMemory  (-1, (0x93d000), 4096, 4, ... (0x93d000), 4096, 64, ) == 0x0
 00072   412   NtProtectVirtualMemory  (-1, (0x93d000), 4096, 64, ... (0x93d000), 4096, 4, ) == 0x0
 00073   412   NtFlushInstructionCache  (-1, 9687040, 4096, ... ) == 0x0
 00074   412   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   412   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   412   NtClose  (28, ... ) == 0x0
 00077   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   412   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   412   NtClose  (28, ... ) == 0x0
 00080   412   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   412   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   412   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   412   NtClose  (28, ... ) == 0x0
 00085   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   412   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   412   NtClose  (28, ... ) == 0x0
 00088   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   412   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   412   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\27\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\27\1$\1\0\0" ... {28, 56, reply, 0, 408, 412, 1566, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\27\1$\1\0\0" )  ... {28, 56, reply, 0, 408, 412, 1566, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\27\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\27\1$\1\0\0" ... {28, 56, reply, 0, 408, 412, 1566, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\27\1$\1\0\0" )  ) == 0x0
 00093   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   412   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x940000), 0x0, 1060864, ) == 0x0
 00095   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   412   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   412   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   412   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   412   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   412   NtClose  (-2147482020, ... ) == 0x0
 00101   412   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   412   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   412   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   412   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   412   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   412   NtClose  (-2147482020, ... ) == 0x0
 00107   412   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   412   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   412   NtClose  (-2147482020, ... ) == 0x0
 00110   412   NtQueryDefaultLocale  (0, -136312308, ... ) == 0x0
 00111   412   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   412   NtUserCallNoParam  (24, ... ) == 0x0
 00113   412   NtGdiCreateCompatibleDC  (0, ...
 00114   412   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   412   NtGdiCreateCompatibleDC  ... ) == 0xc010479
 00115   412   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   412   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   412   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x805047c
 00118   412   NtGdiCreateSolidBrush  (0, 0, ...
 00119   412   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 13959168, 4096, ) == 0x0
 00118   412   NtGdiCreateSolidBrush  ... ) == 0x610047d
 00120   412   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   412   NtGdiCreateCompatibleDC  (0, ... ) == 0x601047e
 00122   412   NtGdiSelectBitmap  (100729982, 134546556, ... ) == 0x185000f
 00123   412   NtUserGetThreadDesktop  (412, 0, ... ) == 0x2c
 00124   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   412   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   412   NtClose  (52, ... ) == 0x0
 00127   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00129   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00131   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00133   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00135   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00137   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00139   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00141   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00143   412   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   412   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00145   412   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00146   412   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00147   412   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00148   412   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ...
 00149   412   NtAllocateVirtualMemory  (-1, 10924032, 0, 4096, 4096, 32, ... 10924032, 4096, ) == 0x0
 00148   412   NtUserRegisterClassExWOW  ... ) == 0x810cc024
 00150   412   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00151   412   NtCallbackReturn  (0, 0, 0, ...
 00152   412   NtGdiInit  (... ) == 0x1
 00153   412   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   412   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   412   NtTestAlert  (... ) == 0x0
 00156   412   NtContinue  (1244464, 1, ...
 00157   412   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x93d0cc,}, 4, ... ) == 0x0
 00158   412   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14024704, 8192, ) == 0x0
 00159   412   NtAllocateVirtualMemory  (-1, 0, 0, 3072, 4096, 64, ... 14090240, 4096, ) == 0x0
 00160   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00161   412   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14155776, 4096, ) == 0x0
 00162   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00163   412   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14221312, 4096, ) == 0x0
 00164   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00165   412   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14286848, 4096, ) == 0x0
 00166   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00167   412   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 64, ... 14352384, 4096, ) == 0x0
 00168   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00169   412   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14417920, 8192, ) == 0x0
 00170   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00171   412   NtAllocateVirtualMemory  (-1, 0, 0, 92125, 4096, 64, ... 14483456, 94208, ) == 0x0
 00172   412   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00173   412   NtContinue  (1242868, 0, ...
 00174   412   NtAllocateVirtualMemory  (-1, 0, 0, 4238336, 4096, 64, ... 14614528, 4239360, ) == 0x0
 00175   412   NtAllocateVirtualMemory  (-1, 1327104, 0, 81920, 4096, 4, ... 1327104, 81920, ) == 0x0
 00176   412   NtFreeVirtualMemory  (-1, (0x144000), 81920, 16384, ... (0x144000), 81920, ) == 0x0
 00177   412   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00178   412   NtAllocateVirtualMemory  (-1, 1331200, 0, 20480, 4096, 4, ... 1331200, 20480, ) == 0x0
 00179   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00180   412   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   412   NtClose  (52, ... ) == 0x0
 00182   412   NtAllocateVirtualMemory  (-1, 1351680, 0, 73728, 4096, 4, ... 1351680, 73728, ) == 0x0
 00183   412   NtFreeVirtualMemory  (-1, (0x144000), 98304, 16384, ... (0x144000), 98304, ) == 0x0
 00184   412   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00185   412   NtAllocateVirtualMemory  (-1, 1331200, 0, 20480, 4096, 4, ... 1331200, 20480, ) == 0x0
 00186   412   NtAllocateVirtualMemory  (-1, 1351680, 0, 65536, 4096, 4, ... 1351680, 65536, ) == 0x0
 00187   412   NtFreeVirtualMemory  (-1, (0x144000), 90112, 16384, ... (0x144000), 90112, ) == 0x0
 00188   412   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00189   412   NtAllocateVirtualMemory  (-1, 1331200, 0, 16384, 4096, 4, ... 1331200, 16384, ) == 0x0
 00190   412   NtAllocateVirtualMemory  (-1, 1347584, 0, 57344, 4096, 4, ... 1347584, 57344, ) == 0x0
 00191   412   NtFreeVirtualMemory  (-1, (0x144000), 77824, 16384, ... (0x144000), 77824, ) == 0x0
 00192   412   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00193   412   NtAllocateVirtualMemory  (-1, 1331200, 0, 16384, 4096, 4, ... 1331200, 16384, ) == 0x0
 00194   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00195   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00196   412   NtClose  (52, ... ) == 0x0
 00197   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00198   412   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 18874368, 65536, ) == 0x0
 00199   412   NtAllocateVirtualMemory  (-1, 18874368, 0, 4096, 4096, 4, ... 18874368, 4096, ) == 0x0
 00200   412   NtAllocateVirtualMemory  (-1, 18878464, 0, 8192, 4096, 4, ... 18878464, 8192, ) == 0x0
 00201   412   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00202   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1210000), 0x0, 12288, ) == 0x0
 00203   412   NtClose  (52, ... ) == 0x0
 00204   412   NtAllocateVirtualMemory  (-1, 18886656, 0, 4096, 4096, 4, ... 18886656, 4096, ) == 0x0
 00205   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00207   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241996, ... ) }, 1241996, ... ) == 0x0
 00209   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00210   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00211   412   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00212   412   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00213   412   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00214   412   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00216   412   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00217   412   NtClose  (64, ... ) == 0x0
 00218   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00219   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00220   412   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00221   412   NtClose  (64, ... ) == 0x0
 00222   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00223   412   NtClose  (60, ... ) == 0x0
 00224   412   NtClose  (52, ... ) == 0x0
 00225   412   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00226   412   NtClose  (56, ... ) == 0x0
 00227   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241192, ... ) }, 1241192, ... ) == 0x0
 00231   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00232   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00233   412   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00234   412   NtClose  (56, ... ) == 0x0
 00235   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00236   412   NtClose  (52, ... ) == 0x0
 00237   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00238   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00239   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00240   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00241   412   NtClose  (52, ... ) == 0x0
 00242   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00243   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00244   412   NtClose  (52, ... ) == 0x0
 00245   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00247   412   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00248   412   NtClose  (52, ... ) == 0x0
 00249   412   NtQueryDefaultUILanguage  (1240352, ...
 00250   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00251   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00252   412   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00253   412   NtClose  (-2147482020, ... ) == 0x0
 00254   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00255   412   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00256   412   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00257   412   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   412   NtClose  (-2147482032, ... ) == 0x0
 00259   412   NtClose  (-2147482020, ... ) == 0x0
 00249   412   NtQueryDefaultUILanguage  ... ) == 0x0
 00260   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261   412   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00262   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00263   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00264   412   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1220000), 0x0, 8323072, ) == 0x0
 00265   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   412   NtQueryDefaultUILanguage  (2013024600, ...
 00267   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00269   412   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   412   NtClose  (-2147482020, ... ) == 0x0
 00271   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00272   412   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   412   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00274   412   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   412   NtClose  (-2147482032, ... ) == 0x0
 00276   412   NtClose  (-2147482020, ... ) == 0x0
 00266   412   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   412   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00278   412   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00279   412   NtQueryDefaultLocale  (1, 1238388, ... ) == 0x0
 00280   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   412   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1583, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 412, 1583, 0}  (24, {128, 156, new_msg, 0, 1239244, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1583, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\14\0\0\0\377\377\377\377\0\0\0\0\20\311Y\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\314\357\22\0\0\0\0\0" )  ) == 0x0
 00282   412   NtClose  (52, ... ) == 0x0
 00283   412   NtClose  (56, ... ) == 0x0
 00284   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00285   412   NtUnmapViewOfSection  (-1, 0x12efcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00286   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00287   412   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00289   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00290   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237472, ... ) }, 1237472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00292   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00293   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00294   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238064, ... ) }, 1238064, ... ) == 0x0
 00295   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00296   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00297   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00298   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00299   412   NtClose  (52, ... ) == 0x0
 00300   412   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1220000), 0x0, 921600, ) == 0x0
 00301   412   NtClose  (60, ... ) == 0x0
 00302   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00303   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00304   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00305   412   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00306   412   NtClose  (60, ... ) == 0x0
 00307   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00308   412   NtClose  (52, ... ) == 0x0
 00309   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00310   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00311   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00312   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00313   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00314   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00315   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00316   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00317   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00318   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00319   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00320   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00321   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00322   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00323   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00324   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00325   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00326   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00327   412   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00328   412   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00329   412   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00330   412   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239248, ... ) , 42, 1239248, ... ) == 0x0
 00331   412   NtQueryDefaultUILanguage  (1237964, ...
 00332   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00333   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00334   412   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00335   412   NtClose  (-2147482020, ... ) == 0x0
 00336   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00337   412   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   412   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00339   412   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   412   NtClose  (-2147482032, ... ) == 0x0
 00341   412   NtClose  (-2147482020, ... ) == 0x0
 00331   412   NtQueryDefaultUILanguage  ... ) == 0x0
 00342   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00343   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236816, ... ) }, 1236816, ... ) == 0x0
 00344   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00345   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00346   412   NtClose  (52, ... ) == 0x0
 00347   412   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1220000), 0x0, 4096, ) == 0x0
 00348   412   NtClose  (60, ... ) == 0x0
 00349   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00350   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236456, ... ) }, 1236456, ... ) == 0x0
 00351   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237156,  (0x80100080, {24, 0, 0x40, 0, 1237156, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00352   412   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00353   412   NtClose  (60, ... ) == 0x0
 00354   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1220000), {0, 0}, 4096, ) == 0x0
 00355   412   NtClose  (52, ... ) == 0x0
 00356   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00357   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00358   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00359   412   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1220000), 0x0, 4096, ) == 0x0
 00360   412   NtQueryInformationFile  (52, 1236776, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00361   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00362   412   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0} "\210\6\27\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\27\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\27\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1584, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\27\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\27\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 412, 1584, 0}  (24, {128, 156, new_msg, 0, 1236856, 1, 96, 0} "\210\6\27\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\27\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\27\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1584, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\27\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\27\1\0\0\0\0\0\0\0\0x\346\22\0\0\0\0\0" )  ) == 0x0
 00363   412   NtClose  (52, ... ) == 0x0
 00364   412   NtClose  (60, ... ) == 0x0
 00365   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 00366   412   NtUnmapViewOfSection  (-1, 0x12e678, ... ) == STATUS_NOT_MAPPED_VIEW
 00367   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00368   412   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00369   412   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00370   412   NtUserGetDC  (0, ... ) == 0x1010050
 00371   412   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00372   412   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00373   412   NtUserSystemParametersInfo  (66, 12, 1239268, 0, ... ) == 0x1
 00374   412   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00375   412   NtAccessCheck  (1329520, 60, 0x1, 1238672, 1238616, 56, 1238700, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00376   412   NtClose  (60, ... ) == 0x0
 00377   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00378   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00379   412   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00380   412   NtClose  (60, ... ) == 0x0
 00381   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00382   412   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00383   412   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00384   412   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   412   NtClose  (52, ... ) == 0x0
 00386   412   NtUserSystemParametersInfo  (41, 500, 1238768, 0, ... ) == 0x1
 00387   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00388   412   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00390   412   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391   412   NtClose  (64, ... ) == 0x0
 00392   412   NtClose  (52, ... ) == 0x0
 00393   412   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00394   412   NtUserSystemParametersInfo  (4130, 0, 1239292, 0, ... ) == 0x1
 00395   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00396   412   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00397   412   NtClose  (52, ... ) == 0x0
 00398   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00399   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc03b
 00400   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc03d
 00401   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00402   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc03f
 00403   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00404   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc041
 00405   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00406   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc043
 00407   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc045
 00408   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00409   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc047
 00410   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00411   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc049
 00412   412   NtUserGetClassInfo  (1905590272, 1239188, 1239140, 1239216, 0, ... ) == 0xc049
 00413   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00414   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc04b
 00415   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00416   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc04d
 00417   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00418   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc04f
 00419   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc051
 00420   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00421   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc053
 00422   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00423   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc055
 00424   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc057
 00425   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00426   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc059
 00427   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10013
 00428   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc05b
 00429   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00430   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc05d
 00431   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00432   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc05f
 00433   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00434   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc017
 00435   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00436   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc019
 00437   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10013
 00438   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc018
 00439   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00440   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc01a
 00441   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00442   412   NtUserRegisterClassExWOW  (1239024, 1239104, 1239088, 1239120, 0, 384, 0, ... ) == 0x810cc01c
 00443   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00444   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ... ) == 0x810cc01e
 00445   412   NtUserFindExistingCursorIcon  (1238572, 1238588, 1239156, ... ) == 0x10011
 00446   412   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810cc01b
 00447   412   NtUserFindExistingCursorIcon  (1238568, 1238584, 1239152, ... ) == 0x10011
 00448   412   NtUserRegisterClassExWOW  (1239080, 1239160, 1239144, 1239176, 0, 384, 0, ... ) == 0x810cc068
 00449   412   NtUserFindExistingCursorIcon  (1238576, 1238592, 1239160, ... ) == 0x10011
 00450   412   NtUserRegisterClassExWOW  (1239028, 1239108, 1239092, 1239124, 0, 384, 0, ...
 00451   412   NtAllocateVirtualMemory  (-1, 10928128, 0, 4096, 4096, 32, ... 10928128, 4096, ) == 0x0
 00450   412   NtUserRegisterClassExWOW  ... ) == 0x810cc06a
 00452   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00453   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00454   412   NtClose  (52, ... ) == 0x0
 00455   412   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {408, 0}, ... 52, ) == 0x0
 00456   412   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00457   412   NtClose  (52, ... ) == 0x0
 00458   412   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00459   412   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00460   412   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00461   412   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00462   412   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463   412   NtClose  (52, ... ) == 0x0
 00464   412   NtUserSystemParametersInfo  (41, 500, 1239928, 0, ... ) == 0x1
 00465   412   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00466   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00467   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00468   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc03b
 00469   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00470   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc03d
 00471   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00472   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00473   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc03f
 00474   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00475   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00476   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc041
 00477   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00478   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00479   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc043
 00480   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00481   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc045
 00482   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00483   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00484   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc047
 00485   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00486   412   NtUserFindExistingCursorIcon  (1239716, 1239732, 1240300, ... ) == 0x10011
 00487   412   NtUserRegisterClassExWOW  (1240168, 1240248, 1240232, 1240264, 0, 384, 0, ... ) == 0x810cc049
 00488   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00489   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00490   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc04b
 00491   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00492   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00493   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc04d
 00494   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00495   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00496   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc04f
 00497   412   NtUserGetClassInfo  (1999896576, 1240340, 1240292, 1240368, 0, ... ) == 0x0
 00498   412   NtUserRegisterClassExWOW  (1240176, 1240256, 1240240, 1240272, 0, 384, 0, ... ) == 0x810cc051
 00499   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00500   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00501   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc053
 00502   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00503   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00504   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc055
 00505   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc057
 00506   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00507   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00508   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc059
 00509   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00510   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10013
 00511   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc05b
 00512   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00513   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00514   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc05d
 00515   412   NtUserGetClassInfo  (1999896576, 1240336, 1240288, 1240364, 0, ... ) == 0x0
 00516   412   NtUserFindExistingCursorIcon  (1239720, 1239736, 1240304, ... ) == 0x10011
 00517   412   NtUserRegisterClassExWOW  (1240172, 1240252, 1240236, 1240268, 0, 384, 0, ... ) == 0x810cc05f
 00518   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03b
 00519   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03d
 00520   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc03f
 00521   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc041
 00522   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc043
 00523   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc045
 00524   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc047
 00525   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc049
 00526   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04b
 00527   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04d
 00528   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc04f
 00529   412   NtUserGetClassInfo  (1999896576, 1242092, 1242044, 1242120, 0, ... ) == 0xc051
 00530   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc053
 00531   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc055
 00532   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc059
 00533   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05b
 00534   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05d
 00535   412   NtUserGetClassInfo  (1999896576, 1242088, 1242040, 1242116, 0, ... ) == 0xc05f
 00536   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00537   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00538   412   NtClose  (52, ... ) == 0x0
 00539   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00540   412   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00541   412   NtClose  (52, ... ) == 0x0
 00542   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00543   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00544   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00545   412   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00546   412   NtClose  (52, ... ) == 0x0
 00547   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00548   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00549   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00550   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00551   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00552   412   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00553   412   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   412   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   412   NtClose  (52, ... ) == 0x0
 00556   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00557   412   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   412   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559   412   NtClose  (52, ... ) == 0x0
 00560   412   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00561   412   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00562   412   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00563   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564   412   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00565   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00566   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00567   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00568   412   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00569   412   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0
 00570   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1237128, ... ) }, 1237128, ... ) == 0x0
 00574   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00575   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00576   412   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00577   412   NtClose  (68, ... ) == 0x0
 00578   412   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00579   412   NtClose  (72, ... ) == 0x0
 00580   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00581   412   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00582   412   NtClose  (72, ... ) == 0x0
 00583   412   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 72, ) == 0x0
 00584   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00585   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 76, ) }, ... 76, ) == 0x0
 00586   412   NtNotifyChangeKey  (76, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00587   412   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00588   412   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00589   412   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00590   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1237128, ... ) }, 1237128, ... ) == 0x0
 00594   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00595   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00596   412   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00597   412   NtClose  (88, ... ) == 0x0
 00598   412   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00599   412   NtClose  (92, ... ) == 0x0
 00600   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1236324, ... ) }, 1236324, ... ) == 0x0
 00604   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00605   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00606   412   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00607   412   NtClose  (92, ... ) == 0x0
 00608   412   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00609   412   NtClose  (88, ... ) == 0x0
 00610   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00611   412   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19136512, 262144, ) == 0x0
 00612   412   NtAllocateVirtualMemory  (-1, 19136512, 0, 4096, 4096, 4, ... 19136512, 4096, ) == 0x0
 00613   412   NtAllocateVirtualMemory  (-1, 19140608, 0, 8192, 4096, 4, ... 19140608, 8192, ) == 0x0
 00614   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00615   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00616   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00617   412   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00618   412   NtClose  (88, ... ) == 0x0
 00619   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00620   412   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00621   412   NtClose  (88, ... ) == 0x0
 00622   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00623   412   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00624   412   NtClose  (88, ... ) == 0x0
 00625   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   412   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1237260, 0,  (0x1f0003, {24, 52, 0x80, 1237260, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00627   412   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 00628   412   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00629   412   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 00630   412   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00631   412   NtQueryDefaultUILanguage  (1235496, ...
 00632   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00633   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00634   412   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00635   412   NtClose  (-2147482020, ... ) == 0x0
 00636   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00637   412   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   412   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00639   412   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00640   412   NtClose  (-2147482032, ... ) == 0x0
 00641   412   NtClose  (-2147482020, ... ) == 0x0
 00631   412   NtQueryDefaultUILanguage  ... ) == 0x0
 00642   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00644   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00645   412   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1280000), 0x0, 593920, ) == 0x0
 00646   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647   412   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00648   412   NtQueryDefaultLocale  (1, 1233532, ... ) == 0x0
 00649   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   412   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1588, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 412, 1588, 0}  (24, {128, 156, new_msg, 0, 1234388, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1588, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1`\0\0\0\377\377\377\377\0\0\0\0P\275/\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0\324\334\22\0\0\0\0\0" )  ) == 0x0
 00651   412   NtClose  (96, ... ) == 0x0
 00652   412   NtClose  (100, ... ) == 0x0
 00653   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00654   412   NtUnmapViewOfSection  (-1, 0x12dcd4, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   412   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00658   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00659   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1232072, ... ) }, 1232072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00660   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00661   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00662   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00663   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1232664, ... ) }, 1232664, ... ) == 0x0
 00664   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00665   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00666   412   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00667   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   412   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1237148, ... ) }, 1237148, ... ) == 0x0
 00671   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00672   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00673   412   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00674   412   NtClose  (104, ... ) == 0x0
 00675   412   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00676   412   NtClose  (108, ... ) == 0x0
 00677   412   NtAllocateVirtualMemory  (-1, 18890752, 0, 8192, 4096, 4, ... 18890752, 8192, ) == 0x0
 00678   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00680   412   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   412   NtClose  (108, ... ) == 0x0
 00682   412   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00683   412   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00684   412   NtClose  (108, ... ) == 0x0
 00685   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 00686   412   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00687   412   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00688   412   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00689   412   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00690   412   NtClose  (108, ... ) == 0x0
 00691   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 00692   412   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00693   412   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00694   412   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00695   412   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00696   412   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00697   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236708, ... ) }, 1236708, ... ) == 0x0
 00698   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00699   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00700   412   NtClose  (104, ... ) == 0x0
 00701   412   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 135168, ) == 0x0
 00702   412   NtClose  (112, ... ) == 0x0
 00703   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00704   412   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00705   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237596, ... ) }, 1237596, ... ) == 0x0
 00706   412   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238264, ... ) }, 1238264, ... ) == 0x0
 00707   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238120,  (0x80100080, {24, 0, 0x40, 0, 1238120, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00708   412   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00709   412   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 135168, ) == 0x0
 00710   412   NtQueryDefaultLocale  (1, 1237928, ... ) == 0x0
 00711   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00712   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00713   412   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00714   412   NtQueryInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00715   412   NtSetInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00716   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00717   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00718   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00719   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00720   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00721   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00722   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00723   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00724   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00725   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00726   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00727   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00728   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00729   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00730   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00731   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00732   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00733   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00734   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00735   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00736   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00737   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00738   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00739   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00740   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00741   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00742   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00743   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00744   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00745   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00746   412   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00747   412   NtQueryInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00748   412   NtSetInformationFile  (112, 1238172, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00749   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 00750   412   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 00751   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00752   412   NtClose  (104, ... ) == 0x0
 00753   412   NtClose  (112, ... ) == 0x0
 00754   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236652, ... ) }, 1236652, ... ) == 0x0
 00755   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00756   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 00757   412   NtClose  (112, ... ) == 0x0
 00758   412   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 135168, ) == 0x0
 00759   412   NtClose  (104, ... ) == 0x0
 00760   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00761   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236968, ... ) }, 1236968, ... ) == 0x0
 00762   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00763   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 00764   412   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00765   412   NtClose  (104, ... ) == 0x0
 00766   412   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 00767   412   NtClose  (112, ... ) == 0x0
 00768   412   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00769   412   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00770   412   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00771   412   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00772   412   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00773   412   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00774   412   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00775   412   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00776   412   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00777   412   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00778   412   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00779   412   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00780   412   NtAllocateVirtualMemory  (-1, 1359872, 0, 20480, 4096, 4, ... 1359872, 20480, ) == 0x0
 00781   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00782   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00783   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00784   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00785   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00786   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00787   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00788   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00789   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00790   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00791   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00792   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00793   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00794   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00795   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00796   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00797   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00798   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00799   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00800   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00801   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00802   412   NtQueryDefaultLocale  (1, 1235820, ... ) == 0x0
 00803   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235920, ... ) }, 1235920, ... ) == 0x0
 00804   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236652,  (0x80100080, {24, 0, 0x40, 0, 1236652, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00805   412   NtQueryVolumeInformationFile  (112, 1236812, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00806   412   NtQueryInformationFile  (112, 1236704, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00807   412   NtQueryInformationFile  (112, 1236996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00808   412   NtClose  (112, ... ) == 0x0
 00809   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235412, ... ) }, 1235412, ... ) == 0x0
 00810   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236144,  (0x80100080, {24, 0, 0x40, 0, 1236144, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00811   412   NtQueryVolumeInformationFile  (112, 1236304, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00812   412   NtQueryInformationFile  (112, 1236196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00813   412   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00814   412   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 135168, ) == 0x0
 00815   412   NtQueryDefaultLocale  (1, 1236284, ... ) == 0x0
 00816   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00817   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00818   412   NtQueryDefaultLocale  (1, 1236284, ... ) == 0x0
 00819   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00820   412   NtQueryVirtualMemory  (-1, 0x1280000, Basic, 28, ... {BaseAddress=0x1280000,AllocationBase=0x1280000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00821   412   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00822   412   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00823   412   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00824   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00825   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00826   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00827   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00828   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00829   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00830   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00831   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00832   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00833   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00834   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00835   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00836   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00837   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00838   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00839   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00840   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00841   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00842   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00843   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00844   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00845   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00846   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00847   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00848   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00849   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00850   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00851   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00852   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00853   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00854   412   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00855   412   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00856   412   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00857   412   NtQueryInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00858   412   NtSetInformationFile  (112, 1236532, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00859   412   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 00860   412   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 00861   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00862   412   NtClose  (104, ... ) == 0x0
 00863   412   NtClose  (112, ... ) == 0x0
 00864   412   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 00865   412   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00866   412   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00867   412   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00868   412   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 00869   412   NtClose  (112, ... ) == 0x0
 00870   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   412   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00872   412   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 00873   412   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 00874   412   NtClose  (112, ... ) == 0x0
 00875   412   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 00876   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 00877   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00878   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00879   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00880   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00881   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00882   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00883   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00884   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00885   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00886   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\17\343=-\231\230]\302\272\243\207\374mW7\260f\262\332\226Z\356\35\260H3\252G)\0_\340\331K"}\25\261\231\251\221U\33\226\310\275\202\341Q\366|b3!\335lh4\366G\257\4\177\202F\223\214\346\336^\356\204o3\313\322PA\345\25", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\17\343=-\231\230]\302\272\243\207\374mW7\260f\262\332\226Z\356\35\260H3\252G)\0_\340\331K"}\25\261\231\251\221U\33\226\310\275\202\341Q\366|b3!\335lh4\366G\257\4\177\202F\223\214\346\336^\356\204o3\313\322PA\345\25", 80, ... ) }\25\261\231\251\221U\33\226\310\275\202\341Q\366|b3!\335lh4\366G\257\4\177\202F\223\214\346\336^\356\204o3\313\322PA\345\25", 80, ... ) == 0x0
 00887   412   NtClose  (-2147482020, ... ) == 0x0
 00877   412   NtDeviceIoControlFile  ... {status=0x0, info=256}, " ... {status=0x0, info=256}, ""\336\304j\362\22\25(\206~\2448\347\253\220S!\\31\277\356\25\2527\201\360\352>\34\235\351\325.\321\203\360\310&\344H+\276\332\372\323, ) , ) == 0x0
 00888   412   NtClose  (108, ... ) == 0x0
 00889   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\21\310\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00890   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00891   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00892   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00893   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00894   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00895   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00896   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00897   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00898   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\3718\235\256QM\336K\276\326zq2!\203I~\366n\210w\200\266\367\244m\276\203\325\250\226O>,\236\326\343\276\257\345\203\316\36\267\22i\217U\305\202 \216\6\357\333\12s\210\17n\362>\10\331'\376\177?\357\326\372\271\24x\\16\242`\257\203", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\3718\235\256QM\336K\276\326zq2!\203I~\366n\210w\200\266\367\244m\276\203\325\250\226O>,\236\326\343\276\257\345\203\316\36\267\22i\217U\305\202 \216\6\357\333\12s\210\17n\362>\10\331'\376\177?\357\326\372\271\24x\\16\242`\257\203", 80, ... ) , 80, ... ) == 0x0
 00899   412   NtClose  (-2147482020, ... ) == 0x0
 00889   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "F\236\204p\36\15\307\360\340\204\337\315\10B\353\313\250\371\340\304\364\332D@\271e\313y\169%\373\230{\216\372s\242\212\324\250\6\17G}\225r\33\305\227\220T\333%'\347\360\247\247\2019\331T\240|R\5\227\34[\5oD\0\3149\200\201W~5\277\3'\205\363\200\326\320\263h\211\266{,hF'\252\355Z\2449Z\337\377$\17\331\205\34\200=\355\223\11\2437\316\332Ut\255a\12\223\16\356\306r|Vs\302 \0LH+\317\230\203:\306\373\204\32\315\7\3U\225?{hl\306y\244x\22\225\306,\312/\354n|\312I}T\255\375g\210\256@\315\367\31\233\36\302\254q\0\212\245\24\376\177E\277\200X\244\34mP\310\242\240/\245\260bk\255\305\15\26m\224Fp|\265\275\37\37\3\233\13\375B6G\303GI\2350we\360\261+W=<\245\233\254\222\360\305>\14\324\24\372vf\323", ) , ) == 0x0
 00900   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00901   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00902   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00903   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00904   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00905   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00906   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00907   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00908   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00909   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\177\337\340(\363\361$+\267\302\35\345d \224\216\333E\21;X\327\252\321>\335\356\356A\245\377\5\2329\204!}\211v\227\3641\5\374\3\320\347Y\12-\242^\224\332\2525\10\364]\306N\302uU^}H\30\355\201/\217\247\320#r\30\356 G", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\177\337\340(\363\361$+\267\302\35\345d \224\216\333E\21;X\327\252\321>\335\356\356A\245\377\5\2329\204!}\211v\227\3641\5\374\3\320\347Y\12-\242^\224\332\2525\10\364]\306N\302uU^}H\30\355\201/\217\247\320#r\30\356 G", 80, ... ) , 80, ... ) == 0x0
 00910   412   NtClose  (-2147482020, ... ) == 0x0
 00900   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\336\34\33^}\247\7~\332h\203Sjd\156L\326`\10\22\236s9\317\302\321\200\211\374\23\206Y\302\230)\377\212\356\12F\321\371v\320L\335\325\347H\272\3770\203\2138 ;\246\1\311\16\307p\270\213a\353\2601\252\15aPRg\226\24\323b\300\350\237\243\30\337H\230S\232\202[\302F\35mu\16N\277`\300-t\242\306\227i\272vCJ\250G\3\250\226\212N\242\341i\37R\241^Cg+\372\220Z\377"\302\347\26\335\313\214\333\233\2734Y\320\276\13\374\251\3674=\336\\265EP\353o\245\215R\200T\37p\2}\7\220\24D\12\235\375{\313m\36\314\253eu x\2326L\3441\241\354V\212\337\216&\36\372q\22\262\243k\313\333\242Z\177\33\232\15\0~=M\377\\342S^\334\222qO/j $\343V\262e\202WVr\224\362\376\334+|k\323\202l\361l\351\223\326\26(\223", ) \302\347\26\335\313\214\333\233\2734Y\320\276\13\374\251\3674=\336\\265EP\353o\245\215R\200T\37p\2}\7\220\24D\12\235\375{\313m\36\314\253eu x\2326L\3441\241\354V\212\337\216&\36\372q\22\262\243k\313\333\242Z\177\33\232\15\0~=M\377\\342S^\334\222qO/j $\343V\262e\202WVr\224\362\376\334+|k\323\202l\361l\351\223\326\26(\223", ) == 0x0
 00911   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00912   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00913   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00914   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00915   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00916   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00917   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00918   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00919   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00920   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, ",\370\203\332\312\205\374\333\313YZC\271\361\2446(\34\35\26\220\262C\311\12`b\250F\377\327\360\260\4\342%E\2\324\36~>P\313T\2s\264\356\15d4\252\302N\23\317\355\15_[\231\376\260x\247\311$\26\315W8\301\275\\3102\224\", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, ",\370\203\332\312\205\374\333\313YZC\271\361\2446(\34\35\26\220\262C\311\12`b\250F\377\327\360\260\4\342%E\2\324\36~>P\313T\2s\264\356\15d4\252\302N\23\317\355\15_[\231\376\260x\247\311$\26\315W8\301\275\\3102\224\", 80, ... ) , 80, ... ) == 0x0
 00921   412   NtClose  (-2147482020, ... ) == 0x0
 00911   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "J\346\310\177eA\271\23\224\223\279\367\335\16y8\27\327\312A~L+\223-`\271^\300\230`\262\270\353\206\300\203QrED\346Y/\2045\312\27\5\322\27\326\322=\234B\265\351R\303\361\316lE\323B\32X\253\327}\177\217#\367P\2453\231S^\255o\236\310\177\343\252\216\321\13\3S\3310~\221\236\357\224\2340\250\371\360u\261\175=\1\222\343@\237\\341\325\324\10\2014c\0\244K\37Q\c}\313\241\346\343i\351\357\375*\27\246\215\264[:"\204\362\322\344\207\375\4\362W\344\33\325\346/O\\345\300\327p\241gG\2015\327\37l\276\373q\323Ja\222l-ArNr\243\266\6\306s\366\30\210\346d0xKa\337Yn?\210\33}\310n1\261\300_\374ge\364_;B\11\333f\324\6\355\210\304'*\371\33\371\35l?\33\22*\361\25\275"\15\234U\13\325#"\35\34", ) \204\362\322\344\207\375\4\362W\344\33\325\346/O\\345\300\327p\241gG\2015\327\37l\276\373q\323Ja\222l-ArNr\243\266\6\306s\366\30\210\346d0xKa\337Yn?\210\33}\310n1\261\300_\374ge\364_;B\11\333f\324\6\355\210\304'*\371\33\371\35l?\33\22*\361\25\275 ... {status=0x0, info=256}, "J\346\310\177eA\271\23\224\223\279\367\335\16y8\27\327\312A~L+\223-`\271^\300\230`\262\270\353\206\300\203QrED\346Y/\2045\312\27\5\322\27\326\322=\234B\265\351R\303\361\316lE\323B\32X\253\327}\177\217#\367P\2453\231S^\255o\236\310\177\343\252\216\321\13\3S\3310~\221\236\357\224\2340\250\371\360u\261\175=\1\222\343@\237\\341\325\324\10\2014c\0\244K\37Q\c}\313\241\346\343i\351\357\375*\27\246\215\264[:"\204\362\322\344\207\375\4\362W\344\33\325\346/O\\345\300\327p\241gG\2015\327\37l\276\373q\323Ja\222l-ArNr\243\266\6\306s\366\30\210\346d0xKa\337Yn?\210\33}\310n1\261\300_\374ge\364_;B\11\333f\324\6\355\210\304'*\371\33\371\35l?\33\22*\361\25\275"\15\234U\13\325#"\35\34", ) \35\34", ) == 0x0
 00922   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00923   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00924   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00925   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00926   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00927   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00928   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00929   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00930   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00931   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "a\243\303\24`mG\34f\3447\260\376+=[x\206sy?\225\27\244\355f\243\374x\336BgpT\254/\210r\275\27\242\314Z\5$\245\224\350\340\265\216{5xd\6ln(E\275n\321\5z\11\271n\251\200\216\274\331\270\256\0%i1\223", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "a\243\303\24`mG\34f\3447\260\376+=[x\206sy?\225\27\244\355f\243\374x\336BgpT\254/\210r\275\27\242\314Z\5$\245\224\350\340\265\216{5xd\6ln(E\275n\321\5z\11\271n\251\200\216\274\331\270\256\0%i1\223", 80, ... ) , 80, ... ) == 0x0
 00932   412   NtClose  (-2147482020, ... ) == 0x0
 00922   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\202\206h\207\366r\267\21H\275\260\0k>\374vC\357P\257#\267\362\255\357j\241\31\254r3\227U\2033\347\34+\234\257]\35,\262>z\15\356Y\206>\33\225s\202\267p\7Nr\347\240\256\261x"\331p\302\3510\355\35\266\3/\370D\332k\243\232ecs\241\247\327\360\304\210\334+\342\327\260\257\317\223g\373\30\255\375\245'T\232\341x\255x\333\372\365n\250X\203\210\245\337\261\352\345.\305CJ)3pS\311\331G\206s\275v\271\207\2f\323:Q~4b'K \370^"\337\6\15T?`\346 \246\236\360\242)\24\223\267\8|\27/Sq\\253\336\36\236\353$4%C\31[DW\5\361\325\301\333\305kZ\366\243\26\335iM\312\216~\333\344\223\337\247\270\17BH\4@\204\312=-\313\3345c\31S\225cv\327\321Z\211x\177\202\33\27\325F?\271\266\334\315]\264/R\252\23", ) \331p\302\3510\355\35\266\3/\370D\332k\243\232ecs\241\247\327\360\304\210\334+\342\327\260\257\317\223g\373\30\255\375\245'T\232\341x\255x\333\372\365n\250X\203\210\245\337\261\352\345.\305CJ)3pS\311\331G\206s\275v\271\207\2f\323:Q~4b'K \370^ ... {status=0x0, info=256}, "\202\206h\207\366r\267\21H\275\260\0k>\374vC\357P\257#\267\362\255\357j\241\31\254r3\227U\2033\347\34+\234\257]\35,\262>z\15\356Y\206>\33\225s\202\267p\7Nr\347\240\256\261x"\331p\302\3510\355\35\266\3/\370D\332k\243\232ecs\241\247\327\360\304\210\334+\342\327\260\257\317\223g\373\30\255\375\245'T\232\341x\255x\333\372\365n\250X\203\210\245\337\261\352\345.\305CJ)3pS\311\331G\206s\275v\271\207\2f\323:Q~4b'K \370^"\337\6\15T?`\346 \246\236\360\242)\24\223\267\8|\27/Sq\\253\336\36\236\353$4%C\31[DW\5\361\325\301\333\305kZ\366\243\26\335iM\312\216~\333\344\223\337\247\270\17BH\4@\204\312=-\313\3345c\31S\225cv\327\321Z\211x\177\202\33\27\325F?\271\266\334\315]\264/R\252\23", ) , ) == 0x0
 00933   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00934   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00935   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00936   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00937   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00938   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00939   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00940   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00941   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00942   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\213\341~`\275\225\327R\246J+\255\316T\247\261P(^z\344:b+Ly\370R\350\353\272N\201\300\235k\302\3623\250\320\302\257\237\302_\' \270^\213\250\303\252\361+\324\204V\311Q'\22\361/^\377\3038\302\231\357\220\237\261\243P\344", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\213\341~`\275\225\327R\246J+\255\316T\247\261P(^z\344:b+Ly\370R\350\353\272N\201\300\235k\302\3623\250\320\302\257\237\302_\' \270^\213\250\303\252\361+\324\204V\311Q'\22\361/^\377\3038\302\231\357\220\237\261\243P\344", 80, ... ) , 80, ... ) == 0x0
 00943   412   NtClose  (-2147482020, ... ) == 0x0
 00933   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\311^\376a\374+\252\2274\211>\352?|6\361U\255\315^ 'd\342m+P\216\300]a\36\234\234\225\337\300\242\200:f'w[bC\14\26E\212m\302k\16N\15R\304\204~\310c\244t\224\15\301\272\343\7*\211\17\35\374n\342a\316\242\7\0\15\274\262\1(\210\304\3035%{\242\335_\21\342P\237T\326\255m\232\345\362\271\257d\333\24\224\210\264U\375{\215\204U\235\272\251\340w\340\217`j\7\257f\344]9\251BM^\206)\262\200\215By\33\20\263(\306\2253\11\365;\330oMV\266\205\6J;\366b\335`\25\222v\255w\35\331\11\220\313\204z\200\2233\27\336\302hw\237\220\206h\23L\13"\351\250\236\214\346\213\341\22i1\6$\312\377+\33\210l\326\17\317]\13{\357m\227\333\320yP\2520\11\2351\250\236\214\346\213\341\22i1\6$\312\377+\33\210l\326\17\317]\13{\357m\227\333\320yP\2520\11\223\4\331\233V +\226<\243*h\365H\376\250\370U\360", ) == 0x0
 00944   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00945   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00946   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00947   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00948   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00949   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00950   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00951   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00952   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00953   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\222\223\271\36\3\232ky\335M\204\23\254\372\266\227\363\317\275\2646\303i1,-j\236>\372\355\4\244\200\206h\254\277&\251f\216\277/\25uA\376B\240\327 ;\245\211\33\237\263\276\375<_\355\375I\355?\266\2542\325\25\23\302(\366B\6\234t", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\222\223\271\36\3\232ky\335M\204\23\254\372\266\227\363\317\275\2646\303i1,-j\236>\372\355\4\244\200\206h\254\277&\251f\216\277/\25uA\376B\240\327 ;\245\211\33\237\263\276\375<_\355\375I\355?\266\2542\325\25\23\302(\366B\6\234t", 80, ... ) , 80, ... ) == 0x0
 00954   412   NtClose  (-2147482020, ... ) == 0x0
 00944   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\265\233\23\363Y\247\37\371\177\357\2261\311\244 `\3235\204\344\16]W\12\24\16\271\375\304\102\245q\223\11;C\250f\332\263o\315Q\344\334\206m\2\274M;\236\17b\201\235\33\217\220\253\346?\314\31P\232jPli~\365yr\362\335\23\316n\324\250R\365\270\7\7\270\263nJT\251\25>AP\347\255et\230\3663\17\343\24)3U\350\256\340n\372\307W+\206\\22\245\352\261\264\311}c\210S\361\371\11\15\211\304\230\12\17\365\356\32/e\7C.3\264\307\26\16\33\257t%\226\232\302\2720\342\30L5\307\372-\3070+\277\361\333B\177S\200\30\26\17\15\242\36*x\11k(\356\\264\330\4L\13\304\340\315\3678X\272\13\32\341\10\1\364\371\367MsEq\12D\246\213\332O\234\223j\360y\251\3015L<\255\224mF\373\215pIN\336Z\3034Z\301t\252\246\272\1\31k\360\226", ) , ) == 0x0
 00955   412   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\27\245\320\14\263\372V\270\316\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|\324\275\305\3716\217|}\273\257\313\202\17\334\347\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00956   412   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00957   412   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00958   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00959   412   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00960   412   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00961   412   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00962   412   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00963   412   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00964   412   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\1.M\207z\2\334\203\331\214\250\243\210\233\260\17\2073?H7I`i\203m\277\354\311To[\273\224G\243+H\16.I\270G\220v\356V\301G\212\32\221\14\357\355\354\6\372\276l/\4\265\357\362\304\337\205\5%CJ0\364Yt\270\216 \352", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\1.M\207z\2\334\203\331\214\250\243\210\233\260\17\2073?H7I`i\203m\277\354\311To[\273\224G\243+H\16.I\270G\220v\356V\301G\212\32\221\14\357\355\354\6\372\276l/\4\265\357\362\304\337\205\5%CJ0\364Yt\270\216 \352", 80, ... ) , 80, ... ) == 0x0
 00965   412   NtClose  (-2147482020, ... ) == 0x0
 00955   412   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\306w5\21^9\31e.\373\232z\30\260F\265\271\317\251\342\212\5\273\13\34\17\27h\265\233\256\257"\33\20\361\7\260\345v\350=Z\306:\357\22\306\33\1\217B\305\371\26(<\36\222Y\11C\16\210\12\215v\177l7I\250\360\230o#\343\255-Ne\11v\207\371*\255\321\316*\10u\12O\305^\207\6\255\302\225\277\25j'B\211\22\370\226\232\34b0\303\343_@:\361\2\21d\342\355h\227\364X9*\204mI\255n\302\367\207\315\30~V\22\233\5\367&\346\177\20\244\364\\245\14E\350K\275\271\0defPM`\345\320\15\264\5-]+\225ug\265\352D>\311\24lxr\2412\277&\232\325\277.1L\241\206\253\5\326[\1\264\356\252&\347-\246-\275\372\30ry\225\226\6\270{Z(\20\364!\3\331\237\26F \230MY\322\215\5R\37\31\376p\364\302\224\246#_D\1\215\36z", ) \33\20\361\7\260\345v\350=Z\306:\357\22\306\33\1\217B\305\371\26(<\36\222Y\11C\16\210\12\215v\177l7I\250\360\230o#\343\255-Ne\11v\207\371*\255\321\316*\10u\12O\305^\207\6\255\302\225\277\25j'B\211\22\370\226\232\34b0\303\343_@:\361\2\21d\342\355h\227\364X9*\204mI\255n\302\367\207\315\30~V\22\233\5\367&\346\177\20\244\364\\245\14E\350K\275\271\0defPM`\345\320\15\264\5-]+\225ug\265\352D>\311\24lxr\2412\277&\232\325\277.1L\241\206\253\5\326[\1\264\356\252&\347-\246-\275\372\30ry\225\226\6\270{Z(\20\364!\3\331\237\26F \230MY\322\215\5R\37\31\376p\364\302\224\246#_D\1\215\36z", ) == 0x0
 00966   412   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 00967   412   NtQueryVolumeInformationFile  (108, 1237900, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00968   412   NtClose  (12, ... ) == 0x0
 00969   412   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237120,  (0x80100080, {24, 0, 0x40, 0, 1237120, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 00971   412   NtQueryInformationFile  (12, 1238056, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00972   412   NtQueryInformationFile  (12, 1238028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00973   412   NtQueryInformationFile  (12, 1237980, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00974   412   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 00975   412   NtQueryInformationFile  (12, 1382728, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00976   412   NtQueryInformationFile  (12, 1236524, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00977   412   NtQueryInformationFile  (12, 1236368, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00978   412   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236376,  (0x40110080, {24, 0, 0x40, 0, 1236376, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00979   412   NtClose  (-2147482020, ... ) == 0x0
 00978   412   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00980   412   NtQueryVolumeInformationFile  (104, 1235748, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00981   412   NtQueryInformationFile  (104, 1235708, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00982   412   NtQueryVolumeInformationFile  (12, 1235748, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00983   412   NtQueryVolumeInformationFile  (12, 1235432, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00984   412   NtSetInformationFile  (104, 1235536, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00985   412   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 00986   412   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 143360, ) == 0x0
 00987   412   NtClose  (116, ... ) == 0x0
 00988   412   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0PE\0\0L\1\12\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\320S\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0(\222;\0\0\0\0\0\0\0\0\0\320S\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.CODE\0\0\0\0`\1\0\0\20\0\077\1\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00989   412   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "\273\354\206\26\274^d\35K\344`/\306\351K\1\224\311\0\363\344\374\333\246\362\35yC_!#"f3ji\31BEJ\211di\253\346\351q$-^\2569Gb\200@\273\262Y\252X<\14\332\21\357U}u\245\321\220\14 \310#"\273\216\334\253\1\21\5O\35\6|Ub\206\345\334\242\232;m'\270\210G\351\323\220\33g\372\206\267\212\214\232\270\376\266\304^\302\200\274|\364\337\216j\14V\212A\245Eu\330\377[\362\262\2j\334\273\311\265PL\267Q\312d\316*\337\363rp\232|\301oJ\230\272\225\357\313O\24\233ri\20-\350\314\376\333m1Y[c\310sD,N>\200\377\256\363\226K\263 x\224\262\245\360\211\307\14Qn|(u\226\360\273\256\242\3030\265"V\37e\32\262\212}\361HZ\22\345?\275\303\340u\323\375\326\227\325B\1suvv\332\307\220@8#\260C\352\275\246\220<\26\13R\256[\2569\316]\26\351Z\356\353\207,\314\302\324y%\346pV\303\357\241\36\346\262R*\203J\252 \33\1JY\20\252\5!\375o3u\241\2739C\315\20\324\366"\352=B\221\301\321r\245ReIU\220<\322\357G\226\346\307\270\304q*\236P\26\255\320o\23\2\5^\275\273[H\326\231\244KK\333\321\32\13\337\25\313\342V\335P\17\1h:M\36-\21\343R8\215aC\350\210\342\217\243\357\303\222N?D[O`\357O\265\215\243!\241\206\16`\264\273o\21\11\16\374\235u\15\274\5O\217\372\2102~\263\264\6\27\3516\370\263\223\375\177\21\317\226\240\342\4\24\352\323\356\362\205[v\3211:\270!bj\247Mgz\15\200d\262\25+\340\4\2472\343\315o\215\367M\267\212.\314\15d\254\330\324(]{\227\10\26\33\362Tjf\370\364", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) f3ji\31BEJ\211di\253\346\351q$-^\2569Gb\200@\273\262Y\252X<\14\332\21\357U}u\245\321\220\14 \310# (104, 0, 0, 0, "\273\354\206\26\274^d\35K\344`/\306\351K\1\224\311\0\363\344\374\333\246\362\35yC_!#"f3ji\31BEJ\211di\253\346\351q$-^\2569Gb\200@\273\262Y\252X<\14\332\21\357U}u\245\321\220\14 \310#"\273\216\334\253\1\21\5O\35\6|Ub\206\345\334\242\232;m'\270\210G\351\323\220\33g\372\206\267\212\214\232\270\376\266\304^\302\200\274|\364\337\216j\14V\212A\245Eu\330\377[\362\262\2j\334\273\311\265PL\267Q\312d\316*\337\363rp\232|\301oJ\230\272\225\357\313O\24\233ri\20-\350\314\376\333m1Y[c\310sD,N>\200\377\256\363\226K\263 x\224\262\245\360\211\307\14Qn|(u\226\360\273\256\242\3030\265"V\37e\32\262\212}\361HZ\22\345?\275\303\340u\323\375\326\227\325B\1suvv\332\307\220@8#\260C\352\275\246\220<\26\13R\256[\2569\316]\26\351Z\356\353\207,\314\302\324y%\346pV\303\357\241\36\346\262R*\203J\252 \33\1JY\20\252\5!\375o3u\241\2739C\315\20\324\366"\352=B\221\301\321r\245ReIU\220<\322\357G\226\346\307\270\304q*\236P\26\255\320o\23\2\5^\275\273[H\326\231\244KK\333\321\32\13\337\25\313\342V\335P\17\1h:M\36-\21\343R8\215aC\350\210\342\217\243\357\303\222N?D[O`\357O\265\215\243!\241\206\16`\264\273o\21\11\16\374\235u\15\274\5O\217\372\2102~\263\264\6\27\3516\370\263\223\375\177\21\317\226\240\342\4\24\352\323\356\362\205[v\3211:\270!bj\247Mgz\15\200d\262\25+\340\4\2472\343\315o\215\367M\267\212.\314\15d\254\330\324(]{\227\10\26\33\362Tjf\370\364", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) V\37e\32\262\212}\361HZ\22\345?\275\303\340u\323\375\326\227\325B\1suvv\332\307\220@8#\260C\352\275\246\220<\26\13R\256[\2569\316]\26\351Z\356\353\207,\314\302\324y%\346pV\303\357\241\36\346\262R*\203J\252 \33\1JY\20\252\5!\375o3u\241\2739C\315\20\324\366 (104, 0, 0, 0, "\273\354\206\26\274^d\35K\344`/\306\351K\1\224\311\0\363\344\374\333\246\362\35yC_!#"f3ji\31BEJ\211di\253\346\351q$-^\2569Gb\200@\273\262Y\252X<\14\332\21\357U}u\245\321\220\14 \310#"\273\216\334\253\1\21\5O\35\6|Ub\206\345\334\242\232;m'\270\210G\351\323\220\33g\372\206\267\212\214\232\270\376\266\304^\302\200\274|\364\337\216j\14V\212A\245Eu\330\377[\362\262\2j\334\273\311\265PL\267Q\312d\316*\337\363rp\232|\301oJ\230\272\225\357\313O\24\233ri\20-\350\314\376\333m1Y[c\310sD,N>\200\377\256\363\226K\263 x\224\262\245\360\211\307\14Qn|(u\226\360\273\256\242\3030\265"V\37e\32\262\212}\361HZ\22\345?\275\303\340u\323\375\326\227\325B\1suvv\332\307\220@8#\260C\352\275\246\220<\26\13R\256[\2569\316]\26\351Z\356\353\207,\314\302\324y%\346pV\303\357\241\36\346\262R*\203J\252 \33\1JY\20\252\5!\375o3u\241\2739C\315\20\324\366"\352=B\221\301\321r\245ReIU\220<\322\357G\226\346\307\270\304q*\236P\26\255\320o\23\2\5^\275\273[H\326\231\244KK\333\321\32\13\337\25\313\342V\335P\17\1h:M\36-\21\343R8\215aC\350\210\342\217\243\357\303\222N?D[O`\357O\265\215\243!\241\206\16`\264\273o\21\11\16\374\235u\15\274\5O\217\372\2102~\263\264\6\27\3516\370\263\223\375\177\21\317\226\240\342\4\24\352\323\356\362\205[v\3211:\270!bj\247Mgz\15\200d\262\25+\340\4\2472\343\315o\215\367M\267\212.\314\15d\254\330\324(]{\227\10\26\33\362Tjf\370\364", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00990   412   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "\33\304>^\356\5wM\428\34U\366\377\312\367\262\351\367\347\21\345\351\252\217\363\337p\324\35$#\0\27K@J<\33-18\14B\202\1"TO\350U\305 \333\355\350\305\253Fe\1\16\13\26Bb\30\304> \374@\13G+=\351|kW\245\334\213\340\27S\250\277\221\236\\237\24*\342&\23XZL\35i\200C9.\25\13\351\231\5\\232u\227e\202R\324\214\320\21 >KQ\200\7O\23\33\10Jw]\27\4@\11\274j\256U\230*>\231|\237\373,S\34h\20\16\200@\3\12\6VT\0.W`\23H-+\366\231\245\324\225T\307U\254\2P\17\33\0\37\20S=>1%A\2HI\30;<\353\337\25f\356\360\323\18\362\360\261^_\320\311\351V\250x\20\26\17bJd:`\24\32\10V\27xD'\34*T\W*\236\225\371K\322S\221Rvb\0\217\11R\33`\5[,.2\26\256\205\312\312\331\367\353\357\354\356R\277h\36Z~\34\0FR,\3"y\1\356\15\27A>\353\277*Z\321\243Z\243\307", 18949, 0x0, 0, ... {status=0x0, info=18949}, ) TO\350U\305 \333\355\350\305\253Fe\1\16\13\26Bb\30\304> \374@\13G+=\351|kW\245\334\213\340\27S\250\277\221\236\\237\24*\342&\23XZL\35i\200C9.\25\13\351\231\5\\232u\227e\202R\324\214\320\21 >KQ\200\7O\23\33\10Jw]\27\4@\11\274j\256U\230*>\231|\237\373,S\34h\20\16\200@\3\12\6VT\0.W`\23H-+\366\231\245\324\225T\307U\254\2P\17\33\0\37\20S=>1%A\2HI\30;<\353\337\25f\356\360\323\18\362\360\261^_\320\311\351V\250x\20\26\17bJd:`\24\32\10V\27xD'\34*T\W*\236\225\371K\322S\221Rvb\0\217\11R\33`\5[,.2\26\256\205\312\312\331\367\353\357\354\356R\277h\36Z~\34\0FR,\36/3\350\305\227[\255\370]\252N\363\257\337\200\22T\37[I'\354\w\12\1<+2:=\21\36\331\353:\342'\255\3260\273=\26\243\216!\312\330\365\271\210\303\25QG\230\109\30\7/`\12\34C\21\36dT\231\344\22&\352:\343\300\251{\262\371\274\350\216\235\300O.$\06R\24%\151\20T\27]E\5\1\330).\31\352c\332\255U\243\277\177ew\206\300\324\16[\31\4\26\346U\22A$\11\4\242YX\352\316\227\264\252\212\14\264\377(-b\0\27c$LJ\20dF\2727\1\354\235\277[\3606\320%+t\366\257]\260\326\23\344\0\25(NFZQ\33\32x (104, 0, 0, 0, "\33\304>^\356\5wM\428\34U\366\377\312\367\262\351\367\347\21\345\351\252\217\363\337p\324\35$#\0\27K@J<\33-18\14B\202\1"TO\350U\305 \333\355\350\305\253Fe\1\16\13\26Bb\30\304> \374@\13G+=\351|kW\245\334\213\340\27S\250\277\221\236\\237\24*\342&\23XZL\35i\200C9.\25\13\351\231\5\\232u\227e\202R\324\214\320\21 >KQ\200\7O\23\33\10Jw]\27\4@\11\274j\256U\230*>\231|\237\373,S\34h\20\16\200@\3\12\6VT\0.W`\23H-+\366\231\245\324\225T\307U\254\2P\17\33\0\37\20S=>1%A\2HI\30;<\353\337\25f\356\360\323\18\362\360\261^_\320\311\351V\250x\20\26\17bJd:`\24\32\10V\27xD'\34*T\W*\236\225\371K\322S\221Rvb\0\217\11R\33`\5[,.2\26\256\205\312\312\331\367\353\357\354\356R\277h\36Z~\34\0FR,\3"y\1\356\15\27A>\353\277*Z\321\243Z\243\307", 18949, 0x0, 0, ... {status=0x0, info=18949}, ) , 18949, 0x0, 0, ... {status=0x0, info=18949}, ) == 0x0
 00991   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 00992   412   NtSetInformationFile  (104, 1237980, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00993   412   NtClose  (12, ... ) == 0x0
 00994   412   NtClose  (104, ... ) == 0x0
 00995   412   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00996   412   NtSetInformationFile  (104, 1238180, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00997   412   NtClose  (104, ... ) == 0x0
 00998   412   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 00999   412   NtSetInformationFile  (104, 1238180, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01000   412   NtClose  (104, ... ) == 0x0
 01001   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237884,  (0x80100080, {24, 0, 0x40, 0, 1237884, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01002   412   NtQueryInformationFile  (104, 1237936, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01003   412   NtClose  (104, ... ) == 0x0
 01004   412   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1237884,  (0x40100080, {24, 0, 0x40, 0, 1237884, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01005   412   NtSetInformationFile  (104, 1237936, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01006   412   NtClose  (104, ... ) == 0x0
 01007   412   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "alguo.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   412   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1238132,  (0x40100080, {24, 108, 0x40, 0, 1238132, "alguo.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01009   412   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del alguo.bat\15\12", 121, 0x0, 0, ... {status=0x0, info=121}, ) , 121, 0x0, 0, ... {status=0x0, info=121}, ) == 0x0
 01010   412   NtClose  (104, ... ) == 0x0
 01011   412   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231472, ... ) }, 1231472, ... ) == 0x0
 01013   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01014   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01015   412   NtClose  (104, ... ) == 0x0
 01016   412   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 262144, ) == 0x0
 01017   412   NtClose  (12, ... ) == 0x0
 01018   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 01019   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01020   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01021   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01022   412   NtAllocateVirtualMemory  (-1, 1392640, 0, 16384, 4096, 4, ... 1392640, 16384, ) == 0x0
 01023   412   NtUserRegisterClassExWOW  (1233556, 1233636, 1233620, 1233652, 0, 384, 0, ... ) == 0x810cc038
 01024   412   NtUserGetAtomName  (49208, 1232320, ... ) == 0x15
 01025   412   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01026   412   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01027   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229844, ... ) }, 1229844, ... ) == 0x0
 01028   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01029   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01030   412   NtClose  (12, ... ) == 0x0
 01031   412   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1280000), 0x0, 204800, ) == 0x0
 01032   412   NtClose  (104, ... ) == 0x0
 01033   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 01034   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230160, ... ) }, 1230160, ... ) == 0x0
 01035   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01036   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01037   412   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01038   412   NtClose  (104, ... ) == 0x0
 01039   412   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01040   412   NtClose  (12, ... ) == 0x0
 01041   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01042   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01043   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01044   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01045   412   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01046   412   NtClose  (12, ... ) == 0x0
 01047   412   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01048   412   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01049   412   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   412   NtClose  (104, ... ) == 0x0
 01051   412   NtClose  (12, ... ) == 0x0
 01052   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01053   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01054   412   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01055   412   NtClose  (12, ... ) == 0x0
 01056   412   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01057   412   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01058   412   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   412   NtClose  (104, ... ) == 0x0
 01060   412   NtClose  (12, ... ) == 0x0
 01061   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01062   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1229660, ... ) }, 1229660, ... ) == 0x0
 01064   412   NtUserGetProcessWindowStation  (... ) == 0x28
 01065   412   NtUserGetObjectInformation  (40, 2, 0, 0, 1231956, ... ) == 0x0
 01066   412   NtUserGetObjectInformation  (40, 2, 1347056, 16, 1231956, ... ) == 0x1
 01067   412   NtUserGetGUIThreadInfo  (412, 1231912, ... ) == 0x1
 01068   412   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1231732, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1231732, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01069   412   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 408, 412, 1590, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01070   412   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1591, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 408, 412, 1591, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1591, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01071   412   NtUserCallNoParam  (29, ...
 01072   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229204, ... ) }, 1229204, ... ) == 0x0
 01071   412   NtUserCallNoParam  ... ) == 0x0
 01073   412   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01074   412   NtGdiHfontCreate  (1231284, 356, 0, 0, 1356144, ... ) == 0x80a047f
 01075   412   NtGdiHfontCreate  (1231284, 356, 0, 0, 1356136, ... ) == 0x10a0480
 01076   412   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1592, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 408, 412, 1592, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 408, 412, 1592, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01077   412   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1280000), {0, 0}, 331776, ) == 0x0
 01078   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01079   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01080   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01081   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01082   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01083   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01084   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01085   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01086   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01087   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01088   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01089   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01090   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01091   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01092   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01093   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01094   412   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01095   412   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100482
 01096   412   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01097   412   NtUserCallNoParam  (29, ...
 01098   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228648, ... ) }, 1228648, ... ) == 0x0
 01097   412   NtUserCallNoParam  ... ) == 0x0
 01099   412   NtUserCallNoParam  (29, ...
 01100   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228644, ... ) }, 1228644, ... ) == 0x0
 01099   412   NtUserCallNoParam  ... ) == 0x0
 01101   412   NtUserMessageCall  (0x200be, WM_NCCREATE, 0x0, 0x12cd6c, 0, 670, 0, ... ) == 0x1
 01102   412   NtUserMessageCall  (0x200be, WM_NCCALCSIZE, 0x0, 0x12cd94, 0, 670, 0, ... ) == 0x0
 01103   412   NtUserSetProp  (131262, 43288, -1, ... ) == 0x1
 01025   412   NtUserCreateWindowEx  ... ) == 0x200be
 01104   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01105   412   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01107   412   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   412   NtClose  (120, ... ) == 0x0
 01109   412   NtClose  (116, ... ) == 0x0
 01110   412   NtAllocateVirtualMemory  (-1, 1409024, 0, 24576, 4096, 4, ... 1409024, 24576, ) == 0x0
 01111   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01112   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 01114   412   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   412   NtClose  (116, ... ) == 0x0
 01116   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01118   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01119   412   NtQuerySystemTime  (... {569746042, 29873173}, ) == 0x0
 01120   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01121   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   412   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01123   412   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01124   412   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01125   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01126   412   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01127   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 01128   412   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01129   412   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01130   412   NtClose  (140, ... ) == 0x0
 01131   412   NtClose  (136, ... ) == 0x0
 01132   412   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 01133   412   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 01134   412   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01135   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01136   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01137   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01138   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01139   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232084,  (0xc0100080, {24, 0, 0x40, 0, 1232084, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01140   412   NtSetInformationFile  (152, 1232140, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01141   412   NtSetInformationFile  (152, 1232132, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01142   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01143   412   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01144   412   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01145   412   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01146   412   NtClose  (148, ... ) == 0x0
 01147   412   NtClose  (152, ... ) == 0x0
 01148   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1232128, ... ) }, 1232128, ... ) == 0x0
 01149   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01150   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01151   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "alguo.bat"}, 1231948, ... ) }, 1231948, ... ) == 0x0
 01152   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01153   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01154   412   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS
 01155   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01156   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01157   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01159   412   NtQueryValueKey  (148,  (148, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   412   NtClose  (148, ... ) == 0x0
 01161   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01162   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01163   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01165   412   NtQueryValueKey  (148,  (148, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   412   NtClose  (148, ... ) == 0x0
 01167   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01168   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01169   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01171   412   NtQueryValueKey  (148,  (148, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   412   NtClose  (148, ... ) == 0x0
 01173   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01174   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01175   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01177   412   NtQueryValueKey  (148,  (148, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01178   412   NtClose  (148, ... ) == 0x0
 01179   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 148, ) }, ... 148, ) == 0x0
 01180   412   NtEnumerateKey  (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01181   412   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 156, ) }, ... 156, ) == 0x0
 01182   412   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   412   NtClose  (156, ... ) == 0x0
 01184   412   NtEnumerateKey  (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01185   412   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 156, ) }, ... 156, ) == 0x0
 01186   412   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   412   NtClose  (156, ... ) == 0x0
 01188   412   NtEnumerateKey  (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01189   412   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 156, ) }, ... 156, ) == 0x0
 01190   412   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   412   NtClose  (156, ... ) == 0x0
 01192   412   NtEnumerateKey  (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01193   412   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 156, ) }, ... 156, ) == 0x0
 01194   412   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   412   NtClose  (156, ... ) == 0x0
 01196   412   NtEnumerateKey  (148, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01197   412   NtClose  (148, ... ) == 0x0
 01198   412   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01199   412   NtOpenProcessToken  (-1, 0x8, ... 148, ) == 0x0
 01200   412   NtQueryInformationToken  (148, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01201   412   NtClose  (148, ... ) == 0x0
 01202   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01203   412   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0
 01204   412   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 156, ) == 0x0
 01205   412   NtCreateKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "SessionInfo\00000000000091f3"}, 0, 0x0, 1, ... 160, 2, ) }, 0, 0x0, 1, ... 160, 2, ) == 0x0
 01206   412   NtClose  (156, ... ) == 0x0
 01207   412   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   412   NtClose  (160, ... ) == 0x0
 01209   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01211   412   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   412   NtClose  (160, ... ) == 0x0
 01213   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01214   412   NtSetInformationObject  (162, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01215   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01216   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01218   412   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01219   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01220   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01221   412   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01222   412   NtClose  (164, ... ) == 0x0
 01223   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   412   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   412   NtClose  (158, ... ) == 0x0
 01226   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01227   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01229   412   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01230   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01231   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01232   412   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01233   412   NtClose  (164, ... ) == 0x0
 01234   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   412   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01236   412   NtClose  (158, ... ) == 0x0
 01237   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01238   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01239   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01240   412   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01241   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01242   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01243   412   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01244   412   NtClose  (164, ... ) == 0x0
 01245   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   412   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01247   412   NtClose  (158, ... ) == 0x0
 01248   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01250   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01252   412   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01253   412   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 01254   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01255   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01256   412   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01257   412   NtClose  (164, ... ) == 0x0
 01258   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   412   NtQueryValueKey  (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01260   412   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01261   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01262   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01263   412   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01264   412   NtClose  (164, ... ) == 0x0
 01265   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01266   412   NtQueryValueKey  (158,  (158, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   412   NtClose  (158, ... ) == 0x0
 01268   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01269   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01270   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01271   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0
 01272   412   NtQueryValueKey  (156,  (156, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01273   412   NtClose  (156, ... ) == 0x0
 01274   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01275   412   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01276   412   NtClose  (156, ... ) == 0x0
 01277   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 156, ) }, ... 156, ) == 0x0
 01278   412   NtQueryValueKey  (156,  (156, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01279   412   NtClose  (156, ... ) == 0x0
 01280   412   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01281   412   NtQueryValueKey  (156, " (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01282   412   NtClose  (156, ... ) == 0x0
 01283   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01284   412   NtQueryVolumeInformationFile  (156, 1232268, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01285   412   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 164, ) }, ... 164, ) == 0x0
 01286   412   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 01287   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 168, ) }, ... 168, ) == 0x0
 01288   412   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x12e0000), {0, 0}, 57344, ) == 0x0
 01289   412   NtQueryInformationFile  (156, 1232232, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01290   412   NtQueryInformationFile  (156, 1232272, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01291   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01292   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01293   412   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01294   412   NtClose  (172, ... ) == 0x0
 01295   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01296   412   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 01297   412   NtClose  (156, ... ) == 0x0
 01298   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01299   412   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01300   412   NtClose  (156, ... ) == 0x0
 01301   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1230020, ... ) }, 1230020, ... ) == 0x0
 01305   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01306   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 172, ) == 0x0
 01307   412   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01308   412   NtClose  (156, ... ) == 0x0
 01309   412   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01310   412   NtClose  (172, ... ) == 0x0
 01311   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01313   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01314   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1229216, ... ) }, 1229216, ... ) == 0x0
 01315   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01316   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 156, ) == 0x0
 01317   412   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01318   412   NtClose  (172, ... ) == 0x0
 01319   412   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01320   412   NtClose  (156, ... ) == 0x0
 01321   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01322   412   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01323   412   NtClose  (156, ... ) == 0x0
 01324   412   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 156, ) }, ... 156, ) == 0x0
 01327   412   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   412   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329   412   NtClose  (156, ... ) == 0x0
 01330   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1230048, ... ) }, 1230048, ... ) == 0x0
 01331   412   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   412   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01333   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01334   412   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01335   412   NtClose  (156, ... ) == 0x0
 01336   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 156, ) }, ... 156, ) == 0x0
 01337   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01338   412   NtNotifyChangeKey  (156, 172, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01339   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 176, ) }, ... 176, ) == 0x0
 01340   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01341   412   NtNotifyChangeKey  (176, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01342   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01343   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 188, ) }, ... 188, ) == 0x0
 01344   412   NtSetInformationObject  (188, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01345   412   NtNotifyChangeKey  (188, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01346   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 192, ) }, ... 192, ) == 0x0
 01347   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01348   412   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01349   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01350   412   NtNotifyChangeKey  (188, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01351   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01352   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01353   412   NtNotifyChangeKey  (204, 208, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01354   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01355   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01356   412   NtNotifyChangeKey  (212, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01357   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 220, ) }, ... 220, ) == 0x0
 01358   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01359   412   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01360   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 228, ) }, ... 228, ) == 0x0
 01361   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01362   412   NtNotifyChangeKey  (228, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01363   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 01364   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01365   412   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01366   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01367   412   NtNotifyChangeKey  (188, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01368   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01369   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01370   412   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01371   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01372   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01373   412   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01374   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01375   412   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01376   412   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01377   412   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 272, ) }, ... 272, ) == 0x0
 01379   412   NtQueryValueKey  (272,  (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01380   412   NtClose  (272, ... ) == 0x0
 01381   412   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 01382   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01383   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01384   412   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 272, ) }, ... 272, ) == 0x0
 01385   412   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x12f0000), {0, 0}, 24576, ) == 0x0
 01386   412   NtAllocateVirtualMemory  (-1, 18898944, 0, 8192, 4096, 4, ... 18898944, 8192, ) == 0x0
 01387   412   NtAllocateVirtualMemory  (-1, 18907136, 0, 8192, 4096, 4, ... 18907136, 8192, ) == 0x0
 01388   412   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01390   412   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01391   412   NtClose  (276, ... ) == 0x0
 01392   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01393   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01394   412   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 19922944, 65536, ) == 0x0
 01395   412   NtAllocateVirtualMemory  (-1, 19922944, 0, 4096, 4096, 4, ... 19922944, 4096, ) == 0x0
 01396   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01397   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01399   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01400   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01401   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01402   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01403   412   NtClose  (280, ... ) == 0x0
 01404   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   412   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01406   412   NtClose  (278, ... ) == 0x0
 01407   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01408   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01410   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01411   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01412   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01413   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01414   412   NtClose  (280, ... ) == 0x0
 01415   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01417   412   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01418   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01419   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01420   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01421   412   NtClose  (284, ... ) == 0x0
 01422   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01423   412   NtQueryValueKey  (282,  (282, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424   412   NtClose  (282, ... ) == 0x0
 01425   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01426   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01427   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01428   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01429   412   NtClose  (280, ... ) == 0x0
 01430   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01433   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01434   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01435   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01436   412   NtClose  (280, ... ) == 0x0
 01437   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01440   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01441   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01442   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01443   412   NtClose  (280, ... ) == 0x0
 01444   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01446   412   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01447   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01448   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01449   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01450   412   NtClose  (284, ... ) == 0x0
 01451   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   412   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01453   412   NtClose  (282, ... ) == 0x0
 01454   412   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01455   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01456   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01457   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01458   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01459   412   NtClose  (280, ... ) == 0x0
 01460   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01463   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01464   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01465   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01466   412   NtClose  (280, ... ) == 0x0
 01467   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01470   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01471   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01472   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01473   412   NtClose  (280, ... ) == 0x0
 01474   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01477   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01478   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01479   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01480   412   NtClose  (280, ... ) == 0x0
 01481   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01484   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01486   412   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01487   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01488   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01489   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01490   412   NtClose  (284, ... ) == 0x0
 01491   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492   412   NtQueryValueKey  (282,  (282, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493   412   NtClose  (282, ... ) == 0x0
 01494   412   NtClose  (278, ... ) == 0x0
 01495   412   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {408, 0}, ... 276, ) == 0x0
 01496   412   NtQueryInformationProcess  (276, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01497   412   NtClose  (276, ... ) == 0x0
 01498   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01499   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01500   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01501   412   NtClose  (278, ... ) == 0x0
 01502   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01503   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01505   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01506   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01507   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01508   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01509   412   NtClose  (280, ... ) == 0x0
 01510   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   412   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01512   412   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01513   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01514   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01515   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01516   412   NtClose  (284, ... ) == 0x0
 01517   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   412   NtQueryValueKey  (282,  (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01519   412   NtClose  (282, ... ) == 0x0
 01520   412   NtClose  (278, ... ) == 0x0
 01521   412   NtAllocateVirtualMemory  (-1, 1445888, 0, 8192, 4096, 4, ... 1445888, 8192, ) == 0x0
 01522   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01523   412   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01525   412   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01526   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01527   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01528   412   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01529   412   NtClose  (280, ... ) == 0x0
 01530   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531   412   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   412   NtClose  (278, ... ) == 0x0
 01533   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226440, ... ) }, 1226440, ... ) == 0x0
 01534   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01535   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01536   412   NtClose  (276, ... ) == 0x0
 01537   412   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1310000), 0x0, 1339392, ) == 0x0
 01538   412   NtClose  (280, ... ) == 0x0
 01539   412   NtUnmapViewOfSection  (-1, 0x1310000, ... ) == 0x0
 01540   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226756, ... ) }, 1226756, ... ) == 0x0
 01541   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01542   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01543   412   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01544   412   NtClose  (280, ... ) == 0x0
 01545   412   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01546   412   NtClose  (276, ... ) == 0x0
 01547   412   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01548   412   NtQueryDefaultUILanguage  (1225120, ...
 01549   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01550   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01551   412   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01552   412   NtClose  (-2147482020, ... ) == 0x0
 01553   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01554   412   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   412   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01556   412   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   412   NtClose  (-2147482032, ... ) == 0x0
 01558   412   NtClose  (-2147482020, ... ) == 0x0
 01548   412   NtQueryDefaultUILanguage  ... ) == 0x0
 01559   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01561   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 280, ) == 0x0
 01562   412   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1310000), 0x0, 1339392, ) == 0x0
 01563   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   412   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 01565   412   NtQueryDefaultLocale  (1, 1223156, ... ) == 0x0
 01566   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   412   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1593, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 412, 1593, 0}  (24, {128, 156, new_msg, 0, 1224012, 1, 96, 0} "\210\6\27\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1593, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\27\1\24\1\0\0\377\377\377\377\0\0\0\0\10\340<\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\27\1\0\0\0\0\0\0\0\0L\264\22\0\0\0\0\0" )  ) == 0x0
 01568   412   NtClose  (276, ... ) == 0x0
 01569   412   NtClose  (280, ... ) == 0x0
 01570   412   NtUnmapViewOfSection  (-1, 0x1310000, ... ) == 0x0
 01571   412   NtUnmapViewOfSection  (-1, 0x12b44c, ... ) == STATUS_NOT_MAPPED_VIEW
 01572   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01573   412   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01575   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01576   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1221696, ... ) }, 1221696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01578   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01579   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01580   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1222288, ... ) }, 1222288, ... ) == 0x0
 01581   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 280, {status=0x0, info=1}, ) }, 3, 33, ... 280, {status=0x0, info=1}, ) == 0x0
 01582   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01583   412   NtUserFindExistingCursorIcon  (1226240, 1226256, 1226824, ... ) == 0x10011
 01584   412   NtUserRegisterClassExWOW  (1226692, 1226772, 1226756, 1226788, 0, 384, 0, ... ) == 0x810c0000
 01585   412   NtUserGetClassInfo  (1905590272, 1226856, 1226808, 1226884, 0, ... ) == 0xc05f
 01586   412   NtGdiCreateHalftonePalette  (0, ... ) == 0x1080483
 01587   412   NtGdiDoPalette  (17302659, 0, 256, 1225948, 2, 0, ... ) == 0x100
 01588   412   NtGdiDeleteObjectApp  (17302659, ... ) == 0x1
 01589   412   NtGdiCreateCompatibleDC  (0, ... ) == 0x2010483
 01590   412   NtGdiCreatePaletteInternal  (1225944, 256, ... ) == 0x1080484
 01591   412   NtGdiDeleteObjectApp  (33621123, ... ) == 0x1
 01592   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01593   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 276, ) }, ... 276, ) == 0x0
 01595   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01596   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01597   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01598   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01599   412   NtClose  (284, ... ) == 0x0
 01600   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   412   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01602   412   NtClose  (278, ... ) == 0x0
 01603   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01604   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01606   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01607   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01608   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01609   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01610   412   NtClose  (284, ... ) == 0x0
 01611   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612   412   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01613   412   NtClose  (278, ... ) == 0x0
 01614   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01617   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01618   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01620   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   412   NtClose  (284, ... ) == 0x0
 01622   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   412   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01624   412   NtClose  (278, ... ) == 0x0
 01625   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01626   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01627   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01628   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01629   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01630   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01631   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01632   412   NtClose  (284, ... ) == 0x0
 01633   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01634   412   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01635   412   NtClose  (278, ... ) == 0x0
 01636   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01637   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01639   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01640   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01641   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01642   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01643   412   NtClose  (284, ... ) == 0x0
 01644   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   412   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01646   412   NtClose  (278, ... ) == 0x0
 01647   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   412   NtAllocateVirtualMemory  (-1, 1454080, 0, 12288, 4096, 4, ... 1454080, 12288, ) == 0x0
 01649   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01650   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01651   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01652   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01653   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01654   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01655   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01656   412   NtClose  (284, ... ) == 0x0
 01657   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01658   412   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   412   NtClose  (278, ... ) == 0x0
 01660   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01661   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01662   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01663   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 01664   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01665   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01666   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01667   412   NtClose  (284, ... ) == 0x0
 01668   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   412   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   412   NtClose  (278, ... ) == 0x0
 01671   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01672   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01673   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01674   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 01675   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01676   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01677   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01678   412   NtClose  (284, ... ) == 0x0
 01679   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   412   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   412   NtClose  (278, ... ) == 0x0
 01682   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01683   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01684   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01685   412   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01686   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01687   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01688   412   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01689   412   NtClose  (284, ... ) == 0x0
 01690   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   412   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01692   412   NtClose  (278, ... ) == 0x0
 01693   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 276, ) }, ... 276, ) == 0x0
 01694   412   NtEnumerateValueKey  (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01695   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01696   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01697   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01698   412   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01699   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01700   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01701   412   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01702   412   NtClose  (288, ... ) == 0x0
 01703   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   412   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01705   412   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01706   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01707   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01708   412   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01709   412   NtClose  (288, ... ) == 0x0
 01710   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01711   412   NtQueryValueKey  (286,  (286, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712   412   NtClose  (286, ... ) == 0x0
 01713   412   NtEnumerateValueKey  (276, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01714   412   NtClose  (276, ... ) == 0x0
 01715   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01716   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01717   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1231400, ... ) }, 1231400, ... ) == 0x0
 01718   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01719   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01720   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01721   412   NtQueryValueKey  (276,  (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01722   412   NtClose  (276, ... ) == 0x0
 01723   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01724   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01725   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1232428, ... ) }, 1232428, ... ) == 0x0
 01726   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01727   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01728   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01729   412   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01730   412   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01731   412   NtClose  (276, ... ) == 0x0
 01732   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01734   412   NtQueryValueKey  (276,  (276, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   412   NtClose  (276, ... ) == 0x0
 01736   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01737   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01738   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01739   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01740   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01741   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01742   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01743   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01744   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01745   412   NtQueryDefaultLocale  (1, 1232716, ... ) == 0x0
 01746   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 276, ) }, ... 276, ) == 0x0
 01747   412   NtEnumerateKey  (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01748   412   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 284, ) }, ... 284, ) == 0x0
 01749   412   NtQueryValueKey  (284,  (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (284, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01750   412   NtQueryValueKey  (284,  (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (284, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01751   412   NtClose  (284, ... ) == 0x0
 01752   412   NtEnumerateKey  (276, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01753   412   NtClose  (276, ... ) == 0x0
 01754   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01756   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01757   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01759   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01764   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01769   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01770   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01771   412   NtClose  (276, ... ) == 0x0
 01772   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01774   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01775   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01776   412   NtClose  (276, ... ) == 0x0
 01777   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01779   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01780   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01781   412   NtClose  (276, ... ) == 0x0
 01782   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01784   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01785   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01786   412   NtClose  (276, ... ) == 0x0
 01787   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01788   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01789   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01790   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01791   412   NtClose  (276, ... ) == 0x0
 01792   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01794   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01795   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01796   412   NtClose  (276, ... ) == 0x0
 01797   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01799   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01800   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01801   412   NtClose  (276, ... ) == 0x0
 01802   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01804   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01805   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01806   412   NtClose  (276, ... ) == 0x0
 01807   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01809   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01810   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01811   412   NtClose  (276, ... ) == 0x0
 01812   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01813   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01814   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01815   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01816   412   NtClose  (276, ... ) == 0x0
 01817   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01819   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01820   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01821   412   NtClose  (276, ... ) == 0x0
 01822   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01824   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01825   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01826   412   NtClose  (276, ... ) == 0x0
 01827   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01828   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01829   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01830   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01831   412   NtClose  (276, ... ) == 0x0
 01832   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01834   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01835   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01836   412   NtClose  (276, ... ) == 0x0
 01837   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01838   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01839   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01840   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01841   412   NtClose  (276, ... ) == 0x0
 01842   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01843   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01844   412   NtQueryValueKey  (276,  (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01845   412   NtClose  (276, ... ) == 0x0
 01846   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01847   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01848   412   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01849   412   NtClose  (276, ... ) == 0x0
 01850   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   412   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01852   412   NtOpenProcessToken  (-1, 0xa, ... 276, ) == 0x0
 01853   412   NtDuplicateToken  (276, 0xc, {24, 0, 0x0, 0, 1233236, 0x0}, 0, 2, ... 284, ) == 0x0
 01854   412   NtClose  (276, ... ) == 0x0
 01855   412   NtAccessCheck  (1455520, 284, 0x1, 1233364, 1233308, 56, 1233392, ... (0x1), ) == 0x0
 01856   412   NtClose  (284, ... ) == 0x0
 01857   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 01858   412   NtQueryValueKey  (284,  (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (284, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01859   412   NtClose  (284, ... ) == 0x0
 01860   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233252,  (0x80100080, {24, 0, 0x40, 0, 1233252, "\??\u:\work\alguo.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0
 01861   412   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 276, ) }, ... 276, ) == 0x0
 01862   412   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\WinDfs\U:00000000000091f3", 66, ) , 66, ) == 0x0
 01863   412   NtClose  (276, ... ) == 0x0
 01864   412   NtQueryInformationFile  (284, 1231696, 528, Name, ... {status=0x0, info=70}, ) == 0x0
 01865   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01866   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01867   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\alguo.bat"}, 1230376, ... ) }, 1230376, ... ) == 0x0
 01868   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01869   412   NtQueryDirectoryFile  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1,  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 01870   412   NtClose  (276, ... ) == 0x0
 01871   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 276, {status=0x0, info=1}, ) }, 3, 16417, ... 276, {status=0x0, info=1}, ) == 0x0
 01872   412   NtQueryDirectoryFile  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1,  (276, 0, 0, 0, 1229736, 616, BothDirectory, 1, "alguo.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01873   412   NtClose  (276, ... ) == 0x0
 01874   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01879   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1231108, ... ) }, 1231108, ... ) == 0x0
 01880   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01881   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 288, ) == 0x0
 01882   412   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01883   412   NtClose  (276, ... ) == 0x0
 01884   412   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01885   412   NtClose  (288, ... ) == 0x0
 01886   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 288, ) }, ... 288, ) == 0x0
 01887   412   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01888   412   NtClose  (288, ... ) == 0x0
 01889   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01890   412   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19988480, 262144, ) == 0x0
 01891   412   NtAllocateVirtualMemory  (-1, 19988480, 0, 4096, 4096, 4, ... 19988480, 4096, ) == 0x0
 01892   412   NtAllocateVirtualMemory  (-1, 19992576, 0, 8192, 4096, 4, ... 19992576, 8192, ) == 0x0
 01893   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01894   412   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20250624, 1048576, ) == 0x0
 01895   412   NtAllocateVirtualMemory  (-1, 20250624, 0, 1048576, 4096, 4, ... 20250624, 1048576, ) == 0x0
 01896   412   NtCreateMutant  (0x1f0001, 0x0, 0, ... 288, ) == 0x0
 01897   412   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 276, ) == 0x0
 01898   412   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 01899   412   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 296, ) == 0x0
 01900   412   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 01901   412   NtSetEvent  (300, ... 0x0, ) == 0x0
 01902   412   NtSetInformationFile  (284, 1233136, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01903   412   NtReadFile  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (284, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 01904   412   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01905   412   NtClearEvent  (276, ... ) == 0x0
 01906   412   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01907   412   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 01908   412   NtSetEvent  (276, ... 0x0, ) == 0x0
 01909   412   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01910   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01911   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01912   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 01913   412   NtClose  (304, ... ) == 0x0
 01914   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01915   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01916   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01917   412   NtClose  (304, ... ) == 0x0
 01918   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01919   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01920   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 01921   412   NtClose  (304, ... ) == 0x0
 01922   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01923   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01924   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 01925   412   NtClose  (304, ... ) == 0x0
 01926   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01927   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01928   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 01929   412   NtClose  (304, ... ) == 0x0
 01930   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01931   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01932   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 01933   412   NtClose  (304, ... ) == 0x0
 01934   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 01936   412   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 01937   412   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 01938   412   NtClose  (304, ... ) == 0x0
 01939   412   NtWaitForMultipleObjects  (2, (288, 276, ), 0, 0, 0x0, ... ) == 0x0
 01940   412   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 01941   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01942   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 01943   412   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01944   412   NtClose  (304, ... ) == 0x0
 01945   412   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01946   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01947   412   NtClose  (304, ... ) == 0x0
 01948   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 304, ) }, ... 304, ) == 0x0
 01949   412   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01950   412   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01951   412   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01952   412   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01953   412   NtClose  (304, ... ) == 0x0
 01954   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 304, ) }, ... 304, ) == 0x0
 01955   412   NtQueryValueKey  (304,  (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01956   412   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01957   412   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01958   412   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01959   412   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01960   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1230424, ... ) }, 1230424, ... ) == 0x0
 01961   412   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 308, ) }, ... 308, ) == 0x0
 01962   412   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01963   412   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01964   412   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01965   412   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01966   412   NtClose  (308, ... ) == 0x0
 01967   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   412   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01969   412   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01970   412   NtQueryInformationToken  (308, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01971   412   NtClose  (308, ... ) == 0x0
 01972   412   NtClose  (304, ... ) == 0x0
 01973   412   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01974   412   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01975   412   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01976   412   NtClose  (304, ... ) == 0x0
 01977   412   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01978   412   NtCreateKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0
 01979   412   NtClose  (304, ... ) == 0x0
 01980   412   NtQueryValueKey  (308,  (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 01981   412   NtClose  (308, ... ) == 0x0
 01982   412   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01983   412   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 01984   412   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01985   412   NtClose  (308, ... ) == 0x0
 01986   412   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 01987   412   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 304, ) }, ... 304, ) == 0x0
 01988   412   NtClose  (308, ... ) == 0x0
 01989   412   NtQueryValueKey  (304,  (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 01990   412   NtClose  (304, ... ) == 0x0
 01991   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01992   412   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 01993   412   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 01994   412   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01995   412   NtClose  (304, ... ) == 0x0
 01996   412   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01997   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   412   NtClose  (304, ... ) == 0x0
 01999   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   412   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 284, ... 304, ) == 0x0
 02001   412   NtMapViewOfSection  (304, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1450000), {0, 0}, 4096, ) == 0x0
 02002   412   NtClose  (304, ... ) == 0x0
 02003   412   NtQueryInformationFile  (284, 1232640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02004   412   NtUnmapViewOfSection  (-1, 0x1450000, ... ) == 0x0
 02005   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02006   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02007   412   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02008   412   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02009   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02010   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02011   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02012   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02013   412   NtClose  (316, ... ) == 0x0
 02014   412   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02015   412   NtClose  (312, ... ) == 0x0
 02016   412   NtClose  (308, ... ) == 0x0
 02017   412   NtClose  (304, ... ) == 0x0
 02018   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02019   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02020   412   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 312, ) }, ... 312, ) == 0x0
 02021   412   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02022   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 316, ) }, ... 316, ) == 0x0
 02023   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02024   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02025   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02026   412   NtClose  (316, ... ) == 0x0
 02027   412   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02028   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02029   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02030   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02031   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02032   412   NtClose  (316, ... ) == 0x0
 02033   412   NtEnumerateKey  (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02034   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 316, ) }, ... 316, ) == 0x0
 02035   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02036   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02037   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02038   412   NtClose  (316, ... ) == 0x0
 02039   412   NtEnumerateKey  (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02040   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02041   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02042   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02043   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02044   412   NtClose  (316, ... ) == 0x0
 02045   412   NtEnumerateKey  (312, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02046   412   NtClose  (312, ... ) == 0x0
 02047   412   NtClose  (308, ... ) == 0x0
 02048   412   NtClose  (304, ... ) == 0x0
 02049   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02050   412   NtEnumerateKey  (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02051   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02052   412   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02053   412   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02054   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02055   412   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02056   412   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02057   412   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02058   412   NtClose  (316, ... ) == 0x0
 02059   412   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02060   412   NtClose  (312, ... ) == 0x0
 02061   412   NtClose  (308, ... ) == 0x0
 02062   412   NtEnumerateKey  (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02063   412   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 1"}, ... 308, ) }, ... 308, ) == 0x0
 02064   412   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02065   412   NtClose  (308, ... ) == 0x0
 02066   412   NtEnumerateKey  (304, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02067   412   NtClose  (304, ... ) == 0x0
 02068   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230168, ... ) }, 1230168, ... ) == 0x0
 02069   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 02070   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 304, ... 308, ) == 0x0
 02071   412   NtClose  (304, ... ) == 0x0
 02072   412   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1450000), 0x0, 16384, ) == 0x0
 02073   412   NtClose  (308, ... ) == 0x0
 02074   412   NtUnmapViewOfSection  (-1, 0x1450000, ... ) == 0x0
 02075   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230484, ... ) }, 1230484, ... ) == 0x0
 02076   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02077   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 02078   412   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02079   412   NtClose  (308, ... ) == 0x0
 02080   412   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02081   412   NtClose  (304, ... ) == 0x0
 02082   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1229744, ... ) }, 1229744, ... ) == 0x0
 02083   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 304, ) == 0x0
 02084   412   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21430272, 1048576, ) == 0x0
 02085   412   NtAllocateVirtualMemory  (-1, 22470656, 0, 8192, 4096, 4, ... 22470656, 8192, ) == 0x0
 02086   412   NtProtectVirtualMemory  (-1, (0x156e000), 4096, 260, ... (0x156e000), 4096, 4, ) == 0x0
 02087   412   NtCreateThread  (0x1f03ff, 0x0, -1, 1231692, 1232408, 1, ... 308, {408, 880}, ) == 0x0
 02088   412   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=408,Tid=880,}, 0x0, ) == 0x0
 02089   412   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0\230\1\0\0p\3\0\0" ... {28, 56, reply, 0, 408, 412, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0\230\1\0\0p\3\0\0" )  ... {28, 56, reply, 0, 408, 412, 1594, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0\230\1\0\0p\3\0\0" ... {28, 56, reply, 0, 408, 412, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0\230\1\0\0p\3\0\0" )  ) == 0x0
 02090   412   NtResumeThread  (308, ... 1, ) == 0x0
 02091   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... }, ...
 02092   880   NtTestAlert  (... ) == 0x0
 02093   880   NtContinue  (22478128, 1, ...
 02094   880   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02095   880   NtWaitForMultipleObjects  (1, (304, ), 1, 0, {-150000000, -1}, ...
 02091   412   NtOpenKey  ... 312, ) == 0x0
 02096   412   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02097   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 0"}, ... 316, ) }, ... 316, ) == 0x0
 02098   412   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 320, ) }, ... 320, ) == 0x0
 02099   412   NtEnumerateKey  (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02100   412   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 324, ) }, ... 324, ) == 0x0
 02101   412   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02102   412   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02103   412   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02104   412   NtClose  (324, ... ) == 0x0
 02105   412   NtEnumerateKey  (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02106   412   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02107   412   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02108   412   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02109   412   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02110   412   NtClose  (324, ... ) == 0x0
 02111   412   NtEnumerateKey  (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02112   412   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 324, ) }, ... 324, ) == 0x0
 02113   412   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02114   412   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02115   412   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02116   412   NtClose  (324, ... ) == 0x0
 02117   412   NtEnumerateKey  (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02118   412   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02119   412   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02120   412   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02121   412   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02122   412   NtClose  (324, ... ) == 0x0
 02123   412   NtEnumerateKey  (320, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02124   412   NtClose  (320, ... ) == 0x0
 02125   412   NtClose  (316, ... ) == 0x0
 02126   412   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02127   412   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 1"}, ... 316, ) }, ... 316, ) == 0x0
 02128   412   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   412   NtClose  (316, ... ) == 0x0
 02130   412   NtEnumerateKey  (312, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02131   412   NtClose  (312, ... ) == 0x0
 02132   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02133   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1230476, ... ) }, 1230476, ... ) == 0x0
 02136   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02137   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02138   412   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02139   412   NtClose  (312, ... ) == 0x0
 02140   412   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02141   412   NtClose  (316, ... ) == 0x0
 02142   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02143   412   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 21299200, 65536, ) == 0x0
 02144   412   NtAllocateVirtualMemory  (-1, 21299200, 0, 4096, 4096, 4, ... 21299200, 4096, ) == 0x0
 02145   412   NtAllocateVirtualMemory  (-1, 21303296, 0, 8192, 4096, 4, ... 21303296, 8192, ) == 0x0
 02146   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1230064, ... ) }, 1230064, ... ) == 0x0
 02147   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02148   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02149   412   NtClose  (316, ... ) == 0x0
 02150   412   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1570000), 0x0, 262144, ) == 0x0
 02151   412   NtClose  (312, ... ) == 0x0
 02152   412   NtUnmapViewOfSection  (-1, 0x1570000, ... ) == 0x0
 02153   412   NtAllocateLocallyUniqueId  (... {97355, 0}, ) == 0x0
 02154   412   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02155   412   NtOpenProcessToken  (-1, 0x20008, ... 312, ) == 0x0
 02156   412   NtQueryInformationToken  (312, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02157   412   NtClose  (312, ... ) == 0x0
 02158   412   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231384, 0,  (0xf0007, {24, 52, 0x80, 1231384, 0, "DfSharedHeap17C4B"}, {4194304, 0}, 4, 67108864, 0, ... 312, ) }, {4194304, 0}, 4, 67108864, 0, ... 312, ) == 0x0
 02159   412   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1570000), {0, 0}, 4194304, ) == 0x0
 02160   412   NtAllocateVirtualMemory  (-1, 22478848, 0, 16376, 4096, 4, ... 22478848, 16384, ) == 0x0
 02161   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228900,  (0x80100080, {24, 0, 0x40, 0, 1228900, "\??\UNC\missouri\binaries\work\alguo.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 02162   412   NtReadFile  (316, 0, 0, 1231604, 512, {0, 0}, 0, ... {status=0x0, info=121},  (316, 0, 0, 1231604, 512, {0, 0}, 0, ... {status=0x0, info=121}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del alguo.bat\15\12", ) , ) == 0x0
 02163   412   NtClose  (316, ... ) == 0x0
 02164   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230168, ... ) }, 1230168, ... ) == 0x0
 02165   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02166   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 320, ) == 0x0
 02167   412   NtClose  (316, ... ) == 0x0
 02168   412   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1970000), 0x0, 69632, ) == 0x0
 02169   412   NtClose  (320, ... ) == 0x0
 02170   412   NtUnmapViewOfSection  (-1, 0x1970000, ... ) == 0x0
 02171   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230484, ... ) }, 1230484, ... ) == 0x0
 02172   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02173   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 02174   412   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02175   412   NtClose  (320, ... ) == 0x0
 02176   412   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02177   412   NtClose  (316, ... ) == 0x0
 02178   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02179   412   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02180   412   NtClose  (316, ... ) == 0x0
 02181   412   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02182   412   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02183   412   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02184   412   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02185   412   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02186   412   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02187   412   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02188   412   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02189   412   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02190   412   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02191   412   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02192   412   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02193   412   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02194   412   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02195   412   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02196   412   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02197   412   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02198   412   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02199   412   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02200   412   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02201   412   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02202   412   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02203   412   NtOpenProcessToken  (-1, 0x8, ... 316, ) == 0x0
 02204   412   NtQueryInformationToken  (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02205   412   NtClose  (316, ... ) == 0x0
 02206   412   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02207   412   NtReleaseMutant  (16, ...
 02208   412   NtContinue  (-136314744, 0, ...
 02207   412   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02209   412   NtQueryDefaultLocale  (1, 1229164, ... ) == 0x0
 02210   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232   412   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02233   412   NtReleaseMutant  (16, ...
 02234   412   NtContinue  (-136314744, 0, ...
 02233   412   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02235   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227156, ... ) }, 1227156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02238   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02242   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02243   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227464, ... ) }, 1227464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02247   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02248   412   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02249   412   NtClose  (316, ... ) == 0x0
 02250   412   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0
 02251   412   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0
 02252   412   NtClose  (316, ... ) == 0x0
 02253   412   NtQueryValueKey  (320,  (320, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02254   412   NtQueryValueKey  (320,  (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02255   412   NtClose  (320, ... ) == 0x0
 02256   412   NtClose  (284, ... ) == 0x0
 02257   412   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 26673152, 4096, ) == 0x0
 02258   412   NtAllocateVirtualMemory  (-1, 26673152, 0, 4096, 4096, 4, ... 26673152, 4096, ) == 0x0
 02259   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 284, ) }, ... 284, ) == 0x0
 02260   412   NtQueryValueKey  (284,  (284, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02261   412   NtClose  (284, ... ) == 0x0
 02262   412   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   412   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02264   412   NtOpenProcessToken  (-1, 0x2000a, ... 284, ) == 0x0
 02265   412   NtQueryInformationToken  (284, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   412   NtQueryInformationToken  (284, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02267   412   NtClose  (284, ... ) == 0x0
 02268   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02270   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02271   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02272   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02273   412   NtQueryValueKey  (284,  (284, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02274   412   NtClose  (284, ... ) == 0x0
 02275   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02276   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02277   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02278   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 284, ) }, ... 284, ) == 0x0
 02279   412   NtQueryValueKey  (284,  (284, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   412   NtClose  (284, ... ) == 0x0
 02281   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02282   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 02284   412   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02285   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02286   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 02287   412   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02288   412   NtClose  (320, ... ) == 0x0
 02289   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   412   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02291   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1229772, ... ) }, 1229772, ... ) == 0x0
 02292   412   NtClose  (286, ... ) == 0x0
 02293   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02294   412   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 284, {status=0x0, info=1}, ) }, 3, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02295   412   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 320, ) }, ... 320, ) == 0x0
 02296   412   NtQuerySymbolicLinkObject  (320, ...  (320, ... "\Device\WinDfs\U:00000000000091f3", 66, ) , 66, ) == 0x0
 02297   412   NtClose  (320, ... ) == 0x0
 02298   412   NtQueryVolumeInformationFile  (284, 1233124, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02299   412   NtClose  (284, ... ) == 0x0
 02300   412   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02301   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 284, ) }, ... 284, ) == 0x0
 02302   412   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 320, ) }, ... 320, ) == 0x0
 02303   412   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02304   412   NtQueryValueKey  (320,  (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02305   412   NtClose  (320, ... ) == 0x0
 02306   412   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02307   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02308   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02309   412   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02311   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02312   412   NtClose  (320, ... ) == 0x0
 02313   412   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02314   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02315   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02316   412   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02318   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02319   412   NtClose  (320, ... ) == 0x0
 02320   412   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02321   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02322   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02323   412   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02324   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02325   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02326   412   NtClose  (320, ... ) == 0x0
 02327   412   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02328   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02329   412   NtQueryValueKey  (320,  (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02330   412   NtQueryValueKey  (320,  (320, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02331   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02332   412   NtQueryValueKey  (320,  (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02333   412   NtClose  (320, ... ) == 0x0
 02334   412   NtClose  (284, ... ) == 0x0
 02335   412   NtQueryDefaultLocale  (1, 1232676, ... ) == 0x0
 02336   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02337   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02338   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02339   412   NtClose  (284, ... ) == 0x0
 02340   412   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 12288, ) == 0x0
 02341   412   NtClose  (320, ... ) == 0x0
 02342   412   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02343   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02344   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02345   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02346   412   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02347   412   NtClose  (320, ... ) == 0x0
 02348   412   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02349   412   NtClose  (284, ... ) == 0x0
 02350   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 284, ) }, ... 284, ) == 0x0
 02351   412   NtQueryValueKey  (284,  (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (284, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02352   412   NtClose  (284, ... ) == 0x0
 02353   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02354   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02355   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 320, ) == 0x0
 02356   412   NtClose  (284, ... ) == 0x0
 02357   412   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 40960, ) == 0x0
 02358   412   NtClose  (320, ... ) == 0x0
 02359   412   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02360   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02361   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02362   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02363   412   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02364   412   NtClose  (320, ... ) == 0x0
 02365   412   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02366   412   NtClose  (284, ... ) == 0x0
 02367   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1230192, ... ) }, 1230192, ... ) == 0x0
 02369   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02370   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02371   412   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02372   412   NtClose  (284, ... ) == 0x0
 02373   412   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02374   412   NtClose  (320, ... ) == 0x0
 02375   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1230192, ... ) }, 1230192, ... ) == 0x0
 02377   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02378   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02379   412   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02380   412   NtClose  (320, ... ) == 0x0
 02381   412   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02382   412   NtClose  (284, ... ) == 0x0
 02383   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02384   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1229388, ... ) }, 1229388, ... ) == 0x0
 02385   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02386   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 320, ) == 0x0
 02387   412   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02388   412   NtClose  (284, ... ) == 0x0
 02389   412   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02390   412   NtClose  (320, ... ) == 0x0
 02391   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1229388, ... ) }, 1229388, ... ) == 0x0
 02393   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02394   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 284, ) == 0x0
 02395   412   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02396   412   NtClose  (320, ... ) == 0x0
 02397   412   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02398   412   NtClose  (284, ... ) == 0x0
 02399   412   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 284, ) }, ... 284, ) == 0x0
 02400   412   NtQueryValueKey  (284,  (284, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   412   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 320, ) == 0x0
 02402   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230688, ... ) }, 1230688, ... ) == 0x0
 02403   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02404   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02405   412   NtClose  (316, ... ) == 0x0
 02406   412   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 24576, ) == 0x0
 02407   412   NtClose  (324, ... ) == 0x0
 02408   412   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02409   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231004, ... ) }, 1231004, ... ) == 0x0
 02410   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02411   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02412   412   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02413   412   NtClose  (324, ... ) == 0x0
 02414   412   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02415   412   NtClose  (316, ... ) == 0x0
 02416   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02417   412   NtQueryValueKey  (316,  (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02418   412   NtClose  (316, ... ) == 0x0
 02419   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02420   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02421   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02422   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02423   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230680, ... ) }, 1230680, ... ) == 0x0
 02424   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02425   412   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 324, ) == 0x0
 02426   412   NtClose  (316, ... ) == 0x0
 02427   412   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1980000), 0x0, 122880, ) == 0x0
 02428   412   NtClose  (324, ... ) == 0x0
 02429   412   NtUnmapViewOfSection  (-1, 0x1980000, ... ) == 0x0
 02430   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02431   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02432   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02433   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02434   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230996, ... ) }, 1230996, ... ) == 0x0
 02435   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02436   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 316, ) == 0x0
 02437   412   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02438   412   NtClose  (324, ... ) == 0x0
 02439   412   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02440   412   NtClose  (316, ... ) == 0x0
 02441   412   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02442   412   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02443   412   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02444   412   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02445   412   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02446   412   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02447   412   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02448   412   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02449   412   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02450   412   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02451   412   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02452   412   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02453   412   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02454   412   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 26738688, 65536, ) == 0x0
 02455   412   NtAllocateVirtualMemory  (-1, 26738688, 0, 4096, 4096, 4, ... 26738688, 4096, ) == 0x0
 02456   412   NtAllocateVirtualMemory  (-1, 26742784, 0, 8192, 4096, 4, ... 26742784, 8192, ) == 0x0
 02457   412   NtAllocateVirtualMemory  (-1, 26750976, 0, 4096, 4096, 4, ... 26750976, 4096, ) == 0x0
 02458   412   NtQueryPerformanceCounter  (... {105826146, 0}, {3579545, 0}, ) == 0x0
 02459   412   NtRaiseException  (1230488, 1229748, 1, ...
 02460   412   NtContinue  (1228544, 0, ...
 02461   412   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 316, ) }, ... 316, ) == 0x0
 02462   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02463   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02464   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02465   412   NtRaiseException  (1220464, 1219724, 1, ...
 02466   412   NtContinue  (1218520, 0, ...
 02467   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02468   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02470   412   NtRaiseException  (1222224, 1221484, 1, ...
 02471   412   NtContinue  (1220280, 0, ...
 02472   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02473   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02474   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02475   412   NtRaiseException  (1222228, 1221488, 1, ...
 02476   412   NtContinue  (1220284, 0, ...
 02477   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02478   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02479   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02480   412   NtRaiseException  (1222224, 1221484, 1, ...
 02481   412   NtContinue  (1220280, 0, ...
 02482   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02483   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02484   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02485   412   NtRaiseException  (1222228, 1221488, 1, ...
 02486   412   NtContinue  (1220284, 0, ...
 02487   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02488   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02489   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02490   412   NtRaiseException  (1222224, 1221484, 1, ...
 02491   412   NtContinue  (1220280, 0, ...
 02492   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02493   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02495   412   NtRaiseException  (1222228, 1221488, 1, ...
 02496   412   NtContinue  (1220284, 0, ...
 02497   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02498   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02499   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02500   412   NtRaiseException  (1222224, 1221484, 1, ...
 02501   412   NtContinue  (1220280, 0, ...
 02502   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02503   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02504   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02505   412   NtRaiseException  (1222228, 1221488, 1, ...
 02506   412   NtContinue  (1220284, 0, ...
 02507   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02508   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02509   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02510   412   NtRaiseException  (1222224, 1221484, 1, ...
 02511   412   NtContinue  (1220280, 0, ...
 02512   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02513   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02514   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02515   412   NtRaiseException  (1222228, 1221488, 1, ...
 02516   412   NtContinue  (1220284, 0, ...
 02517   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02518   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02519   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02520   412   NtRaiseException  (1222224, 1221484, 1, ...
 02521   412   NtContinue  (1220280, 0, ...
 02522   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02523   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02524   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02525   412   NtRaiseException  (1222228, 1221488, 1, ...
 02526   412   NtContinue  (1220284, 0, ...
 02527   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02528   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02529   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02530   412   NtRaiseException  (1222224, 1221484, 1, ...
 02531   412   NtContinue  (1220280, 0, ...
 02532   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02533   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02534   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02535   412   NtRaiseException  (1222228, 1221488, 1, ...
 02536   412   NtContinue  (1220284, 0, ...
 02537   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02538   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02540   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02541   412   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {408, 0}, ... 324, ) == 0x0
 02542   412   NtQueryInformationProcess  (324, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02543   412   NtClose  (324, ... ) == 0x0
 02544   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02545   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02546   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 02547   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02548   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02549   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229704,  (0xc0100080, {24, 0, 0x40, 0, 1229704, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02550   412   NtSetInformationFile  (328, 1229760, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02551   412   NtSetInformationFile  (328, 1229752, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02552   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02553   412   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02554   412   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02555   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\211\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02556   412   NtClose  (324, ... ) == 0x0
 02557   412   NtClose  (328, ... ) == 0x0
 02558   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02559   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02560   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02561   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02562   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229704,  (0xc0100080, {24, 0, 0x40, 0, 1229704, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02563   412   NtSetInformationFile  (324, 1229760, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02564   412   NtSetInformationFile  (324, 1229752, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02565   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02566   412   NtWriteFile  (324, 129, 0, 0,  (324, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02567   412   NtReadFile  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02568   412   NtFsControlFile  (324, 129, 0x0, 0x0, 0x11c017,  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\212\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02569   412   NtClose  (328, ... ) == 0x0
 02570   412   NtClose  (324, ... ) == 0x0
 02571   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02572   412   NtQueryKey  (324, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02573   412   NtQuerySecurityObject  (324, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02574   412   NtQuerySecurityObject  (324, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02575   412   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 26804224, 524288, ) == 0x0
 02576   412   NtAllocateVirtualMemory  (-1, 26804224, 0, 4096, 4096, 4, ... 26804224, 4096, ) == 0x0
 02577   412   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02578   412   NtClose  (324, ... ) == 0x0
 02579   412   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02580   412   NtFsControlFile  (324, 0, 0x0, 0x0, 0x600bc,  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02581   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02582   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02583   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02584   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02585   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231144,  (0xc0100080, {24, 0, 0x40, 0, 1231144, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02586   412   NtSetInformationFile  (332, 1231200, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02587   412   NtSetInformationFile  (332, 1231192, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02588   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02589   412   NtWriteFile  (332, 129, 0, 0,  (332, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02590   412   NtReadFile  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02591   412   NtFsControlFile  (332, 129, 0x0, 0x0, 0x11c017,  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\220\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\220\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02592   412   NtClose  (328, ... ) == 0x0
 02593   412   NtClose  (332, ... ) == 0x0
 02594   412   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02595   412   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02596   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230656, ... ) }, 1230656, ... ) == 0x0
 02597   412   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02598   412   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02599   412   NtClose  (332, ... ) == 0x0
 02600   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02601   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02602   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02603   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02604   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231180,  (0xc0100080, {24, 0, 0x40, 0, 1231180, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02605   412   NtSetInformationFile  (328, 1231236, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02606   412   NtSetInformationFile  (328, 1231228, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02607   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02608   412   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02609   412   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02610   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20+\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02611   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0 (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0 (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02612   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02613   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) R\365Z\10@\334\21\261\310\0\14)\371\246\305 (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0"R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) \5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) == 0x103
 02614   412   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0#R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02615   412   NtClose  (332, ... ) == 0x0
 02616   412   NtClose  (328, ... ) == 0x0
 02617   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02618   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02619   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02620   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02621   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230648, ... ) }, 1230648, ... ) == 0x0
 02622   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02623   412   NtQueryValueKey  (328,  (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 02624   412   NtClose  (328, ... ) == 0x0
 02625   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02626   412   NtQueryValueKey  (328,  (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 02627   412   NtClose  (328, ... ) == 0x0
 02628   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 02629   412   NtQueryValueKey  (328,  (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02630   412   NtClose  (328, ... ) == 0x0
 02631   412   NtRaiseException  (1221148, 1220408, 1, ...
 02632   412   NtContinue  (1219204, 0, ...
 02633   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02634   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02636   412   NtRaiseException  (1221144, 1220404, 1, ...
 02637   412   NtContinue  (1219200, 0, ...
 02638   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02639   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02641   412   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1231812, 0,  (0x1f0001, {24, 52, 0x80, 1231812, 0, "HGFSMUTEX"}, 1, ... 328, ) }, 1, ... 328, ) == 0x0
 02642   412   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02643   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02645   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1228832, ... ) }, 1228832, ... ) == 0x0
 02646   412   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02647   412   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 02648   412   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02649   412   NtClose  (332, ... ) == 0x0
 02650   412   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 02651   412   NtClose  (336, ... ) == 0x0
 02652   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02653   412   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 336, ) }, 0, 2147483647, ... 336, ) == STATUS_OBJECT_NAME_EXISTS
 02654   412   NtReleaseSemaphore  (336, 1, ... 0, ) == 0x0
 02655   412   NtWaitForSingleObject  (336, 0, {0, 0}, ... ) == 0x0
 02656   412   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02657   412   NtQueryValueKey  (332,  (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 02658   412   NtClose  (332, ... ) == 0x0
 02659   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1229364, ... ) }, 1229364, ... ) == 0x0
 02660   412   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02661   412   NtSetValueKey  (332,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 02662   412   NtClose  (332, ... ) == 0x0
 02663   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02664   412   NtQueryDirectoryFile  (332, 0, 0, 0, 1229504, 616, BothDirectory, 1,  (332, 0, 0, 0, 1229504, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 02665   412   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 02666   412   NtRaiseException  (1220784, 1220044, 1, ...
 02667   412   NtContinue  (1218840, 0, ...
 02668   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02669   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02670   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02671   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1231812, 1231388,  (0xc0100080, {24, 0, 0x40, 1231812, 1231388, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02672   412   NtRaiseException  (1220784, 1220044, 1, ...
 02673   412   NtContinue  (1218840, 0, ...
 02674   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02675   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02677   412   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231812, 0,  (0xf0007, {24, 52, 0x80, 1231812, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 340, ... 344, ) }, {27876, 0}, 4, 134217728, 340, ... 344, ) == 0x0
 02678   412   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1a20000), {0, 0}, 28672, ) == 0x0
 02679   412   NtReleaseMutant  (328, ... 0x0, ) == 0x0
 02680   412   NtRaiseException  (1222200, 1221460, 1, ...
 02681   412   NtContinue  (1220256, 0, ...
 02682   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02683   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02684   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02685   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232856, 1232444,  (0xc0100080, {24, 0, 0x40, 1232856, 1232444, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 02686   412   NtDeviceIoControlFile  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 02687   412   NtClose  (348, ... ) == 0x0
 02688   412   NtRaiseException  (1222180, 1221440, 1, ...
 02689   412   NtContinue  (1220236, 0, ...
 02690   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02691   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02692   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02693   412   NtRaiseException  (1222200, 1221460, 1, ...
 02694   412   NtContinue  (1220256, 0, ...
 02695   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 02696   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02697   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 02698   412   NtAllocateVirtualMemory  (-1, 1466368, 0, 20480, 4096, 4, ... 1466368, 20480, ) == 0x0
 02699   412   NtAllocateVirtualMemory  (-1, 1486848, 0, 20480, 4096, 4, ... 1486848, 20480, ) == 0x0
 02700   412   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02701   412   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02702   412   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 02703   412   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 02704   412   NtClose  (348, ... ) == 0x0
 02705   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02706   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02707   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02708   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02709   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231120,  (0xc0100080, {24, 0, 0x40, 0, 1231120, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02710   412   NtSetInformationFile  (352, 1231176, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02711   412   NtSetInformationFile  (352, 1231168, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02712   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02713   412   NtWriteFile  (352, 129, 0, 0,  (352, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02714   412   NtReadFile  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02715   412   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02716   412   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02717   412   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02718   412   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0$R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02719   412   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0%R\365Z\10@\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02720   412   NtClose  (348, ... ) == 0x0
 02721   412   NtClose  (352, ... ) == 0x0
 02722   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02723   412   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02724   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02725   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02726   412   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231212,  (0xc0100080, {24, 0, 0x40, 0, 1231212, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02727   412   NtSetInformationFile  (348, 1231268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02728   412   NtSetInformationFile  (348, 1231260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02729   412   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02730   412   NtWriteFile  (348, 129, 0, 0,  (348, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02731   412   NtReadFile  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20w#\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02732   412   NtFsControlFile  (348, 129, 0x0, 0x0, 0x11c017,  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20w#\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20w#\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02733   412   NtClose  (352, ... ) == 0x0
 02734   412   NtClose  (348, ... ) == 0x0
 02735   412   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02736   412   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02737   412   NtClose  (348, ... ) == 0x0
 02738   412   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02739   412   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02740   412   NtClose  (348, ... ) == 0x0
 02741   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02742   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02743   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02744   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02745   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02746   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02747   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   412   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02750   412   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02751   412   NtClose  (348, ... ) == 0x0
 02752   412   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02753   412   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02754   412   NtClose  (348, ... ) == 0x0
 02755   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02756   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02757   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02759   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02761   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02763   412   NtWaitForSingleObject  (320, 0, {-70000000, -1}, ... ) == 0x0
 02764   412   NtReleaseSemaphore  (320, 1, ... 0x0, ) == 0x0
 02765   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02766   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02767   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02768   412   NtClose  (348, ... ) == 0x0
 02769   412   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02770   412   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Network"}, ... 352, ) }, ... 352, ) == 0x0
 02771   412   NtClose  (348, ... ) == 0x0
 02772   412   NtQueryKey  (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 02773   412   NtQuerySecurityObject  (352, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02774   412   NtQuerySecurityObject  (352, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02775   412   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02776   412   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 02777   412   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "f"}, ... 348, ) }, ... 348, ) == 0x0
 02778   412   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02779   412   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02780   412   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02781   412   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02782   412   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02783   412   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02784   412   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02785   412   NtClose  (348, ... ) == 0x0
 02786   412   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 02787   412   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "u"}, ... 348, ) }, ... 348, ) == 0x0
 02788   412   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02789   412   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02790   412   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02791   412   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02792   412   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02793   412   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02794   412   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02795   412   NtClose  (348, ... ) == 0x0
 02796   412   NtClose  (352, ... ) == 0x0
 02797   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02798   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02799   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02800   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02801   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02802   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02803   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 352, ) }, ... 352, ) == 0x0
 02804   412   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02805   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02806   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02807   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02808   412   NtClose  (348, ... ) == 0x0
 02809   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   412   NtEnumerateKey  (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 02811   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02812   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02813   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 348, ) }, ... 348, ) == 0x0
 02814   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 02815   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02816   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02817   412   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02818   412   NtClose  (356, ... ) == 0x0
 02819   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   412   NtQueryValueKey  (350,  (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02821   412   NtClose  (350, ... ) == 0x0
 02822   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02823   412   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 348, {status=0x0, info=1}, ) }, 3, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02824   412   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 356, ) }, ... 356, ) == 0x0
 02825   412   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\WinDfs\U:00000000000091f3", 66, ) , 66, ) == 0x0
 02826   412   NtClose  (356, ... ) == 0x0
 02827   412   NtQueryVolumeInformationFile  (348, 1232532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02828   412   NtClose  (348, ... ) == 0x0
 02829   412   NtEnumerateKey  (354, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02830   412   NtClose  (354, ... ) == 0x0
 02831   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02832   412   NtQueryDirectoryFile  (352, 0, 0, 0, 1231320, 616, BothDirectory, 1,  (352, 0, 0, 0, 1231320, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02833   412   NtClose  (352, ... ) == 0x0
 02834   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02835   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 352, ) }, ... 352, ) == 0x0
 02837   412   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02838   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02839   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02840   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02841   412   NtClose  (348, ... ) == 0x0
 02842   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02843   412   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02844   412   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02845   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02846   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02847   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02848   412   NtClose  (348, ... ) == 0x0
 02849   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02850   412   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 02851   412   NtClose  (354, ... ) == 0x0
 02852   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02853   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02854   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02855   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02856   412   NtQueryValueKey  (352,  (352, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02857   412   NtClose  (352, ... ) == 0x0
 02858   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02859   412   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 02860   412   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02861   412   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02862   412   NtClose  (352, ... ) == 0x0
 02863   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02864   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02865   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02866   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02867   412   NtQueryValueKey  (352,  (352, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02868   412   NtClose  (352, ... ) == 0x0
 02869   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02870   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02871   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02872   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02873   412   NtQueryValueKey  (352,  (352, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02874   412   NtClose  (352, ... ) == 0x0
 02875   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02876   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02877   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02878   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02879   412   NtQueryValueKey  (352,  (352, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02880   412   NtClose  (352, ... ) == 0x0
 02881   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02882   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02883   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02884   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02885   412   NtQueryValueKey  (352,  (352, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02886   412   NtClose  (352, ... ) == 0x0
 02887   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02888   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02889   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02890   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02891   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02892   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02893   412   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02894   412   NtClose  (352, ... ) == 0x0
 02895   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02896   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02897   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02899   412   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02900   412   NtClose  (352, ... ) == 0x0
 02901   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02902   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02903   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02904   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02905   412   NtQueryValueKey  (352,  (352, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02906   412   NtClose  (352, ... ) == 0x0
 02907   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02908   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02909   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02910   412   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "Advanced"}, ... 352, ) }, ... 352, ) == 0x0
 02911   412   NtQueryValueKey  (352,  (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 02912   412   NtQueryValueKey  (352,  (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02913   412   NtQueryValueKey  (352,  (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02914   412   NtQueryValueKey  (352,  (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02915   412   NtQueryValueKey  (352,  (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02916   412   NtQueryValueKey  (352,  (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02917   412   NtQueryValueKey  (352,  (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02918   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02919   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02920   412   NtQueryValueKey  (352,  (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02921   412   NtQueryValueKey  (352,  (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02922   412   NtQueryValueKey  (352,  (352, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02923   412   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02924   412   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02925   412   NtClose  (352, ... ) == 0x0
 02926   412   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1356160, 0,  (0x1f0003, {24, 52, 0x80, 1356160, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 352, ) }, 0, 2147483647, ... 352, ) == STATUS_OBJECT_NAME_EXISTS
 02927   412   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 02928   412   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 02929   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02930   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02931   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02932   412   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02933   412   NtClose  (356, ... ) == 0x0
 02934   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02935   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02936   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02937   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02938   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02939   412   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02940   412   NtClose  (356, ... ) == 0x0
 02941   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02942   412   NtQueryValueKey  (350,  (350, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02943   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02944   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02945   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02946   412   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02947   412   NtClose  (356, ... ) == 0x0
 02948   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02949   412   NtQueryValueKey  (350,  (350, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02950   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02951   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02952   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02953   412   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02954   412   NtClose  (356, ... ) == 0x0
 02955   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02956   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02957   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02958   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02959   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 356, ) }, ... 356, ) == 0x0
 02960   412   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 02961   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02962   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02963   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02964   412   NtClose  (360, ... ) == 0x0
 02965   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02966   412   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02967   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02968   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02969   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02970   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02971   412   NtClose  (360, ... ) == 0x0
 02972   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02973   412   NtQueryValueKey  (350,  (350, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02974   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02975   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02976   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02977   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02978   412   NtClose  (360, ... ) == 0x0
 02979   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02980   412   NtQueryValueKey  (350,  (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02981   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02982   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02983   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02984   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02985   412   NtClose  (360, ... ) == 0x0
 02986   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02987   412   NtQueryValueKey  (350,  (350, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02988   412   NtClose  (350, ... ) == 0x0
 02989   412   NtClose  (358, ... ) == 0x0
 02990   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02991   412   NtQueryDirectoryFile  (356, 0, 0, 0, 1231248, 616, BothDirectory, 1,  (356, 0, 0, 0, 1231248, 616, BothDirectory, 1, "alguo.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02992   412   NtClose  (356, ... ) == 0x0
 02993   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02994   412   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "FileExts"}, ... 356, ) }, ... 356, ) == 0x0
 02995   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02996   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02997   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02998   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02999   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03000   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 348, ) }, ... 348, ) == 0x0
 03001   412   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03002   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03003   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03004   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03005   412   NtClose  (360, ... ) == 0x0
 03006   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03007   412   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03008   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03009   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03010   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 360, ) }, ... 360, ) == 0x0
 03011   412   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03012   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03013   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03014   412   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03015   412   NtClose  (364, ... ) == 0x0
 03016   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03017   412   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03018   412   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03019   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03020   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03021   412   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03022   412   NtClose  (364, ... ) == 0x0
 03023   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024   412   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0, ""}, ... 364, ) == 0x0
 03025   412   NtClose  (362, ... ) == 0x0
 03026   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03027   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03028   412   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03029   412   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03030   412   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03031   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03032   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03033   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03034   412   NtClose  (360, ... ) == 0x0
 03035   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03036   412   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03037   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03038   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03041   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03043   412   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03044   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03045   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03046   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03047   412   NtClose  (368, ... ) == 0x0
 03048   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049   412   NtQueryValueKey  (362,  (362, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03050   412   NtClose  (362, ... ) == 0x0
 03051   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03052   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03053   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03054   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03055   412   NtClose  (360, ... ) == 0x0
 03056   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03057   412   NtQueryValueKey  (366,  (366, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03058   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03059   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03060   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03061   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03062   412   NtClose  (360, ... ) == 0x0
 03063   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03064   412   NtQueryValueKey  (366,  (366, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03065   412   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03066   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03067   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03068   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03069   412   NtClose  (360, ... ) == 0x0
 03070   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03071   412   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03072   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03073   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03074   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 360, ) }, ... 360, ) == 0x0
 03075   412   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03076   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03077   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03078   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03079   412   NtClose  (368, ... ) == 0x0
 03080   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03081   412   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03082   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03083   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03084   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03085   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03086   412   NtClose  (368, ... ) == 0x0
 03087   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03088   412   NtQueryValueKey  (366,  (366, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03089   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03090   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03091   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03092   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03093   412   NtClose  (368, ... ) == 0x0
 03094   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03095   412   NtQueryValueKey  (366,  (366, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03096   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03097   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03098   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03099   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03100   412   NtClose  (368, ... ) == 0x0
 03101   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03102   412   NtQueryValueKey  (366,  (366, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03103   412   NtClose  (350, ... ) == 0x0
 03104   412   NtClose  (366, ... ) == 0x0
 03105   412   NtClose  (362, ... ) == 0x0
 03106   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03107   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03109   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03111   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03112   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03113   412   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03114   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03115   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03116   412   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03117   412   NtClose  (364, ... ) == 0x0
 03118   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03119   412   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03120   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03121   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03122   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 364, ) }, ... 364, ) == 0x0
 03123   412   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03124   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03125   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03126   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03127   412   NtClose  (348, ... ) == 0x0
 03128   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03129   412   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03130   412   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03131   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03132   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03133   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03134   412   NtClose  (348, ... ) == 0x0
 03135   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   412   NtOpenKey  (0x2000000, {24, 366, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03137   412   NtClose  (366, ... ) == 0x0
 03138   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03139   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03140   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03141   412   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03142   412   NtClose  (364, ... ) == 0x0
 03143   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03144   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03145   412   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03146   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03147   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03148   412   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03149   412   NtClose  (364, ... ) == 0x0
 03150   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03151   412   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03152   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03153   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03154   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03155   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03156   412   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03157   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03158   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03159   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03160   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03161   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03162   412   NtClose  (368, ... ) == 0x0
 03163   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   412   NtQueryValueKey  (366,  (366, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   412   NtClose  (366, ... ) == 0x0
 03166   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03167   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 364, ) }, ... 364, ) == 0x0
 03169   412   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03170   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03171   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03172   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03173   412   NtClose  (368, ... ) == 0x0
 03174   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   412   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   412   NtClose  (362, ... ) == 0x0
 03177   412   NtClose  (350, ... ) == 0x0
 03178   412   NtClose  (366, ... ) == 0x0
 03179   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03180   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03181   412   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03182   412   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03183   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03184   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03185   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03186   412   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03187   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03188   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03189   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03190   412   NtClose  (348, ... ) == 0x0
 03191   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   412   NtQueryValueKey  (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03193   412   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03194   412   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03195   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 348, ) }, ... 348, ) == 0x0
 03196   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03197   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03198   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03199   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03200   412   NtClose  (360, ... ) == 0x0
 03201   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03202   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03203   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03204   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03205   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03206   412   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03207   412   NtClose  (360, ... ) == 0x0
 03208   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03209   412   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0, ""}, ... 360, ) == 0x0
 03210   412   NtClose  (350, ... ) == 0x0
 03211   412   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03212   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03213   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03214   412   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03215   412   NtClose  (348, ... ) == 0x0
 03216   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03217   412   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "shell\open"}, ... 348, ) }, ... 348, ) == 0x0
 03218   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03219   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03220   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03221   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03222   412   NtClose  (368, ... ) == 0x0
 03223   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03224   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03225   412   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03226   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03227   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03228   412   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03229   412   NtClose  (372, ... ) == 0x0
 03230   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03231   412   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03232   412   NtClose  (370, ... ) == 0x0
 03233   412   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03234   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03235   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03236   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03237   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03238   412   NtClose  (368, ... ) == 0x0
 03239   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03240   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03241   412   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03242   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03243   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03244   412   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03245   412   NtClose  (372, ... ) == 0x0
 03246   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03247   412   NtQueryValueKey  (370,  (370, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03248   412   NtClose  (370, ... ) == 0x0
 03249   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\alguo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03250   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03251   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03252   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03253   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03254   412   NtClose  (368, ... ) == 0x0
 03255   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03256   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03257   412   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03258   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03259   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03260   412   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03261   412   NtClose  (372, ... ) == 0x0
 03262   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03263   412   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03264   412   NtClose  (370, ... ) == 0x0
 03265   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03266   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03267   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03268   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03269   412   NtClose  (368, ... ) == 0x0
 03270   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03271   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   412   NtUserGetForegroundWindow  (... ) == 0x100ac
 03273   412   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03274   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03275   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03276   412   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03277   412   NtClose  (368, ... ) == 0x0
 03278   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03279   412   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03280   412   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03281   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03282   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03283   412   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03284   412   NtClose  (372, ... ) == 0x0
 03285   412   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03286   412   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03287   412   NtClose  (370, ... ) == 0x0
 03288   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03289   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03290   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03291   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03292   412   NtQueryValueKey  (368,  (368, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03293   412   NtClose  (368, ... ) == 0x0
 03294   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03295   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03296   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03297   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03298   412   NtQueryValueKey  (368,  (368, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299   412   NtClose  (368, ... ) == 0x0
 03300   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\alguo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   412   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03302   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\alguo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   412   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03304   412   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03305   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03306   412   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03307   412   NtQueryValueKey  (368,  (368, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03308   412   NtClose  (368, ... ) == 0x0
 03309   412   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\alguo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03310   412   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03311   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1227728, ... ) }, 1227728, ... ) == 0x0
 03312   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03313   412   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03314   412   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03315   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 372, ) }, ... 372, ) == 0x0
 03316   412   NtQueryValueKey  (372,  (372, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03317   412   NtClose  (372, ... ) == 0x0
 03318   412   NtQueryVolumeInformationFile  (368, 1227728, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03319   412   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03320   412   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03321   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1225712, ... ) }, 1225712, ... ) == 0x0
 03322   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03323   412   NtQueryInformationFile  (372, 1226316, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03324   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0
 03325   412   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1a30000), 0x0, 1028096, ) == 0x0
 03326   412   NtQueryInformationFile  (372, 1226412, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03327   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03328   412   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03329   412   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03330   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03331   412   NtQueryDirectoryFile  (380, 0, 0, 0, 1223976, 616, BothDirectory, 1,  (380, 0, 0, 0, 1223976, 616, BothDirectory, 1, "alguo.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03332   412   NtClose  (380, ... ) == 0x0
 03333   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03334   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03335   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1223364, ... ) }, 1223364, ... ) == 0x0
 03336   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03337   412   NtQueryDirectoryFile  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03338   412   NtClose  (380, ... ) == 0x0
 03339   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03340   412   NtQueryDirectoryFile  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222724, 616, BothDirectory, 1, "alguo.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03341   412   NtClose  (380, ... ) == 0x0
 03342   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03343   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03344   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03345   412   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 380, {status=0x0, info=1}, ) }, 3, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 03346   412   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 384, ) }, ... 384, ) == 0x0
 03347   412   NtQuerySymbolicLinkObject  (384, ...  (384, ... "\Device\WinDfs\U:00000000000091f3", 66, ) , 66, ) == 0x0
 03348   412   NtClose  (384, ... ) == 0x0
 03349   412   NtQueryVolumeInformationFile  (380, 1224116, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03350   412   NtClose  (380, ... ) == 0x0
 03351   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03352   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 380, ) == 0x0
 03353   412   NtQueryInformationToken  (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03354   412   NtClose  (380, ... ) == 0x0
 03355   412   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03356   412   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\alguo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03357   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03358   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03359   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\alguo.bat"}, 1225644, ... ) }, 1225644, ... ) == 0x0
 03360   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03361   412   NtQueryDirectoryFile  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03362   412   NtClose  (380, ... ) == 0x0
 03363   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03364   412   NtQueryDirectoryFile  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225004, 616, BothDirectory, 1, "alguo.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03365   412   NtClose  (380, ... ) == 0x0
 03366   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03367   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03368   412   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03369   412   NtQueryVolumeInformationFile  (368, 1226288, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03370   412   NtQueryInformationFile  (368, 1226268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03371   412   NtQueryInformationFile  (368, 1226308, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03372   412   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03373   412   NtUnmapViewOfSection  (-1, 0x1a30000, ... ) == 0x0
 03374   412   NtClose  (376, ... ) == 0x0
 03375   412   NtClose  (372, ... ) == 0x0
 03376   412   NtClose  (368, ... ) == 0x0
 03377   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03378   412   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03379   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1227704, ... ) }, 1227704, ... ) == 0x0
 03380   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03381   412   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03382   412   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... 372, ) == 0x0
 03383   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03384   412   NtQuerySection  (372, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03385   412   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03386   412   NtCreateProcessEx  (1230356, 2035711, 0, -1, 0, 372, 0, 0, 0, ... ) == 0x0
 03387   412   NtSetInformationProcess  (376, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03388   412   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=884,ParentPid=408,}, 0x0, ) == 0x0
 03389   412   NtReadVirtualMemory  (376, 0x7ffdf008, 4, ...  (376, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03390   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03391   412   NtReadVirtualMemory  (376, 0x4ad00000, 4096, ...  (376, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03392   412   NtReadVirtualMemory  (376, 0x4ad3b000, 256, ...  (376, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03393   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03394   412   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=884,ParentPid=408,}, 0x0, ) == 0x0
 03395   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1228420, ... ) }, 1228420, ... ) == 0x0
 03396   412   NtAllocateVirtualMemory  (-1, 0, 0, 1640, 4096, 4, ... 27459584, 4096, ) == 0x0
 03397   412   NtAllocateVirtualMemory  (376, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03398   412   NtWriteVirtualMemory  (376, 0x10000,  (376, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03399   412   NtAllocateVirtualMemory  (376, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0
 03400   412   NtWriteVirtualMemory  (376, 0x20000,  (376, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0:\0<\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0
 03401   412   NtWriteVirtualMemory  (376, 0x7ffdf010,  (376, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03402   412   NtWriteVirtualMemory  (376, 0x7ffdf1e8,  (376, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03403   412   NtFreeVirtualMemory  (-1, (0x1a30000), 0, 32768, ... (0x1a30000), 4096, ) == 0x0
 03404   412   NtAllocateVirtualMemory  (376, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03405   412   NtAllocateVirtualMemory  (376, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03406   412   NtCreateThread  (0x1f03ff, 0x0, 376, 1228620, 1229340, 1, ... 380, {884, 888}, ) == 0x0
 03407   412   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0t\3\0\0x\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1596, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0t\3\0\0x\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 408, 412, 1596, 0}  (24, {168, 196, new_msg, 0, 0, 1230452, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0t\3\0\0x\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1596, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0t\3\0\0x\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\0\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03408   412   NtResumeThread  (380, ... 1, ) == 0x0
 03409   412   NtClose  (368, ... ) == 0x0
 03410   412   NtClose  (372, ... ) == 0x0
 03411   412   NtClose  (350, ... ) == 0x0
 03412   412   NtClose  (366, ... ) == 0x0
 03413   412   NtClose  (362, ... ) == 0x0
 03414   412   NtClose  (376, ... ) == 0x0
 03415   412   NtClose  (380, ... ) == 0x0
 03416   412   NtGdiDeleteObjectApp  (17302660, ... ) == 0x1
 03417   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03418   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03419   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03420   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03421   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03422   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03423   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03424   412   NtUserGetClassInfo  (1989935104, 1232660, 1232612, 1232688, 0, ... ) == 0x0
 03425   412   NtUnmapViewOfSection  (-1, 0x1460000, ... ) == 0x0
 03426   412   NtClose  (280, ... ) == 0x0
 03427   412   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03428   412   NtUserDestroyWindow  (131262, ...
 03429   412   NtUserRemoveProp  (131262, 43288, ... ) == 0xffffffff
 03430   412   NtUserRemoveProp  (131262, 43282, ... ) == 0x0
 03431   412   NtUserRemoveProp  (131262, 43287, ... ) == 0x0
 03428   412   NtUserDestroyWindow  ... ) == 0x1
 03432   412   NtUserUnregisterClass  (1233800, 1998258176, 1233788, ... ) == 0x1
 03433   412   NtFreeVirtualMemory  (-1, (0x152000), 12288, 16384, ... (0x152000), 12288, ) == 0x0
 03434   412   NtClose  (184, ... ) == 0x0
 03435   412   NtClose  (176, ... ) == 0x0
 03436   412   NtClose  (180, ... ) == 0x0
 03437   412   NtClose  (156, ... ) == 0x0
 03438   412   NtClose  (172, ... ) == 0x0
 03439   412   NtClose  (204, ... ) == 0x0
 03440   412   NtClose  (208, ... ) == 0x0
 03441   412   NtClose  (200, ... ) == 0x0
 03442   412   NtClose  (192, ... ) == 0x0
 03443   412   NtClose  (196, ... ) == 0x0
 03444   412   NtClose  (220, ... ) == 0x0
 03445   412   NtClose  (224, ... ) == 0x0
 03446   412   NtClose  (212, ... ) == 0x0
 03447   412   NtClose  (216, ... ) == 0x0
 03448   412   NtClose  (244, ... ) == 0x0
 03449   412   NtClose  (236, ... ) == 0x0
 03450   412   NtClose  (240, ... ) == 0x0
 03451   412   NtClose  (228, ... ) == 0x0
 03452   412   NtClose  (232, ... ) == 0x0
 03453   412   NtClose  (248, ... ) == 0x0
 03454   412   NtClose  (252, ... ) == 0x0
 03455   412   NtClose  (264, ... ) == 0x0
 03456   412   NtClose  (268, ... ) == 0x0
 03457   412   NtClose  (256, ... ) == 0x0
 03458   412   NtClose  (260, ... ) == 0x0
 03459   412   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03460   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1234676, ... ) }, 1234676, ... ) == 0x0
 03461   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1235368, ... ) }, 1235368, ... ) == 0x0
 03462   412   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 03463   412   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 260, ... 256, ) == 0x0
 03464   412   NtQueryVolumeInformationFile  (260, 1234676, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03465   412   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03466   412   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03467   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 03468   412   NtQueryInformationFile  (268, 1233264, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03469   412   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 268, ... 264, ) == 0x0
 03470   412   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1a30000), 0x0, 1028096, ) == 0x0
 03471   412   NtQueryInformationFile  (268, 1233360, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03472   412   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03474   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1230924, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230924, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03475   412   NtClose  (252, ... ) == 0x0
 03476   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03477   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03478   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1230312, ... ) }, 1230312, ... ) == 0x0
 03479   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03480   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03481   412   NtClose  (252, ... ) == 0x0
 03482   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03483   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03484   412   NtClose  (252, ... ) == 0x0
 03485   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03486   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229672, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03487   412   NtClose  (252, ... ) == 0x0
 03488   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03489   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03490   412   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03491   412   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03492   412   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 252, ) == 0x0
 03493   412   NtQueryInformationToken  (252, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03494   412   NtClose  (252, ... ) == 0x0
 03495   412   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496   412   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03498   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03499   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1232592, ... ) }, 1232592, ... ) == 0x0
 03500   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03501   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03502   412   NtClose  (252, ... ) == 0x0
 03503   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03504   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03505   412   NtClose  (252, ... ) == 0x0
 03506   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03507   412   NtQueryDirectoryFile  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1,  (252, 0, 0, 0, 1231952, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03508   412   NtClose  (252, ... ) == 0x0
 03509   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03510   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03511   412   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03512   412   NtQueryVolumeInformationFile  (260, 1233236, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03513   412   NtQueryInformationFile  (260, 1233216, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03514   412   NtQueryInformationFile  (260, 1233256, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03515   412   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03516   412   NtUnmapViewOfSection  (-1, 0x1a30000, ... ) == 0x0
 03517   412   NtClose  (264, ... ) == 0x0
 03518   412   NtClose  (268, ... ) == 0x0
 03519   412   NtQuerySection  (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03520   412   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03521   412   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03522   412   NtOpenProcessToken  (-1, 0xa, ... 268, ) == 0x0
 03523   412   NtQueryInformationToken  (268, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03524   412   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03525   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03526   412   NtQueryValueKey  (264,  (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03527   412   NtQueryValueKey  (264,  (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (264, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03528   412   NtClose  (264, ... ) == 0x0
 03529   412   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03530   412   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03531   412   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03532   412   NtClose  (264, ... ) == 0x0
 03533   412   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 264, ) }, ... 264, ) == 0x0
 03534   412   NtQuerySymbolicLinkObject  (264, ...  (264, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03535   412   NtClose  (264, ... ) == 0x0
 03536   412   NtQueryInformationFile  (260, 1233028, 528, Name, ... {status=0x0, info=56}, ) == 0x0
 03537   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03538   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03539   412   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1231708, ... ) }, 1231708, ... ) == 0x0
 03540   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03541   412   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03542   412   NtClose  (264, ... ) == 0x0
 03543   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03544   412   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03545   412   NtClose  (264, ... ) == 0x0
 03546   412   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03547   412   NtQueryDirectoryFile  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231068, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03548   412   NtClose  (264, ... ) == 0x0
 03549   412   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03550   412   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03551   412   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03552   412   NtQueryValueKey  (264,  (264, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553   412   NtClose  (264, ... ) == 0x0
 03554   412   NtQueryInformationToken  (268, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03555   412   NtQueryInformationToken  (268, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03556   412   NtClose  (268, ... ) == 0x0
 03557   412   NtCreateProcessEx  (1237304, 2035711, 0, -1, 4, 256, 0, 0, 0, ... ) == 0x0
 03558   412   NtSetInformationProcess  (268, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03559   412   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=892,ParentPid=408,}, 0x0, ) == 0x0
 03560   412   NtReadVirtualMemory  (268, 0x7ffdf008, 4, ...  (268, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03561   412   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03562   412   NtReadVirtualMemory  (268, 0x400000, 4096, ...  (268, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0PE\0\0L\1\12\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\320S\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0(\222;\0\0\0\0\0\0\0\0\0\320S\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.CODE\0\0\0\0`\1\0\0\20\0\077\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03563   412   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03564   412   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=892,ParentPid=408,}, 0x0, ) == 0x0
 03565   412   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 21364736, 4096, ) == 0x0
 03566   412   NtAllocateVirtualMemory  (268, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03567   412   NtWriteVirtualMemory  (268, 0x10000,  (268, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03568   412   NtAllocateVirtualMemory  (268, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03569   412   NtWriteVirtualMemory  (268, 0x20000,  (268, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0o\0\0\0\374\0\376\0\230\4\0\08\0:\0\230\5\0\08\0:\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0:\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03570   412   NtWriteVirtualMemory  (268, 0x7ffdf010,  (268, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03571   412   NtWriteVirtualMemory  (268, 0x7ffdf1e8,  (268, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03572   412   NtFreeVirtualMemory  (-1, (0x1460000), 0, 32768, ... (0x1460000), 4096, ) == 0x0
 03573   412   NtAllocateVirtualMemory  (268, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03574   412   NtAllocateVirtualMemory  (268, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03575   412   NtProtectVirtualMemory  (268, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03576   412   NtCreateThread  (0x1f03ff, 0x0, 268, 1235568, 1236288, 1, ... 264, {892, 908}, ) == 0x0
 03577   412   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1626, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 408, 412, 1626, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1442864, 1237388} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1626, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03578   412   NtResumeThread  (264, ... 1, ) == 0x0
 03579   412   NtClose  (260, ... ) == 0x0
 03580   412   NtClose  (256, ... ) == 0x0
 03581   412   NtTerminateProcess  (0, 0, ...
 02095   880   NtWaitForMultipleObjects  ... ) == 0xc0
 03581   412   NtTerminateProcess  ... ) == 0x0
 03582   412   NtRaiseException  (1237052, 1236312, 1, ...
 03583   412   NtContinue  (1235108, 0, ...
 03584   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03585   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03586   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03587   412   NtRaiseException  (1227028, 1226288, 1, ...
 03588   412   NtContinue  (1225084, 0, ...
 03589   412   NtWaitForSingleObject  (316, 0, 0x0, ... ) == 0x0
 03590   412   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03591   412   NtReleaseMutant  (316, ... 0x0, ) == 0x0
 03592   412   NtUnmapViewOfSection  (-1, 0x1a20000, ... ) == 0x0
 03593   412   NtClose  (344, ... ) == 0x0
 03594   412   NtClose  (340, ... ) == 0x0
 03595   412   NtClose  (328, ... ) == 0x0
 03596   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03597   412   NtFreeVirtualMemory  (-1, (0x1980000), 0, 32768, ... (0x1980000), 65536, ) == 0x0
 03598   412   NtClose  (320, ... ) == 0x0
 03599   412   NtClose  (324, ... ) == 0x0
 03600   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 03601   412   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 03602   412   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03603   412   NtClose  (324, ... ) == 0x0
 03604   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03605   412   NtFreeVirtualMemory  (-1, (0x1450000), 0, 32768, ... (0x1450000), 65536, ) == 0x0
 03606   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03607   412   NtFreeVirtualMemory  (-1, (0x1310000), 0, 32768, ... (0x1310000), 262144, ) == 0x0
 03608   412   NtUnmapViewOfSection  (-1, 0x12f0000, ... ) == 0x0
 03609   412   NtClose  (272, ... ) == 0x0
 03610   412   NtFreeVirtualMemory  (-1, (0x1300000), 4096, 16384, ... (0x1300000), 4096, ) == 0x0
 03611   412   NtFreeVirtualMemory  (-1, (0x1300000), 0, 32768, ... (0x1300000), 65536, ) == 0x0
 03612   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03613   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03614   412   NtUnmapViewOfSection  (-1, 0x1280000, ... ) == 0x0
 03615   412   NtClose  (104, ... ) == 0x0
 03616   412   NtGdiDeleteObjectApp  (17826946, ... ) == 0x1
 03617   412   NtUserGetProcessWindowStation  (... ) == 0x28
 03618   412   NtUserBuildNameList  (40, 256, 1331736, 1237692, ... ) == 0x0
 03619   412   NtUserGetProcessWindowStation  (... ) == 0x28
 03620   412   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x68
 03621   412   NtUserBuildHwndList  (104, 0, 0, 0, 64, ... (0x30040, 0x100e8, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x100a4, 0x1007e, 0x10074, 0x10068, 0x3003e, 0x10066, 0x30030, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x300be, 0x100e4, 0x100dc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100c0, 0x100bc, 0x100ba, 0x100ac, 0x100d8, 0x100ce, 0x100cc, 0x100b8, 0x100a6, 0x1006c, 0x50044, 0x40048, 0x50042, 0x10082, 0x10076, 0x1, ), 41, ) == 0x0
 03622   412   NtUserQueryWindow  (196672, 0, ... ) == 0x76c
 03623   412   NtUserQueryWindow  (196672, 1, ... ) == 0x778
 03624   412   NtUserQueryWindow  (65768, 0, ... ) == 0x76c
 03625   412   NtUserQueryWindow  (65768, 1, ... ) == 0x778
 03626   412   NtUserQueryWindow  (65718, 0, ... ) == 0x7d4
 03627   412   NtUserQueryWindow  (65718, 1, ... ) == 0x7d8
 03628   412   NtUserQueryWindow  (65716, 0, ... ) == 0x7d4
 03629   412   NtUserQueryWindow  (65716, 1, ... ) == 0x7d8
 03630   412   NtUserQueryWindow  (65714, 0, ... ) == 0x7d4
 03631   412   NtUserQueryWindow  (65714, 1, ... ) == 0x7d8
 03632   412   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 03633   412   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 03634   412   NtUserQueryWindow  (65700, 0, ... ) == 0x76c
 03635   412   NtUserQueryWindow  (65700, 1, ... ) == 0x778
 03636   412   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 03637   412   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 03638   412   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 03639   412   NtUserQueryWindow  (65664, 0, ... ) == 0x76c
 03640   412   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 03641   412   NtUserQueryWindow  (65674, 0, ... ) == 0x76c
 03642   412   NtUserQueryWindow  (65674, 1, ... ) == 0x778
 03643   412   NtUserQueryWindow  (65676, 0, ... ) == 0x76c
 03644   412   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 03645   412   NtUserQueryWindow  (65678, 0, ... ) == 0x76c
 03646   412   NtUserQueryWindow  (65678, 1, ... ) == 0x778
 03647   412   NtUserQueryWindow  (65682, 0, ... ) == 0x76c
 03648   412   NtUserQueryWindow  (65682, 1, ... ) == 0x778
 03649   412   NtUserQueryWindow  (65684, 0, ... ) == 0x76c
 03650   412   NtUserQueryWindow  (65684, 1, ... ) == 0x778
 03651   412   NtUserQueryWindow  (65686, 0, ... ) == 0x76c
 03652   412   NtUserQueryWindow  (65686, 1, ... ) == 0x778
 03653   412   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 03654   412   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 03655   412   NtUserQueryWindow  (65690, 0, ... ) == 0x76c
 03656   412   NtUserQueryWindow  (65690, 1, ... ) == 0x778
 03657   412   NtUserQueryWindow  (65694, 0, ... ) == 0x76c
 03658   412   NtUserQueryWindow  (65694, 1, ... ) == 0x778
 03659   412   NtUserQueryWindow  (65696, 0, ... ) == 0x76c
 03660   412   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 03661   412   NtUserQueryWindow  (65698, 0, ... ) == 0x76c
 03662   412   NtUserQueryWindow  (65698, 1, ... ) == 0x778
 03663   412   NtUserQueryWindow  (65652, 0, ... ) == 0x76c
 03664   412   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 03665   412   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 03666   412   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 03667   412   NtUserQueryWindow  (196670, 0, ... ) == 0x76c
 03668   412   NtUserQueryWindow  (196670, 1, ... ) == 0x778
 03669   412   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 03670   412   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 03671   412   NtUserQueryWindow  (196656, 0, ... ) == 0x76c
 03672   412   NtUserQueryWindow  (196656, 1, ... ) == 0x778
 03673   412   NtUserBuildHwndList  (0, 196656, 1, 0, 64, ... (0x30032, 0x30036, 0x30034, 0x30038, 0x3003a, 0x3003c, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 03674   412   NtUserQueryWindow  (196658, 0, ... ) == 0x76c
 03675   412   NtUserQueryWindow  (196658, 1, ... ) == 0x778
 03676   412   NtUserQueryWindow  (196662, 0, ... ) == 0x76c
 03677   412   NtUserQueryWindow  (196662, 1, ... ) == 0x778
 03678   412   NtUserQueryWindow  (196660, 0, ... ) == 0x76c
 03679   412   NtUserQueryWindow  (196660, 1, ... ) == 0x778
 03680   412   NtUserQueryWindow  (196664, 0, ... ) == 0x76c
 03681   412   NtUserQueryWindow  (196664, 1, ... ) == 0x778
 03682   412   NtUserQueryWindow  (196666, 0, ... ) == 0x76c
 03683   412   NtUserQueryWindow  (196666, 1, ... ) == 0x778
 03684   412   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 03685   412   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 03686   412   NtUserQueryWindow  (65642, 0, ... ) == 0x76c
 03687   412   NtUserQueryWindow  (65642, 1, ... ) == 0x778
 03688   412   NtUserQueryWindow  (65646, 0, ... ) == 0x76c
 03689   412   NtUserQueryWindow  (65646, 1, ... ) == 0x778
 03690   412   NtUserQueryWindow  (65650, 0, ... ) == 0x76c
 03691   412   NtUserQueryWindow  (65650, 1, ... ) == 0x778
 03692   412   NtUserQueryWindow  (65692, 0, ... ) == 0x76c
 03693   412   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 03694   412   NtUserQueryWindow  (65680, 0, ... ) == 0x76c
 03695   412   NtUserQueryWindow  (65680, 1, ... ) == 0x778
 03696   412   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 03697   412   NtUserQueryWindow  (65660, 1, ... ) == 0x770
 03698   412   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03699   412   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 03700   412   NtUserQueryWindow  (196798, 0, ... ) == 0x374
 03701   412   NtUserQueryWindow  (196798, 1, ... ) == 0x378
 03702   412   NtUserQueryWindow  (65764, 0, ... ) == 0xfc
 03703   412   NtUserQueryWindow  (65764, 1, ... ) == 0x100
 03704   412   NtUserQueryWindow  (65756, 0, ... ) == 0xfc
 03705   412   NtUserQueryWindow  (65756, 1, ... ) == 0x100
 03706   412   NtUserQueryWindow  (65738, 0, ... ) == 0x7dc
 03707   412   NtUserQueryWindow  (65738, 1, ... ) == 0x7e0
 03708   412   NtUserQueryWindow  (65736, 0, ... ) == 0x7dc
 03709   412   NtUserQueryWindow  (65736, 1, ... ) == 0x7e0
 03710   412   NtUserQueryWindow  (65734, 0, ... ) == 0x7dc
 03711   412   NtUserQueryWindow  (65734, 1, ... ) == 0x7e0
 03712   412   NtUserQueryWindow  (65732, 0, ... ) == 0x7dc
 03713   412   NtUserQueryWindow  (65732, 1, ... ) == 0x7e0
 03714   412   NtUserQueryWindow  (65730, 0, ... ) == 0x7dc
 03715   412   NtUserQueryWindow  (65730, 1, ... ) == 0x7e0
 03716   412   NtUserQueryWindow  (65728, 0, ... ) == 0x7dc
 03717   412   NtUserQueryWindow  (65728, 1, ... ) == 0x7e0
 03718   412   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 03719   412   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 03720   412   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 03721   412   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 03722   412   NtUserQueryWindow  (65708, 0, ... ) == 0x7e8
 03723   412   NtUserQueryWindow  (65708, 1, ... ) == 0x7ec
 03724   412   NtUserQueryWindow  (65752, 0, ... ) == 0x76c
 03725   412   NtUserQueryWindow  (65752, 1, ... ) == 0x10c
 03726   412   NtUserQueryWindow  (65742, 0, ... ) == 0x76c
 03727   412   NtUserQueryWindow  (65742, 1, ... ) == 0x10c
 03728   412   NtUserBuildHwndList  (0, 65742, 1, 0, 64, ... (0x100d0, 0x100d2, 0x100d4, 0x100d6, 0x1, ), 5, ) == 0x0
 03729   412   NtUserQueryWindow  (65744, 0, ... ) == 0x76c
 03730   412   NtUserQueryWindow  (65744, 1, ... ) == 0x10c
 03731   412   NtUserQueryWindow  (65746, 0, ... ) == 0x76c
 03732   412   NtUserQueryWindow  (65746, 1, ... ) == 0x10c
 03733   412   NtUserQueryWindow  (65748, 0, ... ) == 0x76c
 03734   412   NtUserQueryWindow  (65748, 1, ... ) == 0x10c
 03735   412   NtUserQueryWindow  (65750, 0, ... ) == 0x76c
 03736   412   NtUserQueryWindow  (65750, 1, ... ) == 0x10c
 03737   412   NtUserQueryWindow  (65740, 0, ... ) == 0x76c
 03738   412   NtUserQueryWindow  (65740, 1, ... ) == 0x778
 03739   412   NtUserQueryWindow  (65720, 0, ... ) == 0x7d4
 03740   412   NtUserQueryWindow  (65720, 1, ... ) == 0x7d8
 03741   412   NtUserQueryWindow  (65702, 0, ... ) == 0x7cc
 03742   412   NtUserQueryWindow  (65702, 1, ... ) == 0x7d0
 03743   412   NtUserQueryWindow  (65644, 0, ... ) == 0x76c
 03744   412   NtUserQueryWindow  (65644, 1, ... ) == 0x7b0
 03745   412   NtUserQueryWindow  (327748, 0, ... ) == 0x76c
 03746   412   NtUserQueryWindow  (327748, 1, ... ) == 0x770
 03747   412   NtUserQueryWindow  (262216, 0, ... ) == 0x76c
 03748   412   NtUserQueryWindow  (262216, 1, ... ) == 0x770
 03749   412   NtUserQueryWindow  (327746, 0, ... ) == 0x76c
 03750   412   NtUserQueryWindow  (327746, 1, ... ) == 0x770
 03751   412   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 03752   412   NtUserQueryWindow  (65666, 1, ... ) == 0x770
 03753   412   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 03754   412   NtUserQueryWindow  (65654, 1, ... ) == 0x770
 03755   412   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 03756   412   NtUserQueryWindow  (65656, 0, ... ) == 0x76c
 03757   412   NtUserQueryWindow  (65656, 1, ... ) == 0x770
 03758   412   NtUserQueryWindow  (65658, 0, ... ) == 0x76c
 03759   412   NtUserQueryWindow  (65658, 1, ... ) == 0x770
 03760   412   NtUserCloseDesktop  (104, ...
 03761   412   NtClose  (104, ... ) == 0x0
 03760   412   NtUserCloseDesktop  ... ) == 0x1
 03762   412   NtUserGetProcessWindowStation  (... ) == 0x28
 03763   412   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03764   412   NtUserGetProcessWindowStation  (... ) == 0x28
 03765   412   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03766   412   NtGdiDeleteObjectApp  (134874239, ... ) == 0x1
 03767   412   NtGdiDeleteObjectApp  (17433728, ... ) == 0x1
 03768   412   NtClose  (12, ... ) == 0x0
 03769   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03770   412   NtFreeVirtualMemory  (-1, (0x14c000), 16384, 16384, ... (0x14c000), 16384, ) == 0x0
 03771   412   NtClose  (96, ... ) == 0x0
 03772   412   NtUnmapViewOfSection  (-1, 0x1220000, ... ) == 0x0
 03773   412   NtClose  (100, ... ) == 0x0
 03774   412   NtClose  (92, ... ) == 0x0
 03775   412   NtFreeVirtualMemory  (-1, (0x1240000), 0, 32768, ... (0x1240000), 262144, ) == 0x0
 03776   412   NtUserUnregisterClass  (1237652, 1991376896, 1237640, ... ) == 0x0
 03777   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03778   412   NtUnmapViewOfSection  (-1, 0x1570000, ... ) == 0x0
 03779   412   NtClose  (312, ... ) == 0x0
 03780   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03b
 03781   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03782   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03d
 03783   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03784   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc03f
 03785   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03786   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc041
 03787   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03788   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc043
 03789   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03790   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc045
 03791   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03792   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc047
 03793   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03794   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc049
 03795   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03796   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04b
 03797   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03798   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04d
 03799   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03800   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc04f
 03801   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03802   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc051
 03803   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03804   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc053
 03805   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03806   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc057
 03807   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03808   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc059
 03809   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03810   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05b
 03811   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03812   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05d
 03813   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03814   412   NtUserGetClassInfo  (1999896576, 1237740, 1237692, 1237768, 0, ... ) == 0xc05f
 03815   412   NtUserUnregisterClass  (1237744, 1999896576, 1237732, ... ) == 0x1
 03816   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03b
 03817   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03818   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03d
 03819   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03820   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc03f
 03821   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03822   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc041
 03823   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03824   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc043
 03825   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03826   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc045
 03827   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03828   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc047
 03829   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03830   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc049
 03831   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03832   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04b
 03833   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03834   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04d
 03835   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03836   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc04f
 03837   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03838   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc051
 03839   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03840   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc053
 03841   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03842   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc057
 03843   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03844   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc059
 03845   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03846   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05b
 03847   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03848   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05d
 03849   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03850   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc05f
 03851   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03852   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc017
 03853   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03854   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc019
 03855   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03856   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc018
 03857   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03858   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01a
 03859   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03860   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01c
 03861   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03862   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01e
 03863   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03864   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc01b
 03865   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03866   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc068
 03867   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03868   412   NtUserGetClassInfo  (1905590272, 1237740, 1237692, 1237768, 0, ... ) == 0xc06a
 03869   412   NtUserUnregisterClass  (1237744, 1905590272, 1237732, ... ) == 0x1
 03870   412   NtUnmapViewOfSection  (-1, 0x1230000, ... ) == 0x0
 03871   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 03872   412   NtClose  (336, ... ) == 0x0
 03873   412   NtClose  (152, ... ) == 0x0
 03874   412   NtClose  (352, ... ) == 0x0
 03875   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03876   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03877   412   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03878   412   NtClose  (148, ... ) == 0x0
 03879   412   NtClose  (356, ... ) == 0x0
 03880   412   NtClose  (112, ... ) == 0x0
 03881   412   NtFreeVirtualMemory  (-1, (0x1970000), 4096, 32768, ... (0x1970000), 4096, ) == 0x0
 03882   412   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 408, 412, 1644, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 408, 412, 1644, 0}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237876} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 408, 412, 1644, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 03883   412   NtTerminateProcess  (-1, 0, ...
 03884   412   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtContinue(>)	30
NtAllocateLocallyUniqueId(>)	1	NtGdiHfontCreate(>)	2	NtQuerySymbolicLinkObject(>)	6	NtQueryInformationFile(>)	30
NtCallbackReturn(>)	1	NtOpenDirectoryObject(>)	2	NtCreateSemaphore(>)	7	NtEnumerateKey(>)	31
NtClearEvent(>)	1	NtQueryInformationJobObject(>)	2	NtUserCallNoParam(>)	7	NtCreateEvent(>)	32
NtConnectPort(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryVirtualMemory(>)	8	NtOpenThreadToken(>)	33
NtDelayExecution(>)	1	NtRegisterThreadTerminatePort(>)	2	NtWriteVirtualMemory(>)	8	NtReleaseMutant(>)	38
NtDuplicateToken(>)	1	NtSetEvent(>)	2	NtQueryDefaultUILanguage(>)	10	NtUnmapViewOfSection(>)	38
NtGdiCreateBitmap(>)	1	NtTestAlert(>)	2	NtUserGetWindowDC(>)	10	NtQueryInformationProcess(>)	39
NtGdiCreateHalftonePalette(>)	1	NtUserCloseDesktop(>)	2	NtSetValueKey(>)	11	NtProtectVirtualMemory(>)	40
NtGdiCreatePaletteInternal(>)	1	NtUserCreateWindowEx(>)	2	NtUserCallOneParam(>)	11	NtQueryDefaultLocale(>)	42
NtGdiCreatePatternBrushInternal(>)	1	NtUserDestroyWindow(>)	2	NtUserSystemParametersInfo(>)	11	NtUserUnregisterClass(>)	47
NtGdiDoPalette(>)	1	NtUserGetObjectInformation(>)	2	NtWriteFile(>)	11	NtUserFindExistingCursorIcon(>)	49
NtGdiInit(>)	1	NtUserMessageCall(>)	2	NtOpenProcessToken(>)	14	NtCreateSection(>)	56
NtGdiQueryFontAssocInfo(>)	1	NtCreateThread(>)	3	NtRequestWaitReplyPort(>)	14	NtUserRegisterClassExWOW(>)	65
NtGdiSelectBitmap(>)	1	NtDuplicateObject(>)	3	NtNotifyChangeKey(>)	15	NtWaitForSingleObject(>)	66
NtOpenKeyedEvent(>)	1	NtOpenMutant(>)	3	NtQueryVolumeInformationFile(>)	15	NtOpenSection(>)	74
NtQueryFullAttributesFile(>)	1	NtOpenProcess(>)	3	NtCreateKey(>)	17	NtReadFile(>)	77
NtQueryInformationThread(>)	1	NtResumeThread(>)	3	NtDeviceIoControlFile(>)	17	NtMapViewOfSection(>)	80
NtQueryObject(>)	1	NtTerminateProcess(>)	3	NtFsControlFile(>)	17	NtOpenFile(>)	88
NtQueryPerformanceCounter(>)	1	NtUserOpenDesktop(>)	3	NtFlushInstructionCache(>)	19	NtQuerySystemInformation(>)	89
NtQuerySystemTime(>)	1	NtUserRemoveProp(>)	3	NtUserRegisterWindowMessage(>)	19	NtUserGetClassInfo(>)	91
NtSecureConnectPort(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryDirectoryFile(>)	20	NtAllocateVirtualMemory(>)	94
NtUserBuildNameList(>)	1	NtCreateMutant(>)	4	NtSetInformationProcess(>)	21	NtOpenProcessTokenEx(>)	110
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtEnumerateValueKey(>)	23	NtOpenThreadTokenEx(>)	110
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtFreeVirtualMemory(>)	23	NtQueryInformationToken(>)	126
NtUserGetForegroundWindow(>)	1	NtQuerySecurityObject(>)	4	NtQueryDebugFilterState(>)	24	NtQueryKey(>)	129
NtUserGetGUIThreadInfo(>)	1	NtGdiGetStockObject(>)	5	NtRaiseException(>)	25	NtUserQueryWindow(>)	134
NtUserGetThreadDesktop(>)	1	NtReadVirtualMemory(>)	5	NtSetInformationFile(>)	25	NtQueryAttributesFile(>)	147
NtUserSetProp(>)	1	NtSetInformationObject(>)	5	NtCreateFile(>)	27	NtQueryValueKey(>)	223
NtAccessCheck(>)	2	NtUserBuildHwndList(>)	5	NtSetInformationThread(>)	27	NtOpenKey(>)	476
NtCreateIoCompletion(>)	2	NtUserGetProcessWindowStation(>)	5	NtQuerySection(>)	28	NtClose(>)	570
NtCreateProcessEx(>)	2	NtGdiDeleteObjectApp(>)	6	NtReleaseSemaphore(>)	28